kutaki | 73733257bc449d4fed5bd3ffb494a0ce11c6c8c68b58b464761d194bc24ff29b

General

Target

tracking details.exe
Size

752KB
MD5

3c35fca6cb231d20cc04e6d8b2601010
SHA1

aecde409a20bdaa63be0570d5625938e7df50197
SHA256

e6cd47abf6c7c73449bd05329a0e30a48012c947d8762dd2429333af8d7bc198
SHA512

0b7e2604adf2d89ef471336f8dd322c9f8b222e404aa68fbf67a13ced6ec0eb0a8c9968cb92401b44d2d4d1a1e53e51e7d8840f74ee4baec3f1d4b05d76d1d77

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x002100000001da68-132.dat	family_kutaki
behavioral2/files/0x002100000001da68-133.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
3868	jbwsmoch.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jbwsmoch.exe	tracking details.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jbwsmoch.exe	tracking details.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3532	svchost.exe
Token: SeCreatePagefilePrivilege	3532	svchost.exe
Token: SeShutdownPrivilege	3532	svchost.exe
Token: SeCreatePagefilePrivilege	3532	svchost.exe
Token: SeShutdownPrivilege	3532	svchost.exe
Token: SeCreatePagefilePrivilege	3532	svchost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1900	tracking details.exe
1900	tracking details.exe
1900	tracking details.exe
3868	jbwsmoch.exe
3868	jbwsmoch.exe
3868	jbwsmoch.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 4032	1900	tracking details.exe	83
PID 1900 wrote to memory of 4032	1900	tracking details.exe	83
PID 1900 wrote to memory of 4032	1900	tracking details.exe	83
PID 1900 wrote to memory of 3868	1900	tracking details.exe	85
PID 1900 wrote to memory of 3868	1900	tracking details.exe	85
PID 1900 wrote to memory of 3868	1900	tracking details.exe	85

C:\Users\Admin\AppData\Local\Temp\tracking details.exe
"C:\Users\Admin\AppData\Local\Temp\tracking details.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:4032
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jbwsmoch.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jbwsmoch.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3532-136-0x000001D658D60000-0x000001D658D70000-memory.dmp

Filesize
64KB

Download
memory/3532-137-0x000001D659320000-0x000001D659330000-memory.dmp

Filesize
64KB

Download
memory/3532-138-0x000001D65B990000-0x000001D65B994000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing