Analysis
-
max time kernel
142s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags
arch:x64 arch:x86 image:win10v2004-20231020-en locale:en-us os:windows10-2004-x64 system
submitted
27-10-2023 09:48
Behavioral task
behavioral1
Sample
HDFC_RTGS.exe
Resource
win7-20231023-en
General
-
Target
HDFC_RTGS.exe
-
Size
1.5MB
-
MD5
30adcb75b8ce11e32915d329f4292854
-
SHA1
cda01ae84ef0b9688f8911de661f1adec108a73b
-
SHA256
8de3fb617df36b4e33432d30ea4fc626c968421d594b0b5102f8d9b1fbb8fbdf
-
SHA512
d7d21d2a64719ac10e8818b2b775caa83a56e11e198cc60b28036a5631d7121b8d2dc777893d862a47caccee006ccb014e2f810229cf1b36d6492da9e2b031ef
-
SSDEEP
24576:XMjlxu1t+S0kLaSW/u/a+DzovnwNnxV/gb7e2AsvwbR281z+zfmP/UDMS08Ckn30:ulAR0kL1t8nO/CAsn81z+zfmP/SA8NE
Malware Config
Extracted
kutaki
http://ojorobia.club/laptop/laptop.php
http://terebinnahicc.club/sec/kool.txt
Signatures
-
Kutaki Executable 2 IoCs
Processes:
resource                                    yara_rule
behavioral2/files/0x0006000000022e40-5.dat  family_kutaki
behavioral2/files/0x0006000000022e40-6.dat  family_kutaki
Drops startup file 2 IoCs
Processes:
Process filter: HDFC_RTGS.exe
description                   ioc                                                                                        Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vgklugch.exe  HDFC_RTGS.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vgklugch.exe  HDFC_RTGS.exe
Executes dropped EXE 1 IoCs
Processes:
Process filter: vgklugch.exe
pid   Process
2056  vgklugch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
Process filter: HDFC_RTGS.exe, vgklugch.exe
pid   Process
1944  HDFC_RTGS.exe
1944  HDFC_RTGS.exe
1944  HDFC_RTGS.exe
2056  vgklugch.exe
2056  vgklugch.exe
2056  vgklugch.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
Process filter: HDFC_RTGS.exe
description                          pid   Process        procid_target
PID 1944 wrote to memory of 1904     1944  HDFC_RTGS.exe  91
PID 1944 wrote to memory of 1904     1944  HDFC_RTGS.exe  91
PID 1944 wrote to memory of 1904     1944  HDFC_RTGS.exe  91
PID 1944 wrote to memory of 2056     1944  HDFC_RTGS.exe  93
PID 1944 wrote to memory of 2056     1944  HDFC_RTGS.exe  93
PID 1944 wrote to memory of 2056     1944  HDFC_RTGS.exe  93
Processes
-
C:\Users\Admin\AppData\Local\Temp\HDFC_RTGS.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\HDFC_RTGS.exe"
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944
    C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
    PID:1904
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vgklugch.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vgklugch.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2056
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.5MB
MD5
30adcb75b8ce11e32915d329f4292854
SHA1
cda01ae84ef0b9688f8911de661f1adec108a73b
SHA256
8de3fb617df36b4e33432d30ea4fc626c968421d594b0b5102f8d9b1fbb8fbdf
SHA512
d7d21d2a64719ac10e8818b2b775caa83a56e11e198cc60b28036a5631d7121b8d2dc777893d862a47caccee006ccb014e2f810229cf1b36d6492da9e2b031ef
-
Filesize
1.5MB
MD5
30adcb75b8ce11e32915d329f4292854
SHA1
cda01ae84ef0b9688f8911de661f1adec108a73b
SHA256
8de3fb617df36b4e33432d30ea4fc626c968421d594b0b5102f8d9b1fbb8fbdf
SHA512
d7d21d2a64719ac10e8818b2b775caa83a56e11e198cc60b28036a5631d7121b8d2dc777893d862a47caccee006ccb014e2f810229cf1b36d6492da9e2b031ef