kutaki | 4efac9d701417e16e933738583b01d08690821a197dfd7d3b62dc20f91e97208

Analysis

max time kernel
129s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Receipt.exe
Size

2.3MB
MD5

5e8111e5a3f79e95825be8cb1b7ba3be
SHA1

4c3cb2f62dacd306cd7dfe16ea00b6249c5a8753
SHA256

a1008233dd7bb7621f533591ff1715d49c123eb1b4a6daab1bd0a357177b9a24
SHA512

403cbc55b7c71cd93ef98eca306f92ce38c294cd07f01de4447f97068b448012a66e2cf7f342bf06eba011ddedd2db2d281fb783186d5638ade3362f529cd3ad
SSDEEP

49152:BkWk5cS7a+9XYaQ3Zehc4mTYJ78V9gyBn4cifmP/SA8N:NajJEZ942KQV9hp41fmP/SA8

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 3 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012319-58.dat	family_kutaki
behavioral1/files/0x000b000000012319-59.dat	family_kutaki
behavioral1/files/0x000b000000012319-61.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
672	dziawzfk.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dziawzfk.exe	Receipt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dziawzfk.exe	Receipt.exe

Loads dropped DLL 2 IoCs

pid	Process
1324	Receipt.exe
1324	Receipt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1324	Receipt.exe
1324	Receipt.exe
1324	Receipt.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe
672	dziawzfk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1384	1324	Receipt.exe	29
PID 1324 wrote to memory of 1384	1324	Receipt.exe	29
PID 1324 wrote to memory of 1384	1324	Receipt.exe	29
PID 1324 wrote to memory of 1384	1324	Receipt.exe	29
PID 1324 wrote to memory of 672	1324	Receipt.exe	31
PID 1324 wrote to memory of 672	1324	Receipt.exe	31
PID 1324 wrote to memory of 672	1324	Receipt.exe	31
PID 1324 wrote to memory of 672	1324	Receipt.exe	31

C:\Users\Admin\AppData\Local\Temp\Receipt.exe
"C:\Users\Admin\AppData\Local\Temp\Receipt.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1384
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dziawzfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dziawzfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dziawzfk.exe

Filesize
2.3MB

MD5
5e8111e5a3f79e95825be8cb1b7ba3be

SHA1
4c3cb2f62dacd306cd7dfe16ea00b6249c5a8753

SHA256
a1008233dd7bb7621f533591ff1715d49c123eb1b4a6daab1bd0a357177b9a24

SHA512
403cbc55b7c71cd93ef98eca306f92ce38c294cd07f01de4447f97068b448012a66e2cf7f342bf06eba011ddedd2db2d281fb783186d5638ade3362f529cd3ad

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dziawzfk.exe

Filesize
2.3MB

MD5
5e8111e5a3f79e95825be8cb1b7ba3be

SHA1
4c3cb2f62dacd306cd7dfe16ea00b6249c5a8753

SHA256
a1008233dd7bb7621f533591ff1715d49c123eb1b4a6daab1bd0a357177b9a24

SHA512
403cbc55b7c71cd93ef98eca306f92ce38c294cd07f01de4447f97068b448012a66e2cf7f342bf06eba011ddedd2db2d281fb783186d5638ade3362f529cd3ad

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dziawzfk.exe

Filesize
2.3MB

MD5
5e8111e5a3f79e95825be8cb1b7ba3be

SHA1
4c3cb2f62dacd306cd7dfe16ea00b6249c5a8753

SHA256
a1008233dd7bb7621f533591ff1715d49c123eb1b4a6daab1bd0a357177b9a24

SHA512
403cbc55b7c71cd93ef98eca306f92ce38c294cd07f01de4447f97068b448012a66e2cf7f342bf06eba011ddedd2db2d281fb783186d5638ade3362f529cd3ad

Download Submit
memory/1324-56-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download