Analysis

  • max time kernel
    73s
  • max time network
    39s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    01-07-2022 07:01

General

  • Target

    bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe

  • Size

    568KB

  • MD5

    3acd878dcad8af0f84eae82ae801b654

  • SHA1

    14931b89a4adada1d61e9aa3d437ce74045898ce

  • SHA256

    bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09

  • SHA512

    934131e128f7ed31b92e7340100b6a50d1fa40482c3ea8fbff91f21cc6718fc7cc66eaf235d5746d51ba22872a499c1f659c69477bf07f3d60ac1bb6a74075c6

Malware Config

Signatures

  • Kutaki

    Information stealer and keylogger that hides inside legitimate Visual Basic applications.

  • Kutaki Executable 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe
    "C:\Users\Admin\AppData\Local\Temp\bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
      2⤵
        PID:1304
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxrskuch.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxrskuch.exe"
        2⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious use of SetWindowsHookEx
        PID:1528

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxrskuch.exe

      Filesize

      568KB

      MD5

      3acd878dcad8af0f84eae82ae801b654

      SHA1

      14931b89a4adada1d61e9aa3d437ce74045898ce

      SHA256

      bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09

      SHA512

      934131e128f7ed31b92e7340100b6a50d1fa40482c3ea8fbff91f21cc6718fc7cc66eaf235d5746d51ba22872a499c1f659c69477bf07f3d60ac1bb6a74075c6

    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxrskuch.exe

      Filesize

      568KB

      MD5

      3acd878dcad8af0f84eae82ae801b654

      SHA1

      14931b89a4adada1d61e9aa3d437ce74045898ce

      SHA256

      bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09

      SHA512

      934131e128f7ed31b92e7340100b6a50d1fa40482c3ea8fbff91f21cc6718fc7cc66eaf235d5746d51ba22872a499c1f659c69477bf07f3d60ac1bb6a74075c6

    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxrskuch.exe

      Filesize

      568KB

      MD5

      3acd878dcad8af0f84eae82ae801b654

      SHA1

      14931b89a4adada1d61e9aa3d437ce74045898ce

      SHA256

      bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09

      SHA512

      934131e128f7ed31b92e7340100b6a50d1fa40482c3ea8fbff91f21cc6718fc7cc66eaf235d5746d51ba22872a499c1f659c69477bf07f3d60ac1bb6a74075c6

    • memory/1304-57-0x0000000000000000-mapping.dmp

    • memory/1528-60-0x0000000000000000-mapping.dmp

    • memory/1976-56-0x00000000757C1000-0x00000000757C3000-memory.dmp

      Filesize

      8KB