kutaki | 0392b3c77ea02a9d0ab0a5802b0a8880989a1afd0a74cdbfe6bf540c92cfda1f

Analysis

max time kernel
149s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24/09/2022, 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JTF.exe
Size

368KB
MD5

9cb5c7e9ff6a1ebadffdf841e4b0c365
SHA1

d84cd78c91fb38976dbcd2a215aa1c04683b0b86
SHA256

2a912155052a824834d135b4d4e76d05287070c5141311b9a86e54ddbde13268
SHA512

32cf5449200fae46a22196901dd2c25cd2da3c9611aaddbb589e49518b80f7a77d1371e76174b9868782fb6688a910006fafcfca0c92dbdf3aae1ae97fe83d69
SSDEEP

6144:tL0Vwc4W4Es+CS/wUcvzUjSa5pK2mKdl0TruunfD09gfJChgGJhCj:tL0aB4/8vYjDpK8atfx8hDu

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://newbosslink.xyz/baba/new4.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000001435a-61.dat	family_kutaki
behavioral1/files/0x000600000001435a-60.dat	family_kutaki
behavioral1/files/0x000600000001435a-63.dat	family_kutaki

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	1344	rundll32.exe
6	1344	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
1416	ch.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe	JTF.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe	JTF.exe

Loads dropped DLL 2 IoCs

pid	Process
860	JTF.exe
860	JTF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\OOBGameInstalled = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1432	DllHost.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
860	JTF.exe
860	JTF.exe
860	JTF.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe
1416	ch.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 1344	860	JTF.exe	27
PID 860 wrote to memory of 1344	860	JTF.exe	27
PID 860 wrote to memory of 1344	860	JTF.exe	27
PID 860 wrote to memory of 1344	860	JTF.exe	27
PID 860 wrote to memory of 1344	860	JTF.exe	27
PID 860 wrote to memory of 1344	860	JTF.exe	27
PID 860 wrote to memory of 1344	860	JTF.exe	27
PID 860 wrote to memory of 1408	860	JTF.exe	29
PID 860 wrote to memory of 1408	860	JTF.exe	29
PID 860 wrote to memory of 1408	860	JTF.exe	29
PID 860 wrote to memory of 1408	860	JTF.exe	29
PID 860 wrote to memory of 1416	860	JTF.exe	31
PID 860 wrote to memory of 1416	860	JTF.exe	31
PID 860 wrote to memory of 1416	860	JTF.exe	31
PID 860 wrote to memory of 1416	860	JTF.exe	31

C:\Users\Admin\AppData\Local\Temp\JTF.exe
"C:\Users\Admin\AppData\Local\Temp\JTF.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {5a64ed63-e1e7-483d-891e-a97ce4acaebb};C:\Users\Admin\AppData\Local\Temp\JTF.exe;860
  2⤵
  - Blocklisted process makes network request
  - Modifies registry class
  PID:1344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
  2⤵
  PID:1408
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1416

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe

Filesize
368KB

MD5
9cb5c7e9ff6a1ebadffdf841e4b0c365

SHA1
d84cd78c91fb38976dbcd2a215aa1c04683b0b86

SHA256
2a912155052a824834d135b4d4e76d05287070c5141311b9a86e54ddbde13268

SHA512
32cf5449200fae46a22196901dd2c25cd2da3c9611aaddbb589e49518b80f7a77d1371e76174b9868782fb6688a910006fafcfca0c92dbdf3aae1ae97fe83d69

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe

Filesize
368KB

MD5
9cb5c7e9ff6a1ebadffdf841e4b0c365

SHA1
d84cd78c91fb38976dbcd2a215aa1c04683b0b86

SHA256
2a912155052a824834d135b4d4e76d05287070c5141311b9a86e54ddbde13268

SHA512
32cf5449200fae46a22196901dd2c25cd2da3c9611aaddbb589e49518b80f7a77d1371e76174b9868782fb6688a910006fafcfca0c92dbdf3aae1ae97fe83d69

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe

Filesize
368KB

MD5
9cb5c7e9ff6a1ebadffdf841e4b0c365

SHA1
d84cd78c91fb38976dbcd2a215aa1c04683b0b86

SHA256
2a912155052a824834d135b4d4e76d05287070c5141311b9a86e54ddbde13268

SHA512
32cf5449200fae46a22196901dd2c25cd2da3c9611aaddbb589e49518b80f7a77d1371e76174b9868782fb6688a910006fafcfca0c92dbdf3aae1ae97fe83d69

Download Submit
memory/860-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1416-68-0x00000000032F0000-0x0000000003DAA000-memory.dmp

Filesize
10.7MB

Download