Analysis
-
max time kernel
63s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
27/05/2022, 23:40
General
-
Target
4c1bc4e929ba5c02a4fbba9b7bb3eb728a3f4e010e04a9c10189487c1843085e.exe
-
Size
560KB
-
MD5
f85699f0c3bca198228a5af7de67ecba
-
SHA1
56f4a24a398dae4e6e47d62832144673b3486f9f
-
SHA256
4c1bc4e929ba5c02a4fbba9b7bb3eb728a3f4e010e04a9c10189487c1843085e
-
SHA512
b170c937b015ae6a2ae98ae609f2c6626130681b95d45089d99d9bed9b8fffc54b170b1f69d0d2b64acbf8d3282e08e45b5accbdbbc753dbaa13d6ff510e3582
Malware Config
Signatures
-
Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
-
Kutaki Executable 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops startup file 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c1bc4e929ba5c02a4fbba9b7bb3eb728a3f4e010e04a9c10189487c1843085e.exe"C:\Users\Admin\AppData\Local\Temp\4c1bc4e929ba5c02a4fbba9b7bb3eb728a3f4e010e04a9c10189487c1843085e.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vlikwech.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vlikwech.exe"2⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
560KB
MD5f85699f0c3bca198228a5af7de67ecba
SHA156f4a24a398dae4e6e47d62832144673b3486f9f
SHA2564c1bc4e929ba5c02a4fbba9b7bb3eb728a3f4e010e04a9c10189487c1843085e
SHA512b170c937b015ae6a2ae98ae609f2c6626130681b95d45089d99d9bed9b8fffc54b170b1f69d0d2b64acbf8d3282e08e45b5accbdbbc753dbaa13d6ff510e3582
-
Filesize
560KB
MD5f85699f0c3bca198228a5af7de67ecba
SHA156f4a24a398dae4e6e47d62832144673b3486f9f
SHA2564c1bc4e929ba5c02a4fbba9b7bb3eb728a3f4e010e04a9c10189487c1843085e
SHA512b170c937b015ae6a2ae98ae609f2c6626130681b95d45089d99d9bed9b8fffc54b170b1f69d0d2b64acbf8d3282e08e45b5accbdbbc753dbaa13d6ff510e3582
-
Filesize
560KB
MD5f85699f0c3bca198228a5af7de67ecba
SHA156f4a24a398dae4e6e47d62832144673b3486f9f
SHA2564c1bc4e929ba5c02a4fbba9b7bb3eb728a3f4e010e04a9c10189487c1843085e
SHA512b170c937b015ae6a2ae98ae609f2c6626130681b95d45089d99d9bed9b8fffc54b170b1f69d0d2b64acbf8d3282e08e45b5accbdbbc753dbaa13d6ff510e3582
-
Filesize
8KB