Analysis
-
max time kernel
116s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
30/08/2022, 18:53
General
-
Target
HDFC Payment Receipt.exe
-
Size
536KB
-
MD5
2a189ba5e989daca58342a7dd038b142
-
SHA1
abbaecc7acad08d1163a452cb56aa1d71c3582f8
-
SHA256
5587ae6cef689c180254ba9d455eb62c171c4bbb20f82af7450ea2eeff4eac1e
-
SHA512
f22d03a70d3177096acb5f62f9f6949df2478cb7d2dea40fc2057b6f8ebf8bc28320f23e1c9a4edd92753baa989cea7d19482582a6d5878d3e9815c0ab800baa
-
SSDEEP
6144:NT1htGytvUf4yclQgx7+8DfpedxbKT3F9opcVyUW4Es+CS/wUcvzUjSa5pK2mKd4:7P+8DpFTvodUB4/8vYjDpK8atfx8hDu
Malware Config
Extracted
kutaki
http://newbosslink.xyz/baba/new4.php
Signatures
-
Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
-
Kutaki Executable 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops startup file 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\HDFC Payment Receipt.exe"C:\Users\Admin\AppData\Local\Temp\HDFC Payment Receipt.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
536KB
MD52a189ba5e989daca58342a7dd038b142
SHA1abbaecc7acad08d1163a452cb56aa1d71c3582f8
SHA2565587ae6cef689c180254ba9d455eb62c171c4bbb20f82af7450ea2eeff4eac1e
SHA512f22d03a70d3177096acb5f62f9f6949df2478cb7d2dea40fc2057b6f8ebf8bc28320f23e1c9a4edd92753baa989cea7d19482582a6d5878d3e9815c0ab800baa
-
Filesize
536KB
MD52a189ba5e989daca58342a7dd038b142
SHA1abbaecc7acad08d1163a452cb56aa1d71c3582f8
SHA2565587ae6cef689c180254ba9d455eb62c171c4bbb20f82af7450ea2eeff4eac1e
SHA512f22d03a70d3177096acb5f62f9f6949df2478cb7d2dea40fc2057b6f8ebf8bc28320f23e1c9a4edd92753baa989cea7d19482582a6d5878d3e9815c0ab800baa
-
Filesize
536KB
MD52a189ba5e989daca58342a7dd038b142
SHA1abbaecc7acad08d1163a452cb56aa1d71c3582f8
SHA2565587ae6cef689c180254ba9d455eb62c171c4bbb20f82af7450ea2eeff4eac1e
SHA512f22d03a70d3177096acb5f62f9f6949df2478cb7d2dea40fc2057b6f8ebf8bc28320f23e1c9a4edd92753baa989cea7d19482582a6d5878d3e9815c0ab800baa
-
Filesize
8KB
-
Filesize
10.7MB