Malware Analysis Report

2024-11-30 11:27

Sample ID 220329-yrjr2safa8
Target 976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a
SHA256 976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a
Tags
kutaki keylogger stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V6)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a

Threat Level: Known bad

The file 976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a was found to be: Known bad.

Malicious Activity Summary

kutaki keylogger stealer

Kutaki Executable

Kutaki family

Kutaki

Executes dropped EXE

Drops startup file

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-29 20:01

Signatures

Kutaki Executable

Description / Indicator / Process / Target: N/A (one match, no details recorded)

Kutaki family

kutaki

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-29 20:01

Reported

2022-03-31 20:54

Platform

win10v2004-en-20220113

Max time kernel

132s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe"

Signatures

Kutaki

stealer keylogger kutaki

Kutaki Executable

Description / Indicator / Process / Target: N/A (two matches, no details recorded)

Executes dropped EXE

Process: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eifankch.exe (Description, Indicator, Target: N/A)

Drops startup file

File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eifankch.exe
  Process: C:\Users\Admin\AppData\Local\Temp\976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe (Indicator, Target: N/A)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eifankch.exe
  Process: C:\Users\Admin\AppData\Local\Temp\976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe (Indicator, Target: N/A)

The dropped file carries the same MD5, SHA1, SHA256 and SHA512 as the submitted sample (see Files below), so this is a byte-identical self-copy placed in the per-user Startup folder, which Windows launches at every logon of that user. Any hash-based IOC for the sample therefore also covers the persistence artifact; only the file name changes between runs.
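Hunting check derived from the indicators above (added example, not part of the sandbox report or of the Kutaki sample): it walks every profile under a Windows users root, hashes whatever sits in the per-user Startup folder, and flags files whose SHA-256 matches this report, whose name matches one of the dropped copies, or that are executable content in a folder where normally only shortcuts live. The hash and file names are taken from this report; the users root, the suffix list and the severity labels are assumptions of this example.

```python
"""Startup-folder hunt built from this report's Kutaki indicators (added example)."""
import hashlib
import sys
from pathlib import Path

# SHA-256 of the submitted sample; the dropped Startup copy reported the same hash.
KUTAKI_SHA256 = {
    "976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a",
}
# Names the sample gave its Startup-folder copy in the two detonations.
KUTAKI_STARTUP_NAMES = {"eifankch.exe", "vevneach.exe"}
# Per-user Startup folder, relative to the profile directory (C:\Users\<name>).
STARTUP_REL = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
# Suffixes that should not normally appear in Startup (.lnk shortcuts are expected there).
# This list is an assumption of the example, not something the report states.
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".dll", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream-hash a file so large droppers do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_startup(users_root, ioc_sha256=KUTAKI_SHA256, ioc_names=KUTAKI_STARTUP_NAMES):
    """Return one finding per suspicious file in any user's Startup folder under users_root."""
    findings = []
    for profile in sorted(Path(users_root).iterdir()):
        startup = profile / STARTUP_REL
        if not startup.is_dir():
            continue
        for item in sorted(startup.iterdir()):
            # desktop.ini is a normal folder-view file; everything else gets looked at.
            if not item.is_file() or item.name.lower() == "desktop.ini":
                continue
            digest = sha256_file(item)
            reasons = []
            if digest in ioc_sha256:
                reasons.append("sha256 matches Kutaki IOC")
            if item.name.lower() in ioc_names:
                reasons.append("file name matches a dropped Kutaki copy")
            if item.suffix.lower() in EXEC_SUFFIXES:
                reasons.append("executable content in Startup folder")
            if reasons:
                findings.append({
                    "user": profile.name,
                    "path": str(item),
                    "sha256": digest,
                    # A hash hit is a confirmed match; anything else needs an analyst's look.
                    "severity": "confirmed" if digest in ioc_sha256 else "suspicious",
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    # Default root is the live profile directory; pass another path to scan a mounted image.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Users"
    for f in scan_startup(root):
        print(f"[{f['severity']}] {f['user']}: {f['path']} ({f['sha256']}) - {'; '.join(f['reasons'])}")
```

Because the two detonations produced different file names for the same bytes, the hash and the folder location are the stable signals; the name match is kept only as a weak corroborating reason.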

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe

"C:\Users\Admin\AppData\Local\Temp\976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Users\Admin\AppData\Local\Temp\

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eifankch.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eifankch.exe"

Network

Files

memory/2972-132-0x0000000000000000-mapping.dmp

memory/4892-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eifankch.exe

MD5 89070447b67e5906a567c61c88024e9c
SHA1 1953e631b3b7cc106d2c34dfe5d4bc95d0c458e5
SHA256 976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a
SHA512 2b2c3d5306e10ea7e93e6aeaa0240d4fca5d91aa5186b49e1a7493b58efa90373f072762ab12c395b86d6153cee070e9e1f3948702a12357f983e7228ddf28a8

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-29 20:01

Reported

2022-03-31 20:54

Platform

win7-20220331-en

Max time kernel

2s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe"

Signatures

Kutaki

stealer keylogger kutaki

Kutaki Executable

Description / Indicator / Process / Target: N/A (three matches, no details recorded)

Executes dropped EXE

Process: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vevneach.exe (Description, Indicator, Target: N/A)

Drops startup file

File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vevneach.exe
  Process: C:\Users\Admin\AppData\Local\Temp\976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe (Indicator, Target: N/A)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vevneach.exe
  Process: C:\Users\Admin\AppData\Local\Temp\976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe (Indicator, Target: N/A)

As in the Windows 10 run, the dropped file is a byte-identical copy of the sample (same MD5, SHA1, SHA256 and SHA512 under Files below). The copy's name differs between the two detonations (eifankch.exe on Windows 10, vevneach.exe on Windows 7), so detections should key on the Startup folder path and the hashes rather than on the file name.

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Indicator is N/A for every row; the sandbox recorded each pair four times.

PID 1400 wrote to memory of 1748 (4 rows)
  Process: C:\Users\Admin\AppData\Local\Temp\976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe
  Target: C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 1744 (4 rows)
  Process: C:\Users\Admin\AppData\Local\Temp\976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe
  Target: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vevneach.exe
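Parser for the WriteProcessMemory rows above (added example, not tooling from the sandbox): it collapses repeated identical rows into one edge per source/target PID pair with a count, renders the result as a small process graph, and flags written-to processes whose image lives in a Startup folder, which in this report is the persistence copy. The row regex is an assumption about this report's text layout; the sample rows are copied from the behavioral1 section.

```python
"""Collapse the sandbox's WriteProcessMemory rows into a process graph (added example)."""
import re
from collections import OrderedDict

# Row layout as printed in this report: description, indicator, process image, target image.
# The source image in these rows has no spaces, so a non-space run captures it; the target
# path may contain spaces ("Start Menu") and is taken from the drive letter to end of line.
WPM_ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<indicator>\S+) (?P<src_img>\S+) (?P<dst_img>[A-Za-z]:\\.+)$"
)
STARTUP_DIR = "\\Start Menu\\Programs\\Startup\\"

# Rows copied from the behavioral1 section of this report (eight rows, two distinct pairs).
SAMPLE = (
    r"C:\Users\Admin\AppData\Local\Temp\976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe"
)
CMD = r"C:\Windows\SysWOW64\cmd.exe"
COPY = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vevneach.exe"
REPORT_ROWS = (
    [f"PID 1400 wrote to memory of 1748 N/A {SAMPLE} {CMD}"] * 4
    + [f"PID 1400 wrote to memory of 1744 N/A {SAMPLE} {COPY}"] * 4
)


def parse_wpm_rows(rows):
    """Return {(src_pid, dst_pid): {count, source, target}} in first-seen order; unparsable rows are skipped."""
    edges = OrderedDict()
    for line in rows:
        match = WPM_ROW.match(line.strip())
        if not match:
            continue
        key = (int(match["src"]), int(match["dst"]))
        edge = edges.setdefault(
            key, {"count": 0, "source": match["src_img"], "target": match["dst_img"]}
        )
        edge["count"] += 1
    return edges


def startup_targets(edges):
    """PIDs that were written to and whose image lives in a Startup folder (the persistence copy)."""
    return [dst for (_, dst), e in edges.items() if STARTUP_DIR.lower() in e["target"].lower()]


def render(edges):
    """One line per edge, showing only image file names so the graph stays readable."""
    out = []
    for (src, dst), e in edges.items():
        src_name = e["source"].rsplit("\\", 1)[-1]
        dst_name = e["target"].rsplit("\\", 1)[-1]
        out.append(f"{src} ({src_name}) -> {dst} ({dst_name}) x{e['count']}")
    return out


if __name__ == "__main__":
    graph = parse_wpm_rows(REPORT_ROWS)
    print("\n".join(render(graph)))
    print("Startup-folder children:", startup_targets(graph))
```

The same parser runs over any Triage-style export of this signature; writes into a child that lives under Startup, combined with the identical-hash drop above, is the pattern to alert on rather than WriteProcessMemory alone, which every parent performs when it starts a child.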

Processes

PIDs are taken from the WriteProcessMemory rows and the memory dump names in this run.

C:\Users\Admin\AppData\Local\Temp\976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe (PID 1400)
  "C:\Users\Admin\AppData\Local\Temp\976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe"

C:\Windows\SysWOW64\cmd.exe (PID 1748)
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vevneach.exe (PID 1744)
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vevneach.exe"

Network

N/A

Files

memory/1400-56-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

memory/1748-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vevneach.exe

MD5 89070447b67e5906a567c61c88024e9c
SHA1 1953e631b3b7cc106d2c34dfe5d4bc95d0c458e5
SHA256 976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a
SHA512 2b2c3d5306e10ea7e93e6aeaa0240d4fca5d91aa5186b49e1a7493b58efa90373f072762ab12c395b86d6153cee070e9e1f3948702a12357f983e7228ddf28a8

memory/1744-60-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vevneach.exe

MD5 89070447b67e5906a567c61c88024e9c
SHA1 1953e631b3b7cc106d2c34dfe5d4bc95d0c458e5
SHA256 976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a
SHA512 2b2c3d5306e10ea7e93e6aeaa0240d4fca5d91aa5186b49e1a7493b58efa90373f072762ab12c395b86d6153cee070e9e1f3948702a12357f983e7228ddf28a8