Analysis

  • max time kernel
    138s
  • max time network
    130s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    04-01-2022 04:28

General

  • Target

    404.htm

  • Size

    203B

  • MD5

    c227967ce790fe9a246024e9734e1082

  • SHA1

    a406419bb40edb2932553f7bdf88498c82adbbd7

  • SHA256

    cc3aa328b29867e053ff7bf5e4d4ca84034f679ce19f5488c2d7f0d6052b214a

  • SHA512

    c2842d969b00bb92b02c14120bd1266cbdab500d6515a957532282576ff4739b40ad081177310f9e7d5ad3cf3398930d247841b6706e30ab6e8659e886902883

Malware Config

Signatures

  • Kutaki

    Information stealer and keylogger that hides inside legitimate Visual Basic applications.

  • Kutaki Executable 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 43 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\404.htm
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2408 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:580
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:884
  • C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\image.exe"
    1⤵
    • Drops startup file
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3644
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
      2⤵
      PID:1828
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nrxinrch.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nrxinrch.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3588

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6VZI9KRM\Tax Payment Challan.zip.7ti31w6.partial

    MD5

    12bd7557bb598976e2b6fd37252967ba

    SHA1

    c7240568595c37d11270ea8f3ae8d2a525987191

    SHA256

    69e098c97202d350e9ea0268520999f0544936d28596a1a2c6fbe74b3d3b45b4

    SHA512

    16a02481aa622828877660113ca473d762204729276441949e01cd4f579ecbafcaae0ad2d91ceb22fe571dd9f43e89df0678a98a8f0d35753f4cf60edf099f8c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\LXHW3R39.cookie

    MD5

    9067728afb7344e3e7958b644b037f4e

    SHA1

    faf0157fe97f2440126c21729e18cb1cf1f6c5bb

    SHA256

    f18291258b4f453039dade7af3cd6741164047ded52ba76eef4e99a4f3613843

    SHA512

    93dc1838c4535a33c60d06920bab7273fb1ee9f7f0bceb846d87b7f5fb2129cd7725de5bf3ebe7e701c6d350746fbab589864e227cbb37418ef0af436e7329da

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nrxinrch.exe

    MD5

    ceb4610a2e6bc8ffc049d43df625c4c3

    SHA1

    cc9f8b871c8edf18ebdc654ba64e9a90257445d8

    SHA256

    ee4ab2d7101d0ba8f68faec3883744d8035eec005c17fc355e00e612eb424098

    SHA512

    c0fad261493e8bb71a813c830212e06384d7b114ff4fcce1228b18b4e5823ba76423fd05800f3f1997940ae6a00b1f3d32cce08c6e2904b029f3feff5f7c9347
