Analysis

  • max time kernel
    151s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    04-01-2022 04:28

General

  • Target

    404.htm

  • Size

    203B

  • MD5

    c227967ce790fe9a246024e9734e1082

  • SHA1

    a406419bb40edb2932553f7bdf88498c82adbbd7

  • SHA256

    cc3aa328b29867e053ff7bf5e4d4ca84034f679ce19f5488c2d7f0d6052b214a

  • SHA512

    c2842d969b00bb92b02c14120bd1266cbdab500d6515a957532282576ff4739b40ad081177310f9e7d5ad3cf3398930d247841b6706e30ab6e8659e886902883

Malware Config

Signatures

  • Kutaki

    Information stealer and keylogger that hides inside legitimate Visual Basic applications.

  • Kutaki Executable 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\404.htm
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:600
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:600 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1092
  • C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
      2⤵
      PID:564
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lyymfach.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lyymfach.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1640

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1VSJJWE3\Tax Payment Challan.zip.eyabtkq.partial

      MD5

      12bd7557bb598976e2b6fd37252967ba

      SHA1

      c7240568595c37d11270ea8f3ae8d2a525987191

      SHA256

      69e098c97202d350e9ea0268520999f0544936d28596a1a2c6fbe74b3d3b45b4

      SHA512

      16a02481aa622828877660113ca473d762204729276441949e01cd4f579ecbafcaae0ad2d91ceb22fe571dd9f43e89df0678a98a8f0d35753f4cf60edf099f8c

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YT64D050.txt

      MD5

      05b2d35d2f23656193e698ad9cf4f043

      SHA1

      cf781a12e9c6fda8a638f568b1a8650c711c5643

      SHA256

      d3969411bb43a232dae2af2a8c1e494d0b97e9a1f03684144802031da5e6d91d

      SHA512

      f5088a63325c2e649f31c8d46e7523c71be7db38b6fcf5831aa93fed206b8c5802b6a200c0857cc2d7e4a9b98dfe88c4f832c3ce3098baea4f832a7427de3ddd

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lyymfach.exe

      MD5

      ceb4610a2e6bc8ffc049d43df625c4c3

      SHA1

      cc9f8b871c8edf18ebdc654ba64e9a90257445d8

      SHA256

      ee4ab2d7101d0ba8f68faec3883744d8035eec005c17fc355e00e612eb424098

      SHA512

      c0fad261493e8bb71a813c830212e06384d7b114ff4fcce1228b18b4e5823ba76423fd05800f3f1997940ae6a00b1f3d32cce08c6e2904b029f3feff5f7c9347

    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lyymfach.exe

      MD5

      ceb4610a2e6bc8ffc049d43df625c4c3

      SHA1

      cc9f8b871c8edf18ebdc654ba64e9a90257445d8

      SHA256

      ee4ab2d7101d0ba8f68faec3883744d8035eec005c17fc355e00e612eb424098

      SHA512

      c0fad261493e8bb71a813c830212e06384d7b114ff4fcce1228b18b4e5823ba76423fd05800f3f1997940ae6a00b1f3d32cce08c6e2904b029f3feff5f7c9347

    • memory/564-61-0x0000000000000000-mapping.dmp

    • memory/600-55-0x0000000003FE0000-0x0000000003FE1000-memory.dmp

      Filesize

      4KB

    • memory/1092-54-0x0000000000000000-mapping.dmp

    • memory/1564-60-0x0000000076151000-0x0000000076153000-memory.dmp

      Filesize

      8KB

    • memory/1564-59-0x0000000000220000-0x000000000022A000-memory.dmp

      Filesize

      40KB

    • memory/1564-58-0x0000000000220000-0x0000000000226000-memory.dmp

      Filesize

      24KB

    • memory/1640-64-0x0000000000000000-mapping.dmp

    • memory/1640-66-0x00000000001C0000-0x00000000001C6000-memory.dmp

      Filesize

      24KB

    • memory/1640-67-0x00000000001C0000-0x00000000001CA000-memory.dmp

      Filesize

      40KB