kutaki | efc7ec481193132dd58b741c3ccf3451c950ac3a446bd966e9a4d266439b9451

Analysis

max time kernel
71s
max time network
74s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
06-09-2022 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tax Payment Challan.exe
Size

504KB
MD5

705d8000b54163c1dd91960beb5c89b0
SHA1

5dc9cb229d61bf68627376603aa569f025b651bf
SHA256

efc7ec481193132dd58b741c3ccf3451c950ac3a446bd966e9a4d266439b9451
SHA512

a2fee29eca137a6e870ef2860c2dc5571913ef8f77179c083baf7cd26b51f129c030ecd43b2d3889871ebf6d10b3ebdbf53196470f1b3fdf9c65a0175f9a4b70
SSDEEP

12288:2urv+oNBBIqJKcGB4/8vYjDpK8atfx8hDu:brv+oNBBf/8vYjEPx8hC

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://newbosslink.xyz/baba/new4.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001ac68-256.dat	family_kutaki
behavioral1/files/0x000a00000001ac68-272.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
4640	ch.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe	Tax Payment Challan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe	Tax Payment Challan.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3316	mspaint.exe
3316	mspaint.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4788	Tax Payment Challan.exe
4788	Tax Payment Challan.exe
4788	Tax Payment Challan.exe
4640	ch.exe
3316	mspaint.exe
4640	ch.exe
4640	ch.exe
3316	mspaint.exe
3316	mspaint.exe
3316	mspaint.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 1220	4788	Tax Payment Challan.exe	67
PID 4788 wrote to memory of 1220	4788	Tax Payment Challan.exe	67
PID 4788 wrote to memory of 1220	4788	Tax Payment Challan.exe	67
PID 1220 wrote to memory of 3316	1220	cmd.exe	70
PID 1220 wrote to memory of 3316	1220	cmd.exe	70
PID 1220 wrote to memory of 3316	1220	cmd.exe	70
PID 4788 wrote to memory of 4640	4788	Tax Payment Challan.exe	71
PID 4788 wrote to memory of 4640	4788	Tax Payment Challan.exe	71
PID 4788 wrote to memory of 4640	4788	Tax Payment Challan.exe	71

C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe
"C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3316
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4640

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe

Filesize
504KB

MD5
705d8000b54163c1dd91960beb5c89b0

SHA1
5dc9cb229d61bf68627376603aa569f025b651bf

SHA256
efc7ec481193132dd58b741c3ccf3451c950ac3a446bd966e9a4d266439b9451

SHA512
a2fee29eca137a6e870ef2860c2dc5571913ef8f77179c083baf7cd26b51f129c030ecd43b2d3889871ebf6d10b3ebdbf53196470f1b3fdf9c65a0175f9a4b70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe

Filesize
504KB

MD5
705d8000b54163c1dd91960beb5c89b0

SHA1
5dc9cb229d61bf68627376603aa569f025b651bf

SHA256
efc7ec481193132dd58b741c3ccf3451c950ac3a446bd966e9a4d266439b9451

SHA512
a2fee29eca137a6e870ef2860c2dc5571913ef8f77179c083baf7cd26b51f129c030ecd43b2d3889871ebf6d10b3ebdbf53196470f1b3fdf9c65a0175f9a4b70

Download Submit
memory/4788-146-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-177-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-118-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-119-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-120-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-121-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-122-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-123-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-124-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-125-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-150-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-128-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-127-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-129-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-130-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-131-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-132-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-133-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-134-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-135-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-136-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-137-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-138-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-139-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-140-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-141-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-142-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-143-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-145-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-116-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-181-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-117-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-126-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-151-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-152-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-153-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-154-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-155-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-156-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-157-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-158-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-159-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-161-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-160-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-162-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-163-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-164-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-165-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-166-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-168-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-167-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-169-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-170-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-171-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-172-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-174-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-173-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-175-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-176-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-149-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-180-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-148-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-179-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4788-178-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download