kutaki | hxxp://revolutionforsuccess[.]com/images/icon/bqiw

Analysis

max time kernel
600s
max time network
602s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2023 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://revolutionforsuccess.com/images/icon/bqiw

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viyjwgfk.exe	LICK_Credit_Return.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viyjwgfk.exe	LICK_Credit_Return.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viyjwgfk.exe	LICK_Credit_Return.cmd
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viyjwgfk.exe	LICK_Credit_Return.cmd

Executes dropped EXE 4 IoCs

pid	Process
1440	LICK_Credit_Return.cmd
4720	viyjwgfk.exe
2656	LICK_Credit_Return.cmd
3852	viyjwgfk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4104	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133288605976231522"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4984	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1796	chrome.exe
1796	chrome.exe
2820	chrome.exe
2820	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeRestorePrivilege	1252	7zG.exe
Token: 35	1252	7zG.exe
Token: SeSecurityPrivilege	1252	7zG.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeSecurityPrivilege	1252	7zG.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1252	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1440	LICK_Credit_Return.cmd
1440	LICK_Credit_Return.cmd
1440	LICK_Credit_Return.cmd
4720	viyjwgfk.exe
4720	viyjwgfk.exe
4720	viyjwgfk.exe
2656	LICK_Credit_Return.cmd
2656	LICK_Credit_Return.cmd
2656	LICK_Credit_Return.cmd
3852	viyjwgfk.exe
3852	viyjwgfk.exe
3852	viyjwgfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 1068	1796	chrome.exe	83
PID 1796 wrote to memory of 1068	1796	chrome.exe	83
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1084	1796	chrome.exe	85
PID 1796 wrote to memory of 1404	1796	chrome.exe	86
PID 1796 wrote to memory of 1404	1796	chrome.exe	86
PID 1796 wrote to memory of 232	1796	chrome.exe	87
PID 1796 wrote to memory of 232	1796	chrome.exe	87
PID 1796 wrote to memory of 232	1796	chrome.exe	87
PID 1796 wrote to memory of 232	1796	chrome.exe	87
PID 1796 wrote to memory of 232	1796	chrome.exe	87
PID 1796 wrote to memory of 232	1796	chrome.exe	87
PID 1796 wrote to memory of 232	1796	chrome.exe	87
PID 1796 wrote to memory of 232	1796	chrome.exe	87
PID 1796 wrote to memory of 232	1796	chrome.exe	87
PID 1796 wrote to memory of 232	1796	chrome.exe	87
PID 1796 wrote to memory of 232	1796	chrome.exe	87
PID 1796 wrote to memory of 232	1796	chrome.exe	87
PID 1796 wrote to memory of 232	1796	chrome.exe	87
PID 1796 wrote to memory of 232	1796	chrome.exe	87
PID 1796 wrote to memory of 232	1796	chrome.exe	87
PID 1796 wrote to memory of 232	1796	chrome.exe	87
PID 1796 wrote to memory of 232	1796	chrome.exe	87
PID 1796 wrote to memory of 232	1796	chrome.exe	87
PID 1796 wrote to memory of 232	1796	chrome.exe	87
PID 1796 wrote to memory of 232	1796	chrome.exe	87
PID 1796 wrote to memory of 232	1796	chrome.exe	87
PID 1796 wrote to memory of 232	1796	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://revolutionforsuccess.com/images/icon/bqiw
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b60f9758,0x7ff9b60f9768,0x7ff9b60f9778
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1860,i,309688578481121434,15257028683101652917,131072 /prefetch:2
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1860,i,309688578481121434,15257028683101652917,131072 /prefetch:8
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1860,i,309688578481121434,15257028683101652917,131072 /prefetch:8
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1860,i,309688578481121434,15257028683101652917,131072 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1860,i,309688578481121434,15257028683101652917,131072 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4472 --field-trial-handle=1860,i,309688578481121434,15257028683101652917,131072 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4884 --field-trial-handle=1860,i,309688578481121434,15257028683101652917,131072 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1860,i,309688578481121434,15257028683101652917,131072 /prefetch:8
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1860,i,309688578481121434,15257028683101652917,131072 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 --field-trial-handle=1860,i,309688578481121434,15257028683101652917,131072 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=920 --field-trial-handle=1860,i,309688578481121434,15257028683101652917,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1616 --field-trial-handle=1860,i,309688578481121434,15257028683101652917,131072 /prefetch:1
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4948 --field-trial-handle=1860,i,309688578481121434,15257028683101652917,131072 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4984 --field-trial-handle=1860,i,309688578481121434,15257028683101652917,131072 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5556 --field-trial-handle=1860,i,309688578481121434,15257028683101652917,131072 /prefetch:8
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5564 --field-trial-handle=1860,i,309688578481121434,15257028683101652917,131072 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5884 --field-trial-handle=1860,i,309688578481121434,15257028683101652917,131072 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5408 --field-trial-handle=1860,i,309688578481121434,15257028683101652917,131072 /prefetch:1
  2⤵
  PID:4012

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3168

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:820

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\LICK_Credit_Return\" -ad -an -ai#7zMap5499:98:7zEvent27372
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1252

C:\Users\Admin\Downloads\LICK_Credit_Return\LICK_Credit_Return.cmd
"C:\Users\Admin\Downloads\LICK_Credit_Return\LICK_Credit_Return.cmd"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1400
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viyjwgfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viyjwgfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4720

C:\Users\Admin\Downloads\LICK_Credit_Return\LICK_Credit_Return.cmd
"C:\Users\Admin\Downloads\LICK_Credit_Return\LICK_Credit_Return.cmd"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:4616
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im viyjwgfk.exe /f
  2⤵
  - Kills process with taskkill
  PID:4104
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viyjwgfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viyjwgfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3852

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\LICK_Credit_Return\LICK_Credit_Return.cmd
1⤵
- Opens file in notepad (likely ransom note)
PID:4984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
305KB

MD5
10f1f7bffc84c96bb3bc2d7c46fa01ab

SHA1
e99917f40711a06d89990f73f1ab85e3bda9b6e1

SHA256
76cf87063aa1afdd338433c7c422cad566fa67b29abc9043ce50add97370e6ab

SHA512
f5aab549ed7ab792c0278e48babd1a52ab401708862190334ed0c2c030a67ffafe9c34bcd61aec81faf3f1ab055ee377b8dbaf2f5970249afbad3d96ca8d6d77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
65KB

MD5
6db490d36265f6da50900e9e6a0a5b1a

SHA1
e9a61e89711b63bd168cf251326109282e5157ae

SHA256
5639c061f3cd6a5c090d25afa87def4d93243d0438197e3ed658ead615c1c82f

SHA512
a2c3a83aee5bdca9192fc6dc232d0ced3103577a911f3332bb00ec1ad545901eedd3f348d1229a2d4504c4f5a771d49ea77e4882a66d8e1c1f4836d0aa478815

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
37KB

MD5
519005befdbc6eedc73862996b59a9f7

SHA1
e9bad4dc75c55f583747dbc4abd80a95d5796528

SHA256
603abe3532b1cc1eb1c3da44f3679804dd463d07d4430d55c630aba986b17c44

SHA512
b210b12a78c6134d66b14f46f924ebc95328c10f92bfed22a361b2554eca21ee7892f7d9718ae7415074d753026682903beba2bd40b35a4eeb60bf186dcdf589

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
75KB

MD5
8bd9200786eaebfc9b28d1e06c976992

SHA1
fbf90b15f6301ed50269679e237ac230104b289c

SHA256
e7e884570cf3ce19e46e88d881bd59351ce8927a1ab9e9a423c42086892bd5e5

SHA512
40a7662f12aebe1dc6a6b79d0dc65109da003bdccf81225d8c4156a555ca7f2aa3d46940ae6a6f44c36de5d46931ecd68b8603a760e152b741911cca3cc308e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
b346761fe04e400bc1b2f41b4e22683d

SHA1
8d0aedb19e68a4cb562cd4ccf0e490d80acf4074

SHA256
de48bd0ab439992e73783effb1d99b56bbd1e5c48bf708723cdbc245a37743e8

SHA512
7e4d607073c827c7693c8c48786bacf8c55d224bc2c306891778da583e031f7b16f399b958775ee8b727f4aef95d4987cba12abe6c488ba5f4fd8f7499f1ab0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d2e24f80b05cf01544deb53db74c0b57

SHA1
efdb7da5dddc341ccde29bf5f9ceedb03dac351e

SHA256
b637a4a4e39e75f84ab41b5a7a12ca1930c063f3c461b7518909b3af96b7db04

SHA512
c843f28f69f105ab4740d3a7d774a06f3de1afda23c9d88c93e0d96a2446f50c12a7448ea4b7364e2719345670879f889d47d347a7a5927939126b2cd95f005c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
53938b90e1fc7df1af2ac3110af1a0d4

SHA1
8240b43b6ee39620ffc6baa6b54f1e18cc6d06e8

SHA256
f19f0e621bd38ad34bbab8d0e82130fa79e2979b28c1410454cb16d2ac5cc0e1

SHA512
66c8657e38222c62ce687935ce866145923ca6d0c9d4c69a9f33d30c92cb059539e412a64cc996fa8a50ddc9f49de844538e59fed5cf55f825b0e2e055ce03e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
b2aa1113b25da9e377fbe11e2e2c83a7

SHA1
5f85558ffa392b7d458f28f865d2e618365d5c67

SHA256
809b82d6e9b3d5f625daba9d73ab3c37d62cb7022c03857054fbf79e5a0f96eb

SHA512
67d9fd7e0a5b3db1be3dbe883fbde610b1545d53cfba6ee1877c6cbbe5db1630afa048e8c99bf49110742d7209b74f7a37baba4afd79eda12b0bb5bc54d678e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
5417dbfd35188314797628e987ce8a07

SHA1
37087cc2309c9b8469251305b4f9c51ecfe505eb

SHA256
15665a16bda286787efbf9f000f26d85f9d9228e4134ad9c7ab5d935bf5c5c8b

SHA512
5a99d112049eb69a57164343f24d49d4521822adfa9d7409d89f8a9cbb679523991d68f5f67f735f12a514bdf0df19a6aff74ccefb767eee7d1d3d2c634a30ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
3bbfb51394856f15843317c26d66cdbc

SHA1
ab38a93acfe6caed137a77de856ad5c4a698cbbe

SHA256
538aaee8a1af5b897de3db563d65d4ae46d2e61fbf0639b654159588c6e3a159

SHA512
d5c27537d3a586e7b4b413bbbcf6db8609732d2d71956b977fbf7683d5271ee684317c1daae53f399b079b5b246250d3bbdf107f1ddb0608cdf5d975c0d1c2b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8f92223726fbe730d35568754cd62836

SHA1
c44d011a74e8ce07b8c310b1512f891c3385e210

SHA256
d4d948fb02507a73e4da95dd9dc98b632685daafd8643140a6eb94feb6c8fcca

SHA512
34b2d06c1a69056931b261f3fdd18b8345060364840c78549658c18dc449bbee4f5f23f64727868275f63c7a63a758e16d2bbc894e3e881926168bf8b745a3c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2f68c2258a222c8a6ba08193d3cc4a89

SHA1
d615bf7f16174749a954af45de19e7015d409f57

SHA256
963a37209a2333d03ae6315954c7e69e989b2d34d446d5f08cf9113ff726dc71

SHA512
bf4afead4b71ef08e0cb0fb439bfc2b18171438b7a83bd117f9d11b97e3148adde220649a3ec2dbc0aa3e1b69caa6f734c3245740bf9ebe134a1bb99f33f2b17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cb9f69d538f2ac6ff3d6f965a3844fd0

SHA1
5d6fc1801ebc173856c70e59927be8342a198d78

SHA256
1c9f945c10b2df72673cec5d17e17e74418519c3d14ea3d76e7afc76de949425

SHA512
34f194708ac593538332bd7e0a486478f978df3a40ff47d1595e355332c05f8fa8f50471cf82bebbc60d8894db6fdbb6a7ab91e22c7535a5c1b60df77e260272

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
66a37cfd28eee089b0f6a112aed05bde

SHA1
7f45e3b44a665b1a96f03995ebbd4d89415d0946

SHA256
5c0be311cf3342578645616601cc76c42b2d131ef033a04e46ee5f4c164a2c8f

SHA512
14683d209ebcb0cea550b6a72d42c74910b50791897b7aac038cbbcc8966ea497772b35354fc975459e98b1605d950c4632cd91adefb9bafc21311baca137780

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
95cad292427a5f57c67d44150bd5239d

SHA1
cacdd9aa8a1ca19854fe817c55fde239ca38d334

SHA256
6a37dd6486228d4cdde83728fa5d3972dc0aa1d9aaa9e10dabe85f5730d64365

SHA512
6d7a41bf35a3b8d32210d47ef9930fb2593179b5dcabdf29954541d96b2c37baf6ddcaaa42cb78566614770b5cc3aefa5cfbabf7c2ee708c65ca44a48e491498

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5b86c0.TMP

Filesize
120B

MD5
f3395a7bcd4f7c09d0744d95bf645409

SHA1
b1f29659136f97699eec92adf22e3c81395d2aa8

SHA256
65d07e587f9b9a75e6ed8bd5be5cee7ccbafaabb25381f6c9c44c4926ff1ba4c

SHA512
cab7019b731114c1557460dd0861fb646f29a7d3a1bafc5a30a280f2e32c54bc991a125cf18a46bb1244f3ca2ec0477f2990ff8530585d4fd405d25019fa9287

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
1c079fbf11b8f7b886f8fd45a02d3b7e

SHA1
130d590711a0c41f588979f383148746cfe558d6

SHA256
e81fba96e82144b51f7a59543d8c421ff2d5aaee65b5579e4bd1ef8223f702a6

SHA512
d42a2d06eeaf046f7dfeaa4ad5e702534c6fe03957a2f44fbbaf6dc6b2e2416240890c2c0f80af9c4c3d301343cff3a9fa2100106a64ce7a5efba651e142b9a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
746a09d5b102c010122b9ecfaffae85f

SHA1
c7a738a077ba4f666934e99fc4f33e041c393c5e

SHA256
86fb158b13c74f0dd00ffb35ae25ce16d3fe0b84d6f3fee422514f1799bb272f

SHA512
c175499ebe0b04b169f05b9c7e4180420b7b29a07f3f38ef8592a23cc801693ce357a5876175ae266e9b591986e709c92e9a616bfcac3bfe5793601f04753ab7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viyjwgfk.exe

Filesize
2.4MB

MD5
3f810c13d21fa903e0e9c9daf93f7a8b

SHA1
17a27b25bbe260ee45b50a181d2c04030238a1a9

SHA256
f9d30714fb0e87894da5d0a690375eb17b66652b0aacd24ba336bb166f9e5efe

SHA512
a031e87037ff964c6612f24eb785515926ddd8b23fa58e313df4ae94a023a60849d92d2f97976c2bc0542f52f15e9eb63fefdddc0d90aa487be36667b45a6e3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viyjwgfk.exe

Filesize
2.4MB

MD5
3f810c13d21fa903e0e9c9daf93f7a8b

SHA1
17a27b25bbe260ee45b50a181d2c04030238a1a9

SHA256
f9d30714fb0e87894da5d0a690375eb17b66652b0aacd24ba336bb166f9e5efe

SHA512
a031e87037ff964c6612f24eb785515926ddd8b23fa58e313df4ae94a023a60849d92d2f97976c2bc0542f52f15e9eb63fefdddc0d90aa487be36667b45a6e3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viyjwgfk.exe

Filesize
2.4MB

MD5
3f810c13d21fa903e0e9c9daf93f7a8b

SHA1
17a27b25bbe260ee45b50a181d2c04030238a1a9

SHA256
f9d30714fb0e87894da5d0a690375eb17b66652b0aacd24ba336bb166f9e5efe

SHA512
a031e87037ff964c6612f24eb785515926ddd8b23fa58e313df4ae94a023a60849d92d2f97976c2bc0542f52f15e9eb63fefdddc0d90aa487be36667b45a6e3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viyjwgfk.exe

Filesize
2.4MB

MD5
3f810c13d21fa903e0e9c9daf93f7a8b

SHA1
17a27b25bbe260ee45b50a181d2c04030238a1a9

SHA256
f9d30714fb0e87894da5d0a690375eb17b66652b0aacd24ba336bb166f9e5efe

SHA512
a031e87037ff964c6612f24eb785515926ddd8b23fa58e313df4ae94a023a60849d92d2f97976c2bc0542f52f15e9eb63fefdddc0d90aa487be36667b45a6e3a

Download Submit
C:\Users\Admin\Downloads\LICK_Credit_Return.zip

Filesize
2.1MB

MD5
4261b42e1eaffa7607790a3a5d4ea192

SHA1
df3806181de61412307a8aea4804614628740915

SHA256
36a28f5eebc2c87b065ba1ff1ded73b25a4f8e0f55aaff21179baac6cd15c4d8

SHA512
6319d71b281d0a9239d3081ef0b83a3e18c82256077d723d63e86ed25fceedb441b6fab5d0c50afc88811be594eeaaaf8f399294f7d0796be50268745b1464a2

Download Submit
C:\Users\Admin\Downloads\LICK_Credit_Return.zip.crdownload

Filesize
2.1MB

MD5
4261b42e1eaffa7607790a3a5d4ea192

SHA1
df3806181de61412307a8aea4804614628740915

SHA256
36a28f5eebc2c87b065ba1ff1ded73b25a4f8e0f55aaff21179baac6cd15c4d8

SHA512
6319d71b281d0a9239d3081ef0b83a3e18c82256077d723d63e86ed25fceedb441b6fab5d0c50afc88811be594eeaaaf8f399294f7d0796be50268745b1464a2

Download Submit
C:\Users\Admin\Downloads\LICK_Credit_Return\LICK_Credit_Return.cmd

Filesize
2.4MB

MD5
3f810c13d21fa903e0e9c9daf93f7a8b

SHA1
17a27b25bbe260ee45b50a181d2c04030238a1a9

SHA256
f9d30714fb0e87894da5d0a690375eb17b66652b0aacd24ba336bb166f9e5efe

SHA512
a031e87037ff964c6612f24eb785515926ddd8b23fa58e313df4ae94a023a60849d92d2f97976c2bc0542f52f15e9eb63fefdddc0d90aa487be36667b45a6e3a

Download Submit
C:\Users\Admin\Downloads\LICK_Credit_Return\LICK_Credit_Return.cmd

Filesize
2.4MB

MD5
3f810c13d21fa903e0e9c9daf93f7a8b

SHA1
17a27b25bbe260ee45b50a181d2c04030238a1a9

SHA256
f9d30714fb0e87894da5d0a690375eb17b66652b0aacd24ba336bb166f9e5efe

SHA512
a031e87037ff964c6612f24eb785515926ddd8b23fa58e313df4ae94a023a60849d92d2f97976c2bc0542f52f15e9eb63fefdddc0d90aa487be36667b45a6e3a

Download Submit
C:\Users\Admin\Downloads\LICK_Credit_Return\LICK_Credit_Return.cmd

Filesize
2.4MB

MD5
3f810c13d21fa903e0e9c9daf93f7a8b

SHA1
17a27b25bbe260ee45b50a181d2c04030238a1a9

SHA256
f9d30714fb0e87894da5d0a690375eb17b66652b0aacd24ba336bb166f9e5efe

SHA512
a031e87037ff964c6612f24eb785515926ddd8b23fa58e313df4ae94a023a60849d92d2f97976c2bc0542f52f15e9eb63fefdddc0d90aa487be36667b45a6e3a

Download Submit