kutaki | 2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd

General

Target

2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd.exe
Size

600KB
MD5

e20264435aec9a9c68a91dd6b3a9fd80
SHA1

96ba4fa0a8c136975b67875fe3c1fa1012a41513
SHA256

2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd
SHA512

291978910b3ca2c91040bf76a3718fceb5647a2e678b323672c725f7d6a9028325204cc42d2c2788f0919821bfd924f508a2b90531b9932d6969ddb84c3ea4af

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 3 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000122d4-58.dat	family_kutaki
behavioral1/files/0x000a0000000122d4-59.dat	family_kutaki
behavioral1/files/0x000a0000000122d4-61.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
916	kzyzunch.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kzyzunch.exe	2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kzyzunch.exe	2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd.exe

Loads dropped DLL 2 IoCs

pid	Process
700	2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd.exe
700	2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
700	2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd.exe
700	2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd.exe
700	2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd.exe
916	kzyzunch.exe
916	kzyzunch.exe
916	kzyzunch.exe
916	kzyzunch.exe
916	kzyzunch.exe
916	kzyzunch.exe
916	kzyzunch.exe
916	kzyzunch.exe
916	kzyzunch.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 700 wrote to memory of 1724	700	2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd.exe	29
PID 700 wrote to memory of 1724	700	2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd.exe	29
PID 700 wrote to memory of 1724	700	2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd.exe	29
PID 700 wrote to memory of 1724	700	2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd.exe	29
PID 700 wrote to memory of 916	700	2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd.exe	31
PID 700 wrote to memory of 916	700	2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd.exe	31
PID 700 wrote to memory of 916	700	2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd.exe	31
PID 700 wrote to memory of 916	700	2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd.exe	31

C:\Users\Admin\AppData\Local\Temp\2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd.exe
"C:\Users\Admin\AppData\Local\Temp\2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1724
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kzyzunch.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kzyzunch.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kzyzunch.exe

Filesize
600KB

MD5
e20264435aec9a9c68a91dd6b3a9fd80

SHA1
96ba4fa0a8c136975b67875fe3c1fa1012a41513

SHA256
2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd

SHA512
291978910b3ca2c91040bf76a3718fceb5647a2e678b323672c725f7d6a9028325204cc42d2c2788f0919821bfd924f508a2b90531b9932d6969ddb84c3ea4af

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kzyzunch.exe

Filesize
600KB

MD5
e20264435aec9a9c68a91dd6b3a9fd80

SHA1
96ba4fa0a8c136975b67875fe3c1fa1012a41513

SHA256
2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd

SHA512
291978910b3ca2c91040bf76a3718fceb5647a2e678b323672c725f7d6a9028325204cc42d2c2788f0919821bfd924f508a2b90531b9932d6969ddb84c3ea4af

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kzyzunch.exe

Filesize
600KB

MD5
e20264435aec9a9c68a91dd6b3a9fd80

SHA1
96ba4fa0a8c136975b67875fe3c1fa1012a41513

SHA256
2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd

SHA512
291978910b3ca2c91040bf76a3718fceb5647a2e678b323672c725f7d6a9028325204cc42d2c2788f0919821bfd924f508a2b90531b9932d6969ddb84c3ea4af

Download Submit
memory/700-56-0x0000000076721000-0x0000000076723000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing