kutaki | 614b1804f29b1fd1aaaf62dd34c9a731bd43d68f47407e0ca2aec09a246e4101

Analysis

max time kernel
124s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21/05/2022, 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

image.exe
Size

504KB
MD5

8386b787dfff37c3e7bcdcc03a0a7487
SHA1

c20d9e818f912fc4f47ed1e85718c6196b911801
SHA256

25f0420d3551985569fb57497301c7d2f691083d7318d28db5bab2e8a6a0bb85
SHA512

aace70e1d3bd221fffdcfe8649df4e47807b5f2679032866acf31b41814623eab85b6930bb9e79c11d4f48edfb5670d9d9a98941106c06c67cd9bd22f5c64bd0

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022ebb-134.dat	family_kutaki
behavioral2/files/0x0006000000022ebb-135.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
4672	lpjnoxch.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lpjnoxch.exe	image.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lpjnoxch.exe	image.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5100	image.exe
5100	image.exe
5100	image.exe
4672	lpjnoxch.exe
4672	lpjnoxch.exe
4672	lpjnoxch.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 4784	5100	image.exe	81
PID 5100 wrote to memory of 4784	5100	image.exe	81
PID 5100 wrote to memory of 4784	5100	image.exe	81
PID 5100 wrote to memory of 4672	5100	image.exe	83
PID 5100 wrote to memory of 4672	5100	image.exe	83
PID 5100 wrote to memory of 4672	5100	image.exe	83

C:\Users\Admin\AppData\Local\Temp\image.exe
"C:\Users\Admin\AppData\Local\Temp\image.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:4784
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lpjnoxch.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lpjnoxch.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lpjnoxch.exe

Filesize
504KB

MD5
8386b787dfff37c3e7bcdcc03a0a7487

SHA1
c20d9e818f912fc4f47ed1e85718c6196b911801

SHA256
25f0420d3551985569fb57497301c7d2f691083d7318d28db5bab2e8a6a0bb85

SHA512
aace70e1d3bd221fffdcfe8649df4e47807b5f2679032866acf31b41814623eab85b6930bb9e79c11d4f48edfb5670d9d9a98941106c06c67cd9bd22f5c64bd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lpjnoxch.exe

Filesize
504KB

MD5
8386b787dfff37c3e7bcdcc03a0a7487

SHA1
c20d9e818f912fc4f47ed1e85718c6196b911801

SHA256
25f0420d3551985569fb57497301c7d2f691083d7318d28db5bab2e8a6a0bb85

SHA512
aace70e1d3bd221fffdcfe8649df4e47807b5f2679032866acf31b41814623eab85b6930bb9e79c11d4f48edfb5670d9d9a98941106c06c67cd9bd22f5c64bd0

Download Submit