kutaki | 6bc635e6ac09b880a389ddf37ceaae81cb38fd81b3966ca1656b65c7d0f4d8fd

General

Target

PRODUCT SAMPLE & ORDER SHEET.PDF.scr
Size

488KB
MD5

85f51ff6bd810b0122a2c38eef70fa06
SHA1

aa49ffa7db0c118b644b62d75a0cc27b62a680aa
SHA256

6bc635e6ac09b880a389ddf37ceaae81cb38fd81b3966ca1656b65c7d0f4d8fd
SHA512

e20cc0744e2d3378958990e27ce59f25787f3133a67e4f0d21d63d7da1fc56ef9b2a297303f723a9408f24d3321931a45ecfcc70d6a19b954eab04602c3f4698

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 4 IoCs

resource	yara_rule
behavioral1/files/0x00070000000130dc-70.dat	family_kutaki
behavioral1/files/0x00070000000130dc-71.dat	family_kutaki
behavioral1/files/0x00070000000130dc-73.dat	family_kutaki
behavioral1/files/0x00070000000130dc-78.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
628	gndnlnch.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gndnlnch.exe	PRODUCT SAMPLE & ORDER SHEET.PDF.scr
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gndnlnch.exe	PRODUCT SAMPLE & ORDER SHEET.PDF.scr

Loads dropped DLL 2 IoCs

pid	Process
1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr
1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	PRODUCT SAMPLE & ORDER SHEET.PDF.scr
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	gndnlnch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1352	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr
1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr
1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr
628	gndnlnch.exe
628	gndnlnch.exe
628	gndnlnch.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1964	1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr	27
PID 1736 wrote to memory of 1964	1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr	27
PID 1736 wrote to memory of 1964	1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr	27
PID 1736 wrote to memory of 1964	1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr	27
PID 1736 wrote to memory of 628	1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr	33
PID 1736 wrote to memory of 628	1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr	33
PID 1736 wrote to memory of 628	1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr	33
PID 1736 wrote to memory of 628	1736	PRODUCT SAMPLE & ORDER SHEET.PDF.scr	33

C:\Users\Admin\AppData\Local\Temp\PRODUCT SAMPLE & ORDER SHEET.PDF.scr
"C:\Users\Admin\AppData\Local\Temp\PRODUCT SAMPLE & ORDER SHEET.PDF.scr" /S
1⤵
- Drops startup file
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\images.jpg
  2⤵
  PID:1964
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gndnlnch.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gndnlnch.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:628

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1352-67-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/1352-68-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1736-62-0x0000000075AF1000-0x0000000075AF3000-memory.dmp

Filesize
8KB

Download
memory/1964-66-0x0000000002010000-0x0000000002012000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing