Overview

overview

10

Static

static

10

image.exe

windows7_x64

10

image.exe

windows10_x64

10

Analysis

  • max time kernel
    124s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    29/12/2021, 01:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    image.exe

  • Size

    516KB

  • MD5

    c43b7d74eef3fa1c025f08939e9d4be2

  • SHA1

    0b41411bd1f52c115d77fc44815beed1b3cb749c

  • SHA256

    d0fd86e3254a14f3b99d141b8512eae447cd716436ba8a192422596a2b0bb625

  • SHA512

    9104a982f97370c03a95955b86bd9c37681d2c5aed2ba46ed0f113d915dbd83b1d237c6c5b128e24c7a3a3dc01c11fded5ef9eecf217255da98dd0eea5ee4d3d

Score
10/10
kutakikeyloggerstealer

Malware Config

Signatures

  • Kutaki

    Information stealer and keylogger that hides inside legitimate Visual Basic applications.

    stealerkeyloggerkutaki
  • Kutaki Executable 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\image.exe
    "C:\Users\Admin\AppData\Local\Temp\image.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:288
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
      2⤵
        PID:1624
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vzfuwech.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vzfuwech.exe"
        2⤵
        • Executes dropped EXE
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1732
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:2000

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/288-55-0x0000000000220000-0x000000000022A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/288-56-0x0000000076041000-0x0000000076043000-memory.dmp

      Filesize

      8KB

      Download

    • memory/288-54-0x0000000000220000-0x0000000000226000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1624-67-0x0000000002010000-0x0000000002012000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1732-64-0x00000000001B0000-0x00000000001BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1732-70-0x0000000003EC1000-0x0000000004D6D000-memory.dmp

      Filesize

      14.7MB

      Download

    • memory/1732-63-0x00000000001B0000-0x00000000001B6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2000-68-0x0000000000220000-0x0000000000222000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2000-69-0x0000000000770000-0x0000000000771000-memory.dmp

      Filesize

      4KB

      Download