kutaki | 1296e4f3c4f9a4475649f2aa811d3d79d46efccc3070e2073ba89b4d124fc1e3

General

Target

TDS Challan.exe
Size

1.1MB
MD5

bdfe1051fc246f74193f5e5c8749b7ec
SHA1

78a61790dccb94853e233ec1f75db3ee6055b5de
SHA256

62e4ce478f0bc615d11257a09a9ed68ae42c2ada0e4c62c548f1245befa04462
SHA512

e1d1c9ce40de4e922f0a5c1bad4f565251fc3bc6d9e763b1d027f9a00edee9589c094a0586e9d87a49c3f6812e2ca4e6d7777f171502583dcc215900fc851de7

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 4 IoCs

resource	yara_rule
behavioral1/files/0x000d000000005ba9-58.dat	family_kutaki
behavioral1/files/0x000d000000005ba9-59.dat	family_kutaki
behavioral1/files/0x000d000000005ba9-61.dat	family_kutaki
behavioral1/files/0x000d000000005ba9-67.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
1764	hyuder.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe	TDS Challan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe	TDS Challan.exe

Loads dropped DLL 2 IoCs

pid	Process
1980	TDS Challan.exe
1980	TDS Challan.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hyuder.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	hyuder.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	hyuder.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1980	TDS Challan.exe
1980	TDS Challan.exe
1980	TDS Challan.exe
1764	hyuder.exe
1764	hyuder.exe
1764	hyuder.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2004	1980	TDS Challan.exe	27
PID 1980 wrote to memory of 2004	1980	TDS Challan.exe	27
PID 1980 wrote to memory of 2004	1980	TDS Challan.exe	27
PID 1980 wrote to memory of 2004	1980	TDS Challan.exe	27
PID 1980 wrote to memory of 1764	1980	TDS Challan.exe	29
PID 1980 wrote to memory of 1764	1980	TDS Challan.exe	29
PID 1980 wrote to memory of 1764	1980	TDS Challan.exe	29
PID 1980 wrote to memory of 1764	1980	TDS Challan.exe	29

C:\Users\Admin\AppData\Local\Temp\TDS Challan.exe
"C:\Users\Admin\AppData\Local\Temp\TDS Challan.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:2004
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe

Filesize
1.1MB

MD5
bdfe1051fc246f74193f5e5c8749b7ec

SHA1
78a61790dccb94853e233ec1f75db3ee6055b5de

SHA256
62e4ce478f0bc615d11257a09a9ed68ae42c2ada0e4c62c548f1245befa04462

SHA512
e1d1c9ce40de4e922f0a5c1bad4f565251fc3bc6d9e763b1d027f9a00edee9589c094a0586e9d87a49c3f6812e2ca4e6d7777f171502583dcc215900fc851de7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe

Filesize
1.1MB

MD5
bdfe1051fc246f74193f5e5c8749b7ec

SHA1
78a61790dccb94853e233ec1f75db3ee6055b5de

SHA256
62e4ce478f0bc615d11257a09a9ed68ae42c2ada0e4c62c548f1245befa04462

SHA512
e1d1c9ce40de4e922f0a5c1bad4f565251fc3bc6d9e763b1d027f9a00edee9589c094a0586e9d87a49c3f6812e2ca4e6d7777f171502583dcc215900fc851de7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe

Filesize
1.1MB

MD5
bdfe1051fc246f74193f5e5c8749b7ec

SHA1
78a61790dccb94853e233ec1f75db3ee6055b5de

SHA256
62e4ce478f0bc615d11257a09a9ed68ae42c2ada0e4c62c548f1245befa04462

SHA512
e1d1c9ce40de4e922f0a5c1bad4f565251fc3bc6d9e763b1d027f9a00edee9589c094a0586e9d87a49c3f6812e2ca4e6d7777f171502583dcc215900fc851de7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe

Filesize
1.1MB

MD5
bdfe1051fc246f74193f5e5c8749b7ec

SHA1
78a61790dccb94853e233ec1f75db3ee6055b5de

SHA256
62e4ce478f0bc615d11257a09a9ed68ae42c2ada0e4c62c548f1245befa04462

SHA512
e1d1c9ce40de4e922f0a5c1bad4f565251fc3bc6d9e763b1d027f9a00edee9589c094a0586e9d87a49c3f6812e2ca4e6d7777f171502583dcc215900fc851de7

Download Submit
memory/1980-56-0x00000000768D1000-0x00000000768D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing