Malware Analysis Report

2024-11-30 11:24

Sample ID 220523-3rsr6shhb9
Target 73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3
SHA256 73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3
Tags
kutaki keylogger stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3

Threat Level: Known bad

The file 73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3 was found to be: Known bad.

Malicious Activity Summary

kutaki keylogger stealer

Kutaki family

Kutaki Executable

Kutaki

Executes dropped EXE

Drops startup file

Loads dropped DLL

Maps connected drives based on registry

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-23 23:45

Signatures

Kutaki Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Kutaki family

kutaki

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-23 23:45

Reported

2022-05-23 23:48

Platform

win7-20220414-en

Max time kernel

151s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe"

Signatures

Kutaki

stealer keylogger kutaki

Kutaki Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | C:\Users\Admin\AppData\Local\Temp\73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | C:\Users\Admin\AppData\Local\Temp\73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1764 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe | C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe | C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe | C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe | C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe
PID 1764 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe
PID 1764 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe
PID 1764 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

Processes

C:\Users\Admin\AppData\Local\Temp\73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe

"C:\Users\Admin\AppData\Local\Temp\73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Users\Admin\AppData\Local\Temp\

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe"

Network

N/A

Files

memory/1764-56-0x0000000074F91000-0x0000000074F93000-memory.dmp

memory/1904-57-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

MD5 62aea7e47f647f9d6d2cdacb15e4b163
SHA1 884550e92ac4ad9c24f3473d889b9247775f5ee5
SHA256 73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3
SHA512 59cdbc399225f2bf6fb3f56cfaa4c3705a0a5f23ae7d59ccf14467c19adc6ef5694fa91afae80ebeedd44ac3974923b6d8c616d87cc55a0d2fd8e2310108c283

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

MD5 62aea7e47f647f9d6d2cdacb15e4b163
SHA1 884550e92ac4ad9c24f3473d889b9247775f5ee5
SHA256 73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3
SHA512 59cdbc399225f2bf6fb3f56cfaa4c3705a0a5f23ae7d59ccf14467c19adc6ef5694fa91afae80ebeedd44ac3974923b6d8c616d87cc55a0d2fd8e2310108c283

memory/1420-60-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

MD5 62aea7e47f647f9d6d2cdacb15e4b163
SHA1 884550e92ac4ad9c24f3473d889b9247775f5ee5
SHA256 73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3
SHA512 59cdbc399225f2bf6fb3f56cfaa4c3705a0a5f23ae7d59ccf14467c19adc6ef5694fa91afae80ebeedd44ac3974923b6d8c616d87cc55a0d2fd8e2310108c283

memory/1420-65-0x0000000003B11000-0x00000000049BD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

MD5 75e7129e0849814fc51fdbf779a54798
SHA1 3ddf3158d67cf65ca8898bf865a65594fbca498d
SHA256 79040499fc3e0d1a832cd80d0a638866a26057e76235fa734a9b42fcc6d99f57
SHA512 608c95273e7d6497575521ee5fc91fd7940ffff9b74e8b59188eaf4a986a4703af82c0741bebf6a294978afd9ab82d06dbdec0f74d8db312989c9e1e6cfba02d

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-23 23:45

Reported

2022-05-23 23:48

Platform

win10v2004-20220414-en

Max time kernel

149s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe"

Signatures

Kutaki

stealer keylogger kutaki

Kutaki Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | C:\Users\Admin\AppData\Local\Temp\73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | C:\Users\Admin\AppData\Local\Temp\73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe

"C:\Users\Admin\AppData\Local\Temp\73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Users\Admin\AppData\Local\Temp\

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe"

Network

Country | Destination | Domain | Proto
US | 8.253.208.112:80 | | tcp
BE | 67.24.35.254:80 | | tcp
US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp

Files

memory/880-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

MD5 62aea7e47f647f9d6d2cdacb15e4b163
SHA1 884550e92ac4ad9c24f3473d889b9247775f5ee5
SHA256 73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3
SHA512 59cdbc399225f2bf6fb3f56cfaa4c3705a0a5f23ae7d59ccf14467c19adc6ef5694fa91afae80ebeedd44ac3974923b6d8c616d87cc55a0d2fd8e2310108c283

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

MD5 62aea7e47f647f9d6d2cdacb15e4b163
SHA1 884550e92ac4ad9c24f3473d889b9247775f5ee5
SHA256 73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3
SHA512 59cdbc399225f2bf6fb3f56cfaa4c3705a0a5f23ae7d59ccf14467c19adc6ef5694fa91afae80ebeedd44ac3974923b6d8c616d87cc55a0d2fd8e2310108c283

memory/4380-133-0x0000000000000000-mapping.dmp