Analysis

  • max time kernel
    149s
  • max time network
    134s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    26-04-2021 05:38

General

  • Target

    PRODUCT SAMPLE & ORDER SHEET.PDF.scr

  • Size

    488KB

  • MD5

    85f51ff6bd810b0122a2c38eef70fa06

  • SHA1

    aa49ffa7db0c118b644b62d75a0cc27b62a680aa

  • SHA256

    6bc635e6ac09b880a389ddf37ceaae81cb38fd81b3966ca1656b65c7d0f4d8fd

  • SHA512

    e20cc0744e2d3378958990e27ce59f25787f3133a67e4f0d21d63d7da1fc56ef9b2a297303f723a9408f24d3321931a45ecfcc70d6a19b954eab04602c3f4698

Malware Config

Signatures

  • Kutaki

    Information stealer and keylogger that hides inside legitimate Visual Basic applications.

  • Kutaki Executable 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PRODUCT SAMPLE & ORDER SHEET.PDF.scr
    "C:\Users\Admin\AppData\Local\Temp\PRODUCT SAMPLE & ORDER SHEET.PDF.scr" /S
    1⤵
    • Drops startup file
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\images.jpg
      2⤵
        PID:1280
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tsslvych.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tsslvych.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery: System Information Discovery (1), T1082

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tsslvych.exe
    MD5 85f51ff6bd810b0122a2c38eef70fa06
    SHA1 aa49ffa7db0c118b644b62d75a0cc27b62a680aa
    SHA256 6bc635e6ac09b880a389ddf37ceaae81cb38fd81b3966ca1656b65c7d0f4d8fd
    SHA512 e20cc0744e2d3378958990e27ce59f25787f3133a67e4f0d21d63d7da1fc56ef9b2a297303f723a9408f24d3321931a45ecfcc70d6a19b954eab04602c3f4698

  • memory/1280-116-0x0000000000000000-mapping.dmp
  • memory/2020-117-0x0000000000000000-mapping.dmp