kutaki | 5656c83c7d8cf3e80122d9bf2417f4c6089f14f8db2d12f9c64f7293784b1d59

General

Target

Tax Payment Challan.exe
Size

1.0MB
MD5

7d9d24216b329d14d4dd428a23070f29
SHA1

636d97af3f64ad9efe07c5b820e7afddbbf89f74
SHA256

998388008566177928bfbd0f18e36df434f262dc316726dff764e9b21045881b
SHA512

4af9920e7a8d73457702c6ab7b27eb20bd42d4ccc18d8e5c2014e319584894f263d613a72d3de3a44a811a60dfa1bbb10371bc3ffce28d2ac22978fc23f06e53

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 4 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012314-58.dat	family_kutaki
behavioral1/files/0x000a000000012314-59.dat	family_kutaki
behavioral1/files/0x000a000000012314-61.dat	family_kutaki
behavioral1/files/0x000a000000012314-66.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
1664	jpomdvf.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jpomdvf.exe	Tax Payment Challan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jpomdvf.exe	Tax Payment Challan.exe

Loads dropped DLL 2 IoCs

pid	Process
1764	Tax Payment Challan.exe
1764	Tax Payment Challan.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	jpomdvf.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	jpomdvf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main	jpomdvf.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1764	Tax Payment Challan.exe
1764	Tax Payment Challan.exe
1764	Tax Payment Challan.exe
1664	jpomdvf.exe
1664	jpomdvf.exe
1664	jpomdvf.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1660	1764	Tax Payment Challan.exe	28
PID 1764 wrote to memory of 1660	1764	Tax Payment Challan.exe	28
PID 1764 wrote to memory of 1660	1764	Tax Payment Challan.exe	28
PID 1764 wrote to memory of 1660	1764	Tax Payment Challan.exe	28
PID 1764 wrote to memory of 1664	1764	Tax Payment Challan.exe	30
PID 1764 wrote to memory of 1664	1764	Tax Payment Challan.exe	30
PID 1764 wrote to memory of 1664	1764	Tax Payment Challan.exe	30
PID 1764 wrote to memory of 1664	1764	Tax Payment Challan.exe	30

C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe
"C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1660
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jpomdvf.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jpomdvf.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jpomdvf.exe

Filesize
1.0MB

MD5
7d9d24216b329d14d4dd428a23070f29

SHA1
636d97af3f64ad9efe07c5b820e7afddbbf89f74

SHA256
998388008566177928bfbd0f18e36df434f262dc316726dff764e9b21045881b

SHA512
4af9920e7a8d73457702c6ab7b27eb20bd42d4ccc18d8e5c2014e319584894f263d613a72d3de3a44a811a60dfa1bbb10371bc3ffce28d2ac22978fc23f06e53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jpomdvf.exe

Filesize
1.0MB

MD5
7d9d24216b329d14d4dd428a23070f29

SHA1
636d97af3f64ad9efe07c5b820e7afddbbf89f74

SHA256
998388008566177928bfbd0f18e36df434f262dc316726dff764e9b21045881b

SHA512
4af9920e7a8d73457702c6ab7b27eb20bd42d4ccc18d8e5c2014e319584894f263d613a72d3de3a44a811a60dfa1bbb10371bc3ffce28d2ac22978fc23f06e53

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jpomdvf.exe

Filesize
1.0MB

MD5
7d9d24216b329d14d4dd428a23070f29

SHA1
636d97af3f64ad9efe07c5b820e7afddbbf89f74

SHA256
998388008566177928bfbd0f18e36df434f262dc316726dff764e9b21045881b

SHA512
4af9920e7a8d73457702c6ab7b27eb20bd42d4ccc18d8e5c2014e319584894f263d613a72d3de3a44a811a60dfa1bbb10371bc3ffce28d2ac22978fc23f06e53

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jpomdvf.exe

Filesize
1.0MB

MD5
7d9d24216b329d14d4dd428a23070f29

SHA1
636d97af3f64ad9efe07c5b820e7afddbbf89f74

SHA256
998388008566177928bfbd0f18e36df434f262dc316726dff764e9b21045881b

SHA512
4af9920e7a8d73457702c6ab7b27eb20bd42d4ccc18d8e5c2014e319584894f263d613a72d3de3a44a811a60dfa1bbb10371bc3ffce28d2ac22978fc23f06e53

Download Submit
memory/1664-65-0x00000000040C1000-0x0000000004F6D000-memory.dmp

Filesize
14.7MB

Download
memory/1764-56-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing