kutaki | 4c8403e48c8fc0203b2472ec3e0d32445528e2081e07a5ae5ccedc8cf6fa1172

General

Target

TDS Payment Challan.exe
Size

671KB
MD5

62aea7e47f647f9d6d2cdacb15e4b163
SHA1

884550e92ac4ad9c24f3473d889b9247775f5ee5
SHA256

73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3
SHA512

59cdbc399225f2bf6fb3f56cfaa4c3705a0a5f23ae7d59ccf14467c19adc6ef5694fa91afae80ebeedd44ac3974923b6d8c616d87cc55a0d2fd8e2310108c283

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 4 IoCs

resource	yara_rule
behavioral1/files/0x0005000000004ed7-58.dat	family_kutaki
behavioral1/files/0x0005000000004ed7-59.dat	family_kutaki
behavioral1/files/0x0005000000004ed7-61.dat	family_kutaki
behavioral1/files/0x0005000000004ed7-67.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
1352	lunlerio.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe	TDS Payment Challan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe	TDS Payment Challan.exe

Loads dropped DLL 2 IoCs

pid	Process
848	TDS Payment Challan.exe
848	TDS Payment Challan.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	lunlerio.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	lunlerio.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	lunlerio.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
848	TDS Payment Challan.exe
848	TDS Payment Challan.exe
848	TDS Payment Challan.exe
1352	lunlerio.exe
1352	lunlerio.exe
1352	lunlerio.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1904	848	TDS Payment Challan.exe	26
PID 848 wrote to memory of 1904	848	TDS Payment Challan.exe	26
PID 848 wrote to memory of 1904	848	TDS Payment Challan.exe	26
PID 848 wrote to memory of 1904	848	TDS Payment Challan.exe	26
PID 848 wrote to memory of 1352	848	TDS Payment Challan.exe	28
PID 848 wrote to memory of 1352	848	TDS Payment Challan.exe	28
PID 848 wrote to memory of 1352	848	TDS Payment Challan.exe	28
PID 848 wrote to memory of 1352	848	TDS Payment Challan.exe	28

C:\Users\Admin\AppData\Local\Temp\TDS Payment Challan.exe
"C:\Users\Admin\AppData\Local\Temp\TDS Payment Challan.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1904
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

Filesize
671KB

MD5
62aea7e47f647f9d6d2cdacb15e4b163

SHA1
884550e92ac4ad9c24f3473d889b9247775f5ee5

SHA256
73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3

SHA512
59cdbc399225f2bf6fb3f56cfaa4c3705a0a5f23ae7d59ccf14467c19adc6ef5694fa91afae80ebeedd44ac3974923b6d8c616d87cc55a0d2fd8e2310108c283

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

Filesize
671KB

MD5
62aea7e47f647f9d6d2cdacb15e4b163

SHA1
884550e92ac4ad9c24f3473d889b9247775f5ee5

SHA256
73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3

SHA512
59cdbc399225f2bf6fb3f56cfaa4c3705a0a5f23ae7d59ccf14467c19adc6ef5694fa91afae80ebeedd44ac3974923b6d8c616d87cc55a0d2fd8e2310108c283

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

Filesize
671KB

MD5
62aea7e47f647f9d6d2cdacb15e4b163

SHA1
884550e92ac4ad9c24f3473d889b9247775f5ee5

SHA256
73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3

SHA512
59cdbc399225f2bf6fb3f56cfaa4c3705a0a5f23ae7d59ccf14467c19adc6ef5694fa91afae80ebeedd44ac3974923b6d8c616d87cc55a0d2fd8e2310108c283

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

Filesize
671KB

MD5
62aea7e47f647f9d6d2cdacb15e4b163

SHA1
884550e92ac4ad9c24f3473d889b9247775f5ee5

SHA256
73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3

SHA512
59cdbc399225f2bf6fb3f56cfaa4c3705a0a5f23ae7d59ccf14467c19adc6ef5694fa91afae80ebeedd44ac3974923b6d8c616d87cc55a0d2fd8e2310108c283

Download Submit
memory/848-56-0x0000000075951000-0x0000000075953000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing