kutaki | 42c326b155960ea90143b31d14c48bf081d6dc6bb74ce383cace3cdfe844a403

Analysis

max time kernel
155s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Receipt.exe
Size

557KB
MD5

8aa46a680dee1077ddc3c3532f257f1c
SHA1

a0dd12b6d29540516de63419f7c9968e94c1adba
SHA256

42c326b155960ea90143b31d14c48bf081d6dc6bb74ce383cace3cdfe844a403
SHA512

5a4d528e7c7783aaaae84409190cdca68a2914edb040332aa65f8662288cd4e8aba1d5afde766f415717b90123c258e0aaf1cad6bc2b8af5994c6be404a8d223
SSDEEP

12288:TF5lcY4VALRvG46A9jmP/uhu/yMS08CkntxYRtL:xcOXfmP/UDMS08Ckn30

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://newbosslink.xyz/baba/new4.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e74b-138.dat	family_kutaki
behavioral2/files/0x000300000001e74b-137.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
2180	rofyyxfk.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rofyyxfk.exe	Receipt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rofyyxfk.exe	Receipt.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4540	mspaint.exe
4540	mspaint.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4080	Receipt.exe
4080	Receipt.exe
4080	Receipt.exe
4540	mspaint.exe
2180	rofyyxfk.exe
2180	rofyyxfk.exe
2180	rofyyxfk.exe
4540	mspaint.exe
4540	mspaint.exe
4540	mspaint.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 228	4080	Receipt.exe	84
PID 4080 wrote to memory of 228	4080	Receipt.exe	84
PID 4080 wrote to memory of 228	4080	Receipt.exe	84
PID 228 wrote to memory of 4540	228	cmd.exe	86
PID 228 wrote to memory of 4540	228	cmd.exe	86
PID 228 wrote to memory of 4540	228	cmd.exe	86
PID 4080 wrote to memory of 2180	4080	Receipt.exe	89
PID 4080 wrote to memory of 2180	4080	Receipt.exe	89
PID 4080 wrote to memory of 2180	4080	Receipt.exe	89

C:\Users\Admin\AppData\Local\Temp\Receipt.exe
"C:\Users\Admin\AppData\Local\Temp\Receipt.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4540
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rofyyxfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rofyyxfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rofyyxfk.exe

Filesize
557KB

MD5
8aa46a680dee1077ddc3c3532f257f1c

SHA1
a0dd12b6d29540516de63419f7c9968e94c1adba

SHA256
42c326b155960ea90143b31d14c48bf081d6dc6bb74ce383cace3cdfe844a403

SHA512
5a4d528e7c7783aaaae84409190cdca68a2914edb040332aa65f8662288cd4e8aba1d5afde766f415717b90123c258e0aaf1cad6bc2b8af5994c6be404a8d223

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rofyyxfk.exe

Filesize
557KB

MD5
8aa46a680dee1077ddc3c3532f257f1c

SHA1
a0dd12b6d29540516de63419f7c9968e94c1adba

SHA256
42c326b155960ea90143b31d14c48bf081d6dc6bb74ce383cace3cdfe844a403

SHA512
5a4d528e7c7783aaaae84409190cdca68a2914edb040332aa65f8662288cd4e8aba1d5afde766f415717b90123c258e0aaf1cad6bc2b8af5994c6be404a8d223

Download Submit