kutaki | 0d3cf290f14c09e02aa3cea0c711e01955131d829cf7369b1f2dba351ba49d76

General

Target

0d3cf290f14c09e02aa3cea0c711e01955131d829cf7369b1f2dba351ba49d76.exe
Size

499KB
MD5

ee9d608c58f615144948a76f0c271dda
SHA1

f95fcd18d45361e61b6947c4002e10b714b12127
SHA256

0d3cf290f14c09e02aa3cea0c711e01955131d829cf7369b1f2dba351ba49d76
SHA512

32c45c057f1cdbf85085fb07cd490489acbf44d17dd6985141145807e441d8837c0be2650c664e1aaef39da968131435ebdf01446f064167ad42929f2d8dc503

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x00030000000006fd-134.dat	family_kutaki
behavioral2/files/0x00030000000006fd-135.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
4252	lunlerio.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe	0d3cf290f14c09e02aa3cea0c711e01955131d829cf7369b1f2dba351ba49d76.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe	0d3cf290f14c09e02aa3cea0c711e01955131d829cf7369b1f2dba351ba49d76.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	lunlerio.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	lunlerio.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2896	0d3cf290f14c09e02aa3cea0c711e01955131d829cf7369b1f2dba351ba49d76.exe
2896	0d3cf290f14c09e02aa3cea0c711e01955131d829cf7369b1f2dba351ba49d76.exe
2896	0d3cf290f14c09e02aa3cea0c711e01955131d829cf7369b1f2dba351ba49d76.exe
4252	lunlerio.exe
4252	lunlerio.exe
4252	lunlerio.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 3016	2896	0d3cf290f14c09e02aa3cea0c711e01955131d829cf7369b1f2dba351ba49d76.exe	80
PID 2896 wrote to memory of 3016	2896	0d3cf290f14c09e02aa3cea0c711e01955131d829cf7369b1f2dba351ba49d76.exe	80
PID 2896 wrote to memory of 3016	2896	0d3cf290f14c09e02aa3cea0c711e01955131d829cf7369b1f2dba351ba49d76.exe	80
PID 2896 wrote to memory of 4252	2896	0d3cf290f14c09e02aa3cea0c711e01955131d829cf7369b1f2dba351ba49d76.exe	82
PID 2896 wrote to memory of 4252	2896	0d3cf290f14c09e02aa3cea0c711e01955131d829cf7369b1f2dba351ba49d76.exe	82
PID 2896 wrote to memory of 4252	2896	0d3cf290f14c09e02aa3cea0c711e01955131d829cf7369b1f2dba351ba49d76.exe	82

C:\Users\Admin\AppData\Local\Temp\0d3cf290f14c09e02aa3cea0c711e01955131d829cf7369b1f2dba351ba49d76.exe
"C:\Users\Admin\AppData\Local\Temp\0d3cf290f14c09e02aa3cea0c711e01955131d829cf7369b1f2dba351ba49d76.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:3016
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious use of SetWindowsHookEx
  PID:4252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

Filesize
499KB

MD5
ee9d608c58f615144948a76f0c271dda

SHA1
f95fcd18d45361e61b6947c4002e10b714b12127

SHA256
0d3cf290f14c09e02aa3cea0c711e01955131d829cf7369b1f2dba351ba49d76

SHA512
32c45c057f1cdbf85085fb07cd490489acbf44d17dd6985141145807e441d8837c0be2650c664e1aaef39da968131435ebdf01446f064167ad42929f2d8dc503

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

Filesize
499KB

MD5
ee9d608c58f615144948a76f0c271dda

SHA1
f95fcd18d45361e61b6947c4002e10b714b12127

SHA256
0d3cf290f14c09e02aa3cea0c711e01955131d829cf7369b1f2dba351ba49d76

SHA512
32c45c057f1cdbf85085fb07cd490489acbf44d17dd6985141145807e441d8837c0be2650c664e1aaef39da968131435ebdf01446f064167ad42929f2d8dc503

Download Submit

Analysis

Sharing