kutaki | c540c69985914bd3e5f0fda62e55dde2bbea52c94305f305092fda4fa954c5b3

Analysis

max time kernel
148s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2022, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HDFC Payment Receipt.exe
Size

536KB
MD5

2a189ba5e989daca58342a7dd038b142
SHA1

abbaecc7acad08d1163a452cb56aa1d71c3582f8
SHA256

5587ae6cef689c180254ba9d455eb62c171c4bbb20f82af7450ea2eeff4eac1e
SHA512

f22d03a70d3177096acb5f62f9f6949df2478cb7d2dea40fc2057b6f8ebf8bc28320f23e1c9a4edd92753baa989cea7d19482582a6d5878d3e9815c0ab800baa
SSDEEP

6144:NT1htGytvUf4yclQgx7+8DfpedxbKT3F9opcVyUW4Es+CS/wUcvzUjSa5pK2mKd4:7P+8DpFTvodUB4/8vYjDpK8atfx8hDu

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://newbosslink.xyz/baba/new4.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000022e35-137.dat	family_kutaki
behavioral2/files/0x000a000000022e35-138.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
4364	ch.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe	HDFC Payment Receipt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe	HDFC Payment Receipt.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
100	mspaint.exe
100	mspaint.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4196	HDFC Payment Receipt.exe
4196	HDFC Payment Receipt.exe
4196	HDFC Payment Receipt.exe
100	mspaint.exe
100	mspaint.exe
4364	ch.exe
100	mspaint.exe
100	mspaint.exe
4364	ch.exe
4364	ch.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 5052	4196	HDFC Payment Receipt.exe	83
PID 4196 wrote to memory of 5052	4196	HDFC Payment Receipt.exe	83
PID 4196 wrote to memory of 5052	4196	HDFC Payment Receipt.exe	83
PID 5052 wrote to memory of 100	5052	cmd.exe	85
PID 5052 wrote to memory of 100	5052	cmd.exe	85
PID 5052 wrote to memory of 100	5052	cmd.exe	85
PID 4196 wrote to memory of 4364	4196	HDFC Payment Receipt.exe	91
PID 4196 wrote to memory of 4364	4196	HDFC Payment Receipt.exe	91
PID 4196 wrote to memory of 4364	4196	HDFC Payment Receipt.exe	91

C:\Users\Admin\AppData\Local\Temp\HDFC Payment Receipt.exe
"C:\Users\Admin\AppData\Local\Temp\HDFC Payment Receipt.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:100
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:2644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe

Filesize
536KB

MD5
2a189ba5e989daca58342a7dd038b142

SHA1
abbaecc7acad08d1163a452cb56aa1d71c3582f8

SHA256
5587ae6cef689c180254ba9d455eb62c171c4bbb20f82af7450ea2eeff4eac1e

SHA512
f22d03a70d3177096acb5f62f9f6949df2478cb7d2dea40fc2057b6f8ebf8bc28320f23e1c9a4edd92753baa989cea7d19482582a6d5878d3e9815c0ab800baa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe

Filesize
536KB

MD5
2a189ba5e989daca58342a7dd038b142

SHA1
abbaecc7acad08d1163a452cb56aa1d71c3582f8

SHA256
5587ae6cef689c180254ba9d455eb62c171c4bbb20f82af7450ea2eeff4eac1e

SHA512
f22d03a70d3177096acb5f62f9f6949df2478cb7d2dea40fc2057b6f8ebf8bc28320f23e1c9a4edd92753baa989cea7d19482582a6d5878d3e9815c0ab800baa

Download Submit