kutaki | 7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969

General

Target

7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe
Size

616KB
MD5

02fb4ae633b32d995eb743f05c809a11
SHA1

2a0b7f69b70951de4070efaaa372eba24ba039ef
SHA256

7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969
SHA512

80221e606fc3d0c5b1c508e7d67b8eb999051d554ae60170cdcd8c5d8d912d35e1862c4035896c32eaddd835bb8adb63853bcf1f47731caebf146c7a3b194922

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x001300000001da39-134.dat	family_kutaki
behavioral2/files/0x001300000001da39-135.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
4708	adnvdjch.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adnvdjch.exe	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adnvdjch.exe	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1620	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe
1620	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe
1620	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe
4708	adnvdjch.exe
4708	adnvdjch.exe
4708	adnvdjch.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 312	1620	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe	79
PID 1620 wrote to memory of 312	1620	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe	79
PID 1620 wrote to memory of 312	1620	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe	79
PID 1620 wrote to memory of 4708	1620	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe	83
PID 1620 wrote to memory of 4708	1620	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe	83
PID 1620 wrote to memory of 4708	1620	7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe	83

C:\Users\Admin\AppData\Local\Temp\7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe
"C:\Users\Admin\AppData\Local\Temp\7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:312
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adnvdjch.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adnvdjch.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adnvdjch.exe

Filesize
616KB

MD5
02fb4ae633b32d995eb743f05c809a11

SHA1
2a0b7f69b70951de4070efaaa372eba24ba039ef

SHA256
7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969

SHA512
80221e606fc3d0c5b1c508e7d67b8eb999051d554ae60170cdcd8c5d8d912d35e1862c4035896c32eaddd835bb8adb63853bcf1f47731caebf146c7a3b194922

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adnvdjch.exe

Filesize
616KB

MD5
02fb4ae633b32d995eb743f05c809a11

SHA1
2a0b7f69b70951de4070efaaa372eba24ba039ef

SHA256
7e4a52fd3f3714a68347a797a900fe73c4b53ac61d2c685ac180cf8664006969

SHA512
80221e606fc3d0c5b1c508e7d67b8eb999051d554ae60170cdcd8c5d8d912d35e1862c4035896c32eaddd835bb8adb63853bcf1f47731caebf146c7a3b194922

Download Submit

Analysis

Sharing