kutaki | 7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969

Analysis

max time kernel
149s
max time network
42s
platform
windows7_x64
resource
win7-20220414-en
submitted
24/05/2022, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe
Size

616KB
MD5

02fb4ae633b32d995eb743f05c809a11
SHA1

2a0b7f69b70951de4070efaaa372eba24ba039ef
SHA256

7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969
SHA512

80221e606fc3d0c5b1c508e7d67b8eb999051d554ae60170cdcd8c5d8d912d35e1862c4035896c32eaddd835bb8adb63853bcf1f47731caebf146c7a3b194922

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 4 IoCs

resource	yara_rule
behavioral1/files/0x0005000000004ed7-61.dat	family_kutaki
behavioral1/files/0x0005000000004ed7-59.dat	family_kutaki
behavioral1/files/0x0005000000004ed7-58.dat	family_kutaki
behavioral1/files/0x0005000000004ed7-69.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
1596	pnejwech.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pnejwech.exe	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pnejwech.exe	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe

Loads dropped DLL 2 IoCs

pid	Process
1768	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe
1768	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	pnejwech.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1768	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe
1768	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe
1768	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe
1596	pnejwech.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1660	1768	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe	27
PID 1768 wrote to memory of 1660	1768	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe	27
PID 1768 wrote to memory of 1660	1768	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe	27
PID 1768 wrote to memory of 1660	1768	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe	27
PID 1768 wrote to memory of 1596	1768	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe	29
PID 1768 wrote to memory of 1596	1768	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe	29
PID 1768 wrote to memory of 1596	1768	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe	29
PID 1768 wrote to memory of 1596	1768	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe	29

C:\Users\Admin\AppData\Local\Temp\7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe
"C:\Users\Admin\AppData\Local\Temp\7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1660
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pnejwech.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pnejwech.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pnejwech.exe

Filesize
616KB

MD5
02fb4ae633b32d995eb743f05c809a11

SHA1
2a0b7f69b70951de4070efaaa372eba24ba039ef

SHA256
7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969

SHA512
80221e606fc3d0c5b1c508e7d67b8eb999051d554ae60170cdcd8c5d8d912d35e1862c4035896c32eaddd835bb8adb63853bcf1f47731caebf146c7a3b194922

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pnejwech.exe

Filesize
616KB

MD5
02fb4ae633b32d995eb743f05c809a11

SHA1
2a0b7f69b70951de4070efaaa372eba24ba039ef

SHA256
7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969

SHA512
80221e606fc3d0c5b1c508e7d67b8eb999051d554ae60170cdcd8c5d8d912d35e1862c4035896c32eaddd835bb8adb63853bcf1f47731caebf146c7a3b194922

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pnejwech.exe

Filesize
616KB

MD5
02fb4ae633b32d995eb743f05c809a11

SHA1
2a0b7f69b70951de4070efaaa372eba24ba039ef

SHA256
7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969

SHA512
80221e606fc3d0c5b1c508e7d67b8eb999051d554ae60170cdcd8c5d8d912d35e1862c4035896c32eaddd835bb8adb63853bcf1f47731caebf146c7a3b194922

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pnejwech.exe

Filesize
616KB

MD5
02fb4ae633b32d995eb743f05c809a11

SHA1
2a0b7f69b70951de4070efaaa372eba24ba039ef

SHA256
7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969

SHA512
80221e606fc3d0c5b1c508e7d67b8eb999051d554ae60170cdcd8c5d8d912d35e1862c4035896c32eaddd835bb8adb63853bcf1f47731caebf146c7a3b194922

Download Submit
memory/1596-65-0x0000000003F31000-0x0000000004DDD000-memory.dmp

Filesize
14.7MB

Download
memory/1596-66-0x0000000003EE0000-0x0000000003EEB000-memory.dmp

Filesize
44KB

Download
memory/1768-56-0x0000000075C01000-0x0000000075C03000-memory.dmp

Filesize
8KB

Download