kutaki | 73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3

General

Target

73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe
Size

671KB
MD5

62aea7e47f647f9d6d2cdacb15e4b163
SHA1

884550e92ac4ad9c24f3473d889b9247775f5ee5
SHA256

73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3
SHA512

59cdbc399225f2bf6fb3f56cfaa4c3705a0a5f23ae7d59ccf14467c19adc6ef5694fa91afae80ebeedd44ac3974923b6d8c616d87cc55a0d2fd8e2310108c283

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 4 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012319-58.dat	family_kutaki
behavioral1/files/0x000a000000012319-61.dat	family_kutaki
behavioral1/files/0x000a000000012319-59.dat	family_kutaki
behavioral1/files/0x000a000000012319-66.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
1420	lunlerio.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe	73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe	73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe

Loads dropped DLL 2 IoCs

pid	Process
1764	73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe
1764	73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	lunlerio.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	lunlerio.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	lunlerio.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1764	73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe
1764	73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe
1764	73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe
1420	lunlerio.exe
1420	lunlerio.exe
1420	lunlerio.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1904	1764	73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe	28
PID 1764 wrote to memory of 1904	1764	73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe	28
PID 1764 wrote to memory of 1904	1764	73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe	28
PID 1764 wrote to memory of 1904	1764	73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe	28
PID 1764 wrote to memory of 1420	1764	73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe	30
PID 1764 wrote to memory of 1420	1764	73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe	30
PID 1764 wrote to memory of 1420	1764	73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe	30
PID 1764 wrote to memory of 1420	1764	73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe	30

C:\Users\Admin\AppData\Local\Temp\73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe
"C:\Users\Admin\AppData\Local\Temp\73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1904
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

Filesize
671KB

MD5
62aea7e47f647f9d6d2cdacb15e4b163

SHA1
884550e92ac4ad9c24f3473d889b9247775f5ee5

SHA256
73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3

SHA512
59cdbc399225f2bf6fb3f56cfaa4c3705a0a5f23ae7d59ccf14467c19adc6ef5694fa91afae80ebeedd44ac3974923b6d8c616d87cc55a0d2fd8e2310108c283

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

Filesize
517KB

MD5
75e7129e0849814fc51fdbf779a54798

SHA1
3ddf3158d67cf65ca8898bf865a65594fbca498d

SHA256
79040499fc3e0d1a832cd80d0a638866a26057e76235fa734a9b42fcc6d99f57

SHA512
608c95273e7d6497575521ee5fc91fd7940ffff9b74e8b59188eaf4a986a4703af82c0741bebf6a294978afd9ab82d06dbdec0f74d8db312989c9e1e6cfba02d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

Filesize
671KB

MD5
62aea7e47f647f9d6d2cdacb15e4b163

SHA1
884550e92ac4ad9c24f3473d889b9247775f5ee5

SHA256
73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3

SHA512
59cdbc399225f2bf6fb3f56cfaa4c3705a0a5f23ae7d59ccf14467c19adc6ef5694fa91afae80ebeedd44ac3974923b6d8c616d87cc55a0d2fd8e2310108c283

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

Filesize
671KB

MD5
62aea7e47f647f9d6d2cdacb15e4b163

SHA1
884550e92ac4ad9c24f3473d889b9247775f5ee5

SHA256
73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3

SHA512
59cdbc399225f2bf6fb3f56cfaa4c3705a0a5f23ae7d59ccf14467c19adc6ef5694fa91afae80ebeedd44ac3974923b6d8c616d87cc55a0d2fd8e2310108c283

Download Submit
memory/1420-65-0x0000000003B11000-0x00000000049BD000-memory.dmp

Filesize
14.7MB

Download
memory/1764-56-0x0000000074F91000-0x0000000074F93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing