Overview
overview
10Static
static
10076be2c09b...29.exe
windows11-21h2-x64
100fd2b5dba8...d1.exe
windows11-21h2-x64
10131d6fb920...b1.exe
windows11-21h2-x64
101c133b9bb4...fd.exe
windows11-21h2-x64
1030af8d3ec6...30.exe
windows11-21h2-x64
1041c9d28653...f5.exe
windows11-21h2-x64
105a0daa24b5...1f.exe
windows11-21h2-x64
630efa1e2d...ad.exe
windows11-21h2-x64
10651bc82076...73.exe
windows11-21h2-x64
677bea9e71...58.exe
windows11-21h2-x64
107afefba65e...bb.exe
windows11-21h2-x64
3817c226e42...db.dll
windows11-21h2-x64
8a925fc1289...42.exe
windows11-21h2-x64
7b1c5fd5c0f...ae.exe
windows11-21h2-x64
10f2923f695d...7d.msi
windows11-21h2-x64
10f58d2071a2...e1.exe
windows11-21h2-x64
7Analysis
-
max time kernel
600s -
max time network
455s -
platform
windows11-21h2_x64 -
resource
win11-20231215-en -
resource tags
arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system -
submitted
20-12-2023 01:43
Behavioral task
behavioral1
Sample
076be2c09b944ec56381f42405728f7f657d2597b6e27191354568fb70170b29.exe
Resource
win11-20231215-en
Behavioral task
behavioral2
Sample
0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe
Resource
win11-20231215-en
Behavioral task
behavioral3
Sample
131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe
Resource
win11-20231215-en
Behavioral task
behavioral4
Sample
1c133b9bb476879df8145370ce1069ec92f28cade85a839e0159158a3e1b1afd.exe
Resource
win11-20231215-en
Behavioral task
behavioral5
Sample
30af8d3ec685a4a5669f1377bb74589772a0428d9daa214c179a795dcf4b9030.exe
Resource
win11-20231215-en
Behavioral task
behavioral6
Sample
41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe
Resource
win11-20231215-en
Behavioral task
behavioral7
Sample
5a0daa24b5748d81ba0bb78d7f2b50eb4c387ffe679c92c1462f7dec586adb1f.exe
Resource
win11-20231215-en
Behavioral task
behavioral8
Sample
630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
Resource
win11-20231215-en
Behavioral task
behavioral9
Sample
651bc82076659431e06327aeb3aacef2c30bf3cfd43ae4f9bc6b4222f15bb673.exe
Resource
win11-20231215-en
Behavioral task
behavioral10
Sample
677bea9e71aa3a56fe62a20580eb0786431a4789cb340a7294eb243054191c58.exe
Resource
win11-20231215-en
Behavioral task
behavioral11
Sample
7afefba65e72f42925ba76fae9ea98286eff7d0d01dcccd07c6117384858b6bb.exe
Resource
win11-20231215-en
Behavioral task
behavioral12
Sample
817c226e42f5c503325288fd8273bc03b326590f457e7a589eb34c2792d0a5db.dll
Resource
win11-20231215-en
Behavioral task
behavioral13
Sample
a925fc1289573f01bb86482e38340f0fe431269aa7500d776713c71091c49142.exe
Resource
win11-20231215-en
Behavioral task
behavioral14
Sample
b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe
Resource
win11-20231215-en
Behavioral task
behavioral15
Sample
f2923f695dc02132cea5c0241060dba9a35d317342675118f7b22288e78cee7d.msi
Resource
win11-20231215-en
Behavioral task
behavioral16
Sample
f58d2071a2fdaea27d814e788e002fe5da63843546f22c255eceade162323ce1.exe
Resource
win11-20231215-en
General
-
Target
41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe
-
Size
815KB
-
MD5
706368098593b234bde3727366651281
-
SHA1
81a56cd69bf00ec1fd79543423c59d5ce16c1a45
-
SHA256
41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5
-
SHA512
b1ba031351ec99df11f511ede7257ee4aa9b43472532d1d3e6ff36101b7f489a11fa356421759d08a83f663877b09029f15ccce25501e51e489429a1f0aece60
-
SSDEEP
24576:em8RI+emRlQIjDlzzTlQ8LmcEd40X0zjnXU9PR1t7drlSpnHuGE5:bzghxO
Malware Config
Signatures
-
Kutaki Executable 2 IoCs
resource yara_rule behavioral6/files/0x000200000002a7ad-6.dat family_kutaki behavioral6/files/0x000200000002a7ad-5.dat family_kutaki -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biyorpch.exe 41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biyorpch.exe 41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe -
Executes dropped EXE 1 IoCs
pid Process 2496 biyorpch.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum biyorpch.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 biyorpch.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2692 41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe 2692 41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe 2692 41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe 2496 biyorpch.exe 2496 biyorpch.exe 2496 biyorpch.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2692 wrote to memory of 248 2692 41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe 81 PID 2692 wrote to memory of 248 2692 41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe 81 PID 2692 wrote to memory of 248 2692 41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe 81 PID 2692 wrote to memory of 2496 2692 41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe 83 PID 2692 wrote to memory of 2496 2692 41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe 83 PID 2692 wrote to memory of 2496 2692 41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe"C:\Users\Admin\AppData\Local\Temp\41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe"1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\2⤵PID:248
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biyorpch.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biyorpch.exe"2⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetWindowsHookEx
PID:2496
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
562KB
MD50e299e6aece469a2c6632a7f85d9fae5
SHA1c2f16d8a75e6e13cb0ed57b66d5ebc0c5a190b28
SHA2567195a5cba81a019e1b1b0f069015ce899bb80f0cc93ff48b48389502930c5a75
SHA51296ec69fb04b885b0ae053414c44ca39671f2e363c74028bb95b4cccb380494c07f8e39eca2e7f79f2e4d6f5623b96b8c056480555ae945c586e1af76064314d4
-
Filesize
632KB
MD555102b8289474a99a4690407515ae38a
SHA1ba36ded2bbda34bae82a9c1afe95d8d4478f1f94
SHA256ec866c14412b036c8e915db7e3767cc17d11d67bafcaf03eeb1f0c867cd83569
SHA512f528abb11e6f375deb853378086878569d1d58dc12734316a3e49a3bc24fec524756c55f7040411dd8678237ab7d55dc9c1b911095009455095f55507da9ab33