Analysis
-
max time kernel
97s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
19/09/2022, 11:11
General
-
Target
ITC.exe
-
Size
544KB
-
MD5
039f072565f5c1a20edbddc6a8cd4b7e
-
SHA1
0b0577a885f82fd073dc1f86e5ee6e72054030e1
-
SHA256
83d66249977c93aee45be9aa3e6ccfc2b450c23bc9db6e8e0764ed35e1b5a06e
-
SHA512
74a08454326688fc944d05ec9d37ee21aa1de2bd5ab5d03c7360bf0245650a083bb8e77fba876475513750154809c437db0fd92b18386fcca98cc3d82cf907fd
-
SSDEEP
6144:m8ylUOltoMFD95ad/gvlfZPFHrbl3wL0n9/G0GM5JLMKRMWBXd+tPdv5W4Es+CSE:p2YcJmW/+b5B4/8vYjDpK8atfx8hDu
Malware Config
Extracted
kutaki
http://newbosslink.xyz/baba/new4.php
Signatures
-
Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
-
Kutaki Executable 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops startup file 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ITC.exe"C:\Users\Admin\AppData\Local\Temp\ITC.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
544KB
MD5039f072565f5c1a20edbddc6a8cd4b7e
SHA10b0577a885f82fd073dc1f86e5ee6e72054030e1
SHA25683d66249977c93aee45be9aa3e6ccfc2b450c23bc9db6e8e0764ed35e1b5a06e
SHA51274a08454326688fc944d05ec9d37ee21aa1de2bd5ab5d03c7360bf0245650a083bb8e77fba876475513750154809c437db0fd92b18386fcca98cc3d82cf907fd
-
Filesize
544KB
MD5039f072565f5c1a20edbddc6a8cd4b7e
SHA10b0577a885f82fd073dc1f86e5ee6e72054030e1
SHA25683d66249977c93aee45be9aa3e6ccfc2b450c23bc9db6e8e0764ed35e1b5a06e
SHA51274a08454326688fc944d05ec9d37ee21aa1de2bd5ab5d03c7360bf0245650a083bb8e77fba876475513750154809c437db0fd92b18386fcca98cc3d82cf907fd
-
Filesize
544KB
MD5039f072565f5c1a20edbddc6a8cd4b7e
SHA10b0577a885f82fd073dc1f86e5ee6e72054030e1
SHA25683d66249977c93aee45be9aa3e6ccfc2b450c23bc9db6e8e0764ed35e1b5a06e
SHA51274a08454326688fc944d05ec9d37ee21aa1de2bd5ab5d03c7360bf0245650a083bb8e77fba876475513750154809c437db0fd92b18386fcca98cc3d82cf907fd
-
Filesize
8KB