kutaki | 6bc635e6ac09b880a389ddf37ceaae81cb38fd81b3966ca1656b65c7d0f4d8fd

General

Target

PRODUCT SAMPLE & ORDER SHEET.PDF.scr
Size

488KB
MD5

85f51ff6bd810b0122a2c38eef70fa06
SHA1

aa49ffa7db0c118b644b62d75a0cc27b62a680aa
SHA256

6bc635e6ac09b880a389ddf37ceaae81cb38fd81b3966ca1656b65c7d0f4d8fd
SHA512

e20cc0744e2d3378958990e27ce59f25787f3133a67e4f0d21d63d7da1fc56ef9b2a297303f723a9408f24d3321931a45ecfcc70d6a19b954eab04602c3f4698

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gndnlnch.exe	family_kutaki
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gndnlnch.exe	family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gndnlnch.exe	family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gndnlnch.exe	family_kutaki

Executes dropped EXE 1 IoCs

Processes:

gndnlnch.exe

pid process

628 gndnlnch.exe

pid	process
628	gndnlnch.exe

Drops startup file 2 IoCs

Processes:

PRODUCT SAMPLE & ORDER SHEET.PDF.scr

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gndnlnch.exe	PRODUCT SAMPLE & ORDER SHEET.PDF.scr
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gndnlnch.exe	PRODUCT SAMPLE & ORDER SHEET.PDF.scr

Loads dropped DLL 2 IoCs

Processes:

PRODUCT SAMPLE & ORDER SHEET.PDF.scr

pid process

1736 PRODUCT SAMPLE & ORDER SHEET.PDF.scr
1736 PRODUCT SAMPLE & ORDER SHEET.PDF.scr
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

PRODUCT SAMPLE & ORDER SHEET.PDF.scrgndnlnch.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	PRODUCT SAMPLE & ORDER SHEET.PDF.scr
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	gndnlnch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1352 DllHost.exe

pid	process
1352	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

PRODUCT SAMPLE & ORDER SHEET.PDF.scrgndnlnch.exe

pid	process
1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr
1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr
1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr
628	gndnlnch.exe
628	gndnlnch.exe
628	gndnlnch.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

PRODUCT SAMPLE & ORDER SHEET.PDF.scr

description	pid	process	target process
PID 1736 wrote to memory of 1964	1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr	cmd.exe
PID 1736 wrote to memory of 1964	1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr	cmd.exe
PID 1736 wrote to memory of 1964	1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr	cmd.exe
PID 1736 wrote to memory of 1964	1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr	cmd.exe
PID 1736 wrote to memory of 628	1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr	gndnlnch.exe
PID 1736 wrote to memory of 628	1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr	gndnlnch.exe
PID 1736 wrote to memory of 628	1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr	gndnlnch.exe
PID 1736 wrote to memory of 628	1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr	gndnlnch.exe

C:\Users\Admin\AppData\Local\Temp\PRODUCT SAMPLE & ORDER SHEET.PDF.scr
"C:\Users\Admin\AppData\Local\Temp\PRODUCT SAMPLE & ORDER SHEET.PDF.scr" /S
1⤵
- Drops startup file
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\images.jpg
  2⤵
  PID:1964
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gndnlnch.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gndnlnch.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:628

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\images.jpg

MD5
ba87f0b37df02b7c724c8d68ec05a7e4

SHA1
e9b010344ba106a56a0036e9cf661f6021c397b6

SHA256
08ff2712bc0f924da12d5eb3041a595db0f22be7375d55b3355b1c89bd97f148

SHA512
75985210c6dece9898d3420e7db44105b0bd6f50832ab33d9f0aabc3de672db4be30b1091f9b5184054b9d568bde4aea73e2913b329b2471ddf485e7d75a05c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gndnlnch.exe

MD5
85f51ff6bd810b0122a2c38eef70fa06

SHA1
aa49ffa7db0c118b644b62d75a0cc27b62a680aa

SHA256
6bc635e6ac09b880a389ddf37ceaae81cb38fd81b3966ca1656b65c7d0f4d8fd

SHA512
e20cc0744e2d3378958990e27ce59f25787f3133a67e4f0d21d63d7da1fc56ef9b2a297303f723a9408f24d3321931a45ecfcc70d6a19b954eab04602c3f4698

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gndnlnch.exe

MD5
85f51ff6bd810b0122a2c38eef70fa06

SHA1
aa49ffa7db0c118b644b62d75a0cc27b62a680aa

SHA256
6bc635e6ac09b880a389ddf37ceaae81cb38fd81b3966ca1656b65c7d0f4d8fd

SHA512
e20cc0744e2d3378958990e27ce59f25787f3133a67e4f0d21d63d7da1fc56ef9b2a297303f723a9408f24d3321931a45ecfcc70d6a19b954eab04602c3f4698

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gndnlnch.exe

MD5
85f51ff6bd810b0122a2c38eef70fa06

SHA1
aa49ffa7db0c118b644b62d75a0cc27b62a680aa

SHA256
6bc635e6ac09b880a389ddf37ceaae81cb38fd81b3966ca1656b65c7d0f4d8fd

SHA512
e20cc0744e2d3378958990e27ce59f25787f3133a67e4f0d21d63d7da1fc56ef9b2a297303f723a9408f24d3321931a45ecfcc70d6a19b954eab04602c3f4698

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gndnlnch.exe

MD5
85f51ff6bd810b0122a2c38eef70fa06

SHA1
aa49ffa7db0c118b644b62d75a0cc27b62a680aa

SHA256
6bc635e6ac09b880a389ddf37ceaae81cb38fd81b3966ca1656b65c7d0f4d8fd

SHA512
e20cc0744e2d3378958990e27ce59f25787f3133a67e4f0d21d63d7da1fc56ef9b2a297303f723a9408f24d3321931a45ecfcc70d6a19b954eab04602c3f4698

Download Submit
memory/628-72-0x0000000000000000-mapping.dmp

Download
memory/1352-67-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/1352-68-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1736-62-0x0000000075AF1000-0x0000000075AF3000-memory.dmp

Filesize
8KB

Download
memory/1964-63-0x0000000000000000-mapping.dmp

Download
memory/1964-66-0x0000000002010000-0x0000000002012000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads