Analysis

  • max time kernel
    82s
  • max time network
    67s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    05-08-2020 08:25

General

  • Target

    New Order.scr

  • Size

    632KB

  • MD5

    5cd9d49f5cad5e0910e90ce8183b4366

  • SHA1

    c457eb69ef65e0c02c330f5f2fb0e6e47b8d6a7b

  • SHA256

    1de49d29d2f5c485ef935ce6f50176272745d32d258f5996f029f4e78a614af7

  • SHA512

    87a5aff468b8243e4d542dc6fd639bcf4c3e5b54b9d17c27b4605c9fdafb045a078653d049c96ef3bbfcfdf7feef7f58033da85be98d76c621c3fe5ab13cf65d

Malware Config

Signatures

  • Kutaki

    Information stealer and keylogger that hides inside legitimate Visual Basic applications.

  • Kutaki Executable 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetWindowsHookEx 1052 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Order.scr
    "C:\Users\Admin\AppData\Local\Temp\New Order.scr" /S
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:112
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
      2⤵
        PID:1072
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mwdfdwch.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mwdfdwch.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1680

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads