Analysis

  • max time kernel
    134s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    11-07-2022 11:51

General

  • Target

    RTGS_Payment.zip

  • Size

    328KB

  • MD5

    1d0ae9996cead47fb88bfff3c6ad1e16

  • SHA1

    234ec1f3e2fa4e618bcaabbc3f01c13f20436bdd

  • SHA256

    b5d3d965444fd3e7a0df7821d7ac2343dd3e4feb9fcd12e2be0910cee2b51850

  • SHA512

    4e38e06a3c1a0b1c929f8acadea4e86a5a84cc32e86f26daf02c9f320f7c10485ff8c2910dc31d0d82c9c0b7f9b89b1efe33e79c16c5362d879c562a104ce371

Malware Config

Signatures

  • Kutaki

    Information stealer and keylogger that hides inside legitimate Visual Basic applications.

  • Kutaki Executable 11 IoCs
  • Executes dropped EXE 8 IoCs
  • Drops startup file 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 24 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\RTGS_Payment.zip
    1⤵
      PID:3816
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1708
      • C:\Program Files\7-Zip\7zFM.exe
        "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RTGS_Payment.zip"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2752
      • C:\Users\Admin\Desktop\RTGS_Payment.exe
        "C:\Users\Admin\Desktop\RTGS_Payment.exe"
        1⤵
        • Executes dropped EXE
        • Drops startup file
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2440
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
          2⤵
            PID:2396
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2256
        • C:\Users\Admin\Desktop\RTGS_Payment.exe
          "C:\Users\Admin\Desktop\RTGS_Payment.exe"
          1⤵
          • Executes dropped EXE
          • Drops startup file
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2244
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
            2⤵
              PID:4868
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /im qasjajch.exe /f
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2516
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe"
              2⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:3780
          • C:\Users\Admin\Desktop\RTGS_Payment.exe
            "C:\Users\Admin\Desktop\RTGS_Payment.exe"
            1⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2040
          • C:\Users\Admin\Desktop\RTGS_Payment.exe
            "C:\Users\Admin\Desktop\RTGS_Payment.exe"
            1⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3668
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:1424
            • C:\Users\Admin\Desktop\RTGS_Payment.exe
              RTGS_Payment.exe
              2⤵
              • Executes dropped EXE
              • Drops startup file
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3108
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
                3⤵
                  PID:4752
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /im qasjajch.exe /f
                  3⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2184
                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe
                  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe"
                  3⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:4428

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe

    Filesize

    968KB

    MD5

    a6e5804f4d6a9a2a823a70ad37db3716

    SHA1

    f20ce20488fb607162285b0ccac95bc965bf116d

    SHA256

    5f7e2c3aca868d28e2321913fee896d84b6e648e9289c2dacecd5bf85f7ee743

    SHA512

    cdea1a027cb63173035c4d0d681ad1bd0c63bb2f0a722d6d5316aaae9e474b2e9d0b21cf7f74388ff348133deab4aab92f431d125db79e8134b98d93c26ba4be

  • C:\Users\Admin\Desktop\RTGS_Payment.exe

    Filesize

    968KB

    MD5

    a6e5804f4d6a9a2a823a70ad37db3716

    SHA1

    f20ce20488fb607162285b0ccac95bc965bf116d

    SHA256

    5f7e2c3aca868d28e2321913fee896d84b6e648e9289c2dacecd5bf85f7ee743

    SHA512

    cdea1a027cb63173035c4d0d681ad1bd0c63bb2f0a722d6d5316aaae9e474b2e9d0b21cf7f74388ff348133deab4aab92f431d125db79e8134b98d93c26ba4be

  • memory/2184-160-0x0000000000000000-mapping.dmp

  • memory/2256-135-0x0000000000000000-mapping.dmp

  • memory/2396-134-0x0000000000000000-mapping.dmp

  • memory/2516-148-0x0000000000000000-mapping.dmp

  • memory/3108-155-0x0000000000000000-mapping.dmp

  • memory/3780-151-0x0000000000000000-mapping.dmp

  • memory/4428-162-0x0000000000000000-mapping.dmp

  • memory/4752-159-0x0000000000000000-mapping.dmp

  • memory/4868-146-0x0000000000000000-mapping.dmp