Analysis
-
max time kernel
132s -
max time network
126s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
29-12-2021 08:55
General
-
Target
image.exe
-
Size
516KB
-
MD5
c43b7d74eef3fa1c025f08939e9d4be2
-
SHA1
0b41411bd1f52c115d77fc44815beed1b3cb749c
-
SHA256
d0fd86e3254a14f3b99d141b8512eae447cd716436ba8a192422596a2b0bb625
-
SHA512
9104a982f97370c03a95955b86bd9c37681d2c5aed2ba46ed0f113d915dbd83b1d237c6c5b128e24c7a3a3dc01c11fded5ef9eecf217255da98dd0eea5ee4d3d
Score
10/10
Malware Config
Signatures
-
Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
-
Kutaki Executable 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops startup file 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\image.exe"C:\Users\Admin\AppData\Local\Temp\image.exe"1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zbzljvch.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zbzljvch.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService1⤵