Analysis
- max time kernel: 134s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 11-07-2022 11:51
- Static task: static1
General
- Target: RTGS_Payment.zip
- Size: 328KB
- MD5: 1d0ae9996cead47fb88bfff3c6ad1e16
- SHA1: 234ec1f3e2fa4e618bcaabbc3f01c13f20436bdd
- SHA256: b5d3d965444fd3e7a0df7821d7ac2343dd3e4feb9fcd12e2be0910cee2b51850
- SHA512: 4e38e06a3c1a0b1c929f8acadea4e86a5a84cc32e86f26daf02c9f320f7c10485ff8c2910dc31d0d82c9c0b7f9b89b1efe33e79c16c5362d879c562a104ce371
Malware Config
Signatures
Kutaki Executable (11 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\Desktop\RTGS_Payment.exe | family_kutaki
C:\Users\Admin\Desktop\RTGS_Payment.exe | family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe | family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe | family_kutaki
C:\Users\Admin\Desktop\RTGS_Payment.exe | family_kutaki
C:\Users\Admin\Desktop\RTGS_Payment.exe | family_kutaki
C:\Users\Admin\Desktop\RTGS_Payment.exe | family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe | family_kutaki
C:\Users\Admin\Desktop\RTGS_Payment.exe | family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe | family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe | family_kutaki
Executes dropped EXE (8 IoCs)
Processes:
pid  | process
2440 | RTGS_Payment.exe
2256 | qasjajch.exe
2244 | RTGS_Payment.exe
2040 | RTGS_Payment.exe
3668 | RTGS_Payment.exe
3780 | qasjajch.exe
3108 | RTGS_Payment.exe
4428 | qasjajch.exe
Drops startup file (6 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe | RTGS_Payment.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe | RTGS_Payment.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe | RTGS_Payment.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe | RTGS_Payment.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe | RTGS_Payment.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe | RTGS_Payment.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Kills process with taskkill (2 IoCs)
Processes:
pid  | process
2516 | taskkill.exe
2184 | taskkill.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
description | pid | process
Token: SeRestorePrivilege | 2752 | 7zFM.exe
Token: 35 | 2752 | 7zFM.exe
Token: SeSecurityPrivilege | 2752 | 7zFM.exe
Token: SeDebugPrivilege | 2516 | taskkill.exe
Token: SeDebugPrivilege | 2184 | taskkill.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
pid  | process
2752 | 7zFM.exe
2752 | 7zFM.exe
2752 | 7zFM.exe
Suspicious use of SetWindowsHookEx (24 IoCs)
Processes:
pid  | process
2440 | RTGS_Payment.exe
2440 | RTGS_Payment.exe
2440 | RTGS_Payment.exe
2256 | qasjajch.exe
2256 | qasjajch.exe
2256 | qasjajch.exe
2244 | RTGS_Payment.exe
2244 | RTGS_Payment.exe
2244 | RTGS_Payment.exe
2040 | RTGS_Payment.exe
2040 | RTGS_Payment.exe
2040 | RTGS_Payment.exe
3668 | RTGS_Payment.exe
3668 | RTGS_Payment.exe
3668 | RTGS_Payment.exe
3780 | qasjajch.exe
3780 | qasjajch.exe
3780 | qasjajch.exe
3108 | RTGS_Payment.exe
3108 | RTGS_Payment.exe
3108 | RTGS_Payment.exe
4428 | qasjajch.exe
4428 | qasjajch.exe
4428 | qasjajch.exe
Suspicious use of WriteProcessMemory (27 IoCs)
Processes:
description | pid | process | target process
PID 2440 wrote to memory of 2396 | 2440 | RTGS_Payment.exe | cmd.exe
PID 2440 wrote to memory of 2396 | 2440 | RTGS_Payment.exe | cmd.exe
PID 2440 wrote to memory of 2396 | 2440 | RTGS_Payment.exe | cmd.exe
PID 2440 wrote to memory of 2256 | 2440 | RTGS_Payment.exe | qasjajch.exe
PID 2440 wrote to memory of 2256 | 2440 | RTGS_Payment.exe | qasjajch.exe
PID 2440 wrote to memory of 2256 | 2440 | RTGS_Payment.exe | qasjajch.exe
PID 2244 wrote to memory of 4868 | 2244 | RTGS_Payment.exe | cmd.exe
PID 2244 wrote to memory of 4868 | 2244 | RTGS_Payment.exe | cmd.exe
PID 2244 wrote to memory of 4868 | 2244 | RTGS_Payment.exe | cmd.exe
PID 2244 wrote to memory of 2516 | 2244 | RTGS_Payment.exe | taskkill.exe
PID 2244 wrote to memory of 2516 | 2244 | RTGS_Payment.exe | taskkill.exe
PID 2244 wrote to memory of 2516 | 2244 | RTGS_Payment.exe | taskkill.exe
PID 2244 wrote to memory of 3780 | 2244 | RTGS_Payment.exe | qasjajch.exe
PID 2244 wrote to memory of 3780 | 2244 | RTGS_Payment.exe | qasjajch.exe
PID 2244 wrote to memory of 3780 | 2244 | RTGS_Payment.exe | qasjajch.exe
PID 1424 wrote to memory of 3108 | 1424 | cmd.exe | RTGS_Payment.exe
PID 1424 wrote to memory of 3108 | 1424 | cmd.exe | RTGS_Payment.exe
PID 1424 wrote to memory of 3108 | 1424 | cmd.exe | RTGS_Payment.exe
PID 3108 wrote to memory of 4752 | 3108 | RTGS_Payment.exe | cmd.exe
PID 3108 wrote to memory of 4752 | 3108 | RTGS_Payment.exe | cmd.exe
PID 3108 wrote to memory of 4752 | 3108 | RTGS_Payment.exe | cmd.exe
PID 3108 wrote to memory of 2184 | 3108 | RTGS_Payment.exe | taskkill.exe
PID 3108 wrote to memory of 2184 | 3108 | RTGS_Payment.exe | taskkill.exe
PID 3108 wrote to memory of 2184 | 3108 | RTGS_Payment.exe | taskkill.exe
PID 3108 wrote to memory of 4428 | 3108 | RTGS_Payment.exe | qasjajch.exe
PID 3108 wrote to memory of 4428 | 3108 | RTGS_Payment.exe | qasjajch.exe
PID 3108 wrote to memory of 4428 | 3108 | RTGS_Payment.exe | qasjajch.exe
Processes
(child processes are indented beneath their parent)

C:\Windows\Explorer.exe  (PID 3816)
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\RTGS_Payment.zip

C:\Windows\System32\rundll32.exe  (PID 1708)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zFM.exe  (PID 2752)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RTGS_Payment.zip"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Desktop\RTGS_Payment.exe  (PID 2440)
  Command line: "C:\Users\Admin\Desktop\RTGS_Payment.exe"
  - Executes dropped EXE
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 2396)
      Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe  (PID 2256)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

C:\Users\Admin\Desktop\RTGS_Payment.exe  (PID 2244)
  Command line: "C:\Users\Admin\Desktop\RTGS_Payment.exe"
  - Executes dropped EXE
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 4868)
      Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\

    C:\Windows\SysWOW64\taskkill.exe  (PID 2516)
      Command line: taskkill /im qasjajch.exe /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe  (PID 3780)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

C:\Users\Admin\Desktop\RTGS_Payment.exe  (PID 2040)
  Command line: "C:\Users\Admin\Desktop\RTGS_Payment.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Users\Admin\Desktop\RTGS_Payment.exe  (PID 3668)
  Command line: "C:\Users\Admin\Desktop\RTGS_Payment.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.exe  (PID 1424)
  Command line: "C:\Windows\system32\cmd.exe"
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\Desktop\RTGS_Payment.exe  (PID 3108)
      Command line: RTGS_Payment.exe
      - Executes dropped EXE
      - Drops startup file
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 4752)
          Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\

        C:\Windows\SysWOW64\taskkill.exe  (PID 2184)
          Command line: taskkill /im qasjajch.exe /f
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe  (PID 4428)
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qasjajch.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 968KB
  MD5: a6e5804f4d6a9a2a823a70ad37db3716
  SHA1: f20ce20488fb607162285b0ccac95bc965bf116d
  SHA256: 5f7e2c3aca868d28e2321913fee896d84b6e648e9289c2dacecd5bf85f7ee743
  SHA512: cdea1a027cb63173035c4d0d681ad1bd0c63bb2f0a722d6d5316aaae9e474b2e9d0b21cf7f74388ff348133deab4aab92f431d125db79e8134b98d93c26ba4be