kutaki | d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69

Analysis

max time kernel
149s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08/09/2022, 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69.exe
Size

3.1MB
MD5

79e5e9c2a96ad4bf443565f151afd809
SHA1

a6a692f7e9733f823d9659e6bae87c096f0f1170
SHA256

d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69
SHA512

7d0f385dc4a480fe366461fd0221b7c792d41a35fea5b9586c083f5cf9f42a5a2a916c60bf71f82ce32b899c61626f761f51bfe904b9e8fee68d7605af8b4019
SSDEEP

12288:C1dAHWyU4QtcQSsdgHy46A9jmP/uhu/yMS08CkntxYRh:A1rtqfJfmP/UDMS08Ckn3g

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://ojorobia.club/laptop/laptop.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 3 IoCs

resource	yara_rule
behavioral1/files/0x00140000000054ab-58.dat	family_kutaki
behavioral1/files/0x00140000000054ab-61.dat	family_kutaki
behavioral1/files/0x00140000000054ab-59.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
1168	skvkvyfk.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skvkvyfk.exe	d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skvkvyfk.exe	d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69.exe

Loads dropped DLL 2 IoCs

pid	Process
1100	d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69.exe
1100	d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1100	d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69.exe
1100	d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69.exe
1100	d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe
1168	skvkvyfk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1304	1100	d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69.exe	28
PID 1100 wrote to memory of 1304	1100	d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69.exe	28
PID 1100 wrote to memory of 1304	1100	d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69.exe	28
PID 1100 wrote to memory of 1304	1100	d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69.exe	28
PID 1100 wrote to memory of 1168	1100	d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69.exe	30
PID 1100 wrote to memory of 1168	1100	d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69.exe	30
PID 1100 wrote to memory of 1168	1100	d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69.exe	30
PID 1100 wrote to memory of 1168	1100	d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69.exe	30

C:\Users\Admin\AppData\Local\Temp\d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69.exe
"C:\Users\Admin\AppData\Local\Temp\d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1304
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skvkvyfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skvkvyfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skvkvyfk.exe

Filesize
3.1MB

MD5
79e5e9c2a96ad4bf443565f151afd809

SHA1
a6a692f7e9733f823d9659e6bae87c096f0f1170

SHA256
d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69

SHA512
7d0f385dc4a480fe366461fd0221b7c792d41a35fea5b9586c083f5cf9f42a5a2a916c60bf71f82ce32b899c61626f761f51bfe904b9e8fee68d7605af8b4019

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skvkvyfk.exe

Filesize
3.1MB

MD5
79e5e9c2a96ad4bf443565f151afd809

SHA1
a6a692f7e9733f823d9659e6bae87c096f0f1170

SHA256
d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69

SHA512
7d0f385dc4a480fe366461fd0221b7c792d41a35fea5b9586c083f5cf9f42a5a2a916c60bf71f82ce32b899c61626f761f51bfe904b9e8fee68d7605af8b4019

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skvkvyfk.exe

Filesize
3.1MB

MD5
79e5e9c2a96ad4bf443565f151afd809

SHA1
a6a692f7e9733f823d9659e6bae87c096f0f1170

SHA256
d510b26ecf363b3ff1889ae6057482bbba5254cf7440ed42efaa37fa3aa8cf69

SHA512
7d0f385dc4a480fe366461fd0221b7c792d41a35fea5b9586c083f5cf9f42a5a2a916c60bf71f82ce32b899c61626f761f51bfe904b9e8fee68d7605af8b4019

Download Submit
memory/1100-56-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download