kutaki | b761256b5f20918c970f0d64b939e86d8304141b04e9024a809996da04d46c5e

General

Target

image.exe
Size

516KB
MD5

e60ded83982043932447eba0a568273c
SHA1

835cfdbebbbcd44985572d5690d3dbcd8f041bbc
SHA256

6dd4d7a668ac56bb6e71090d32a522e77c885e540758ed08ac03d702b02f26dd
SHA512

b4055f3994ea402eb81a8b7d5824e6d778c4335f99fcef8625fa8166eb9ea55bc2398e137695a4b21efed5711e7acd5a7f2e36fe1179b221abb71807b8bb729c

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000900000001ab57-120.dat	family_kutaki
behavioral2/files/0x000900000001ab57-121.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
2244	bondejch.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bondejch.exe	image.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bondejch.exe	image.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
728	mspaint.exe
728	mspaint.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2620	image.exe
2620	image.exe
2620	image.exe
728	mspaint.exe
2244	bondejch.exe
2244	bondejch.exe
2244	bondejch.exe
728	mspaint.exe
728	mspaint.exe
728	mspaint.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 512	2620	image.exe	69
PID 2620 wrote to memory of 512	2620	image.exe	69
PID 2620 wrote to memory of 512	2620	image.exe	69
PID 512 wrote to memory of 728	512	cmd.exe	71
PID 512 wrote to memory of 728	512	cmd.exe	71
PID 512 wrote to memory of 728	512	cmd.exe	71
PID 2620 wrote to memory of 2244	2620	image.exe	73
PID 2620 wrote to memory of 2244	2620	image.exe	73
PID 2620 wrote to memory of 2244	2620	image.exe	73

C:\Users\Admin\AppData\Local\Temp\image.exe
"C:\Users\Admin\AppData\Local\Temp\image.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:512
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:728
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bondejch.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bondejch.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2244

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:2788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads