kutaki | 614b1804f29b1fd1aaaf62dd34c9a731bd43d68f47407e0ca2aec09a246e4101

Analysis

max time kernel
62s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
21/05/2022, 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

image.exe
Size

504KB
MD5

8386b787dfff37c3e7bcdcc03a0a7487
SHA1

c20d9e818f912fc4f47ed1e85718c6196b911801
SHA256

25f0420d3551985569fb57497301c7d2f691083d7318d28db5bab2e8a6a0bb85
SHA512

aace70e1d3bd221fffdcfe8649df4e47807b5f2679032866acf31b41814623eab85b6930bb9e79c11d4f48edfb5670d9d9a98941106c06c67cd9bd22f5c64bd0

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 3 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001232e-59.dat	family_kutaki
behavioral1/files/0x000b00000001232e-61.dat	family_kutaki
behavioral1/files/0x000b00000001232e-58.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
2036	sdookich.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdookich.exe	image.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdookich.exe	image.exe

Loads dropped DLL 2 IoCs

pid	Process
1040	image.exe
1040	image.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1040	image.exe
1040	image.exe
1040	image.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe
2036	sdookich.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 1996	1040	image.exe	28
PID 1040 wrote to memory of 1996	1040	image.exe	28
PID 1040 wrote to memory of 1996	1040	image.exe	28
PID 1040 wrote to memory of 1996	1040	image.exe	28
PID 1040 wrote to memory of 2036	1040	image.exe	30
PID 1040 wrote to memory of 2036	1040	image.exe	30
PID 1040 wrote to memory of 2036	1040	image.exe	30
PID 1040 wrote to memory of 2036	1040	image.exe	30

C:\Users\Admin\AppData\Local\Temp\image.exe
"C:\Users\Admin\AppData\Local\Temp\image.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1996
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdookich.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdookich.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdookich.exe

Filesize
504KB

MD5
8386b787dfff37c3e7bcdcc03a0a7487

SHA1
c20d9e818f912fc4f47ed1e85718c6196b911801

SHA256
25f0420d3551985569fb57497301c7d2f691083d7318d28db5bab2e8a6a0bb85

SHA512
aace70e1d3bd221fffdcfe8649df4e47807b5f2679032866acf31b41814623eab85b6930bb9e79c11d4f48edfb5670d9d9a98941106c06c67cd9bd22f5c64bd0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdookich.exe

Filesize
504KB

MD5
8386b787dfff37c3e7bcdcc03a0a7487

SHA1
c20d9e818f912fc4f47ed1e85718c6196b911801

SHA256
25f0420d3551985569fb57497301c7d2f691083d7318d28db5bab2e8a6a0bb85

SHA512
aace70e1d3bd221fffdcfe8649df4e47807b5f2679032866acf31b41814623eab85b6930bb9e79c11d4f48edfb5670d9d9a98941106c06c67cd9bd22f5c64bd0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdookich.exe

Filesize
504KB

MD5
8386b787dfff37c3e7bcdcc03a0a7487

SHA1
c20d9e818f912fc4f47ed1e85718c6196b911801

SHA256
25f0420d3551985569fb57497301c7d2f691083d7318d28db5bab2e8a6a0bb85

SHA512
aace70e1d3bd221fffdcfe8649df4e47807b5f2679032866acf31b41814623eab85b6930bb9e79c11d4f48edfb5670d9d9a98941106c06c67cd9bd22f5c64bd0

Download Submit
memory/1040-56-0x0000000076811000-0x0000000076813000-memory.dmp

Filesize
8KB

Download