kutaki | 91b554f66c4b9cf1d09d6ec7b5ad10b735fa0aa0bcc7bc91fc96b82c2e481b41

Analysis

max time kernel
63s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-06-2023 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tax Payment Challan.exe
Size

650KB
MD5

f236ef2812755f787b852acd19655592
SHA1

5a3678b093a0dddf8bdd47be635a7c4bba97725b
SHA256

6cc89c4ee5308a2c40874f02f8f636bf77133c0b1bc59df8e806fda5e509424a
SHA512

61e5f17cc2463b1c57385c4925a82b6fb5c7ea4898e29d45c20d3953ec7059dba466038881b70a2a0f29dee936107aced84939d695718d129a8b87dffa802174
SSDEEP

12288:16UaeOpx41/ai46A9jmP/uhu/yMS08CkntxYRAAL:ALezaNfmP/UDMS08Ckn3K

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://linkwotowoto.club/new/two.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 4 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000b00000001232e-58.dat	family_kutaki
behavioral1/files/0x000b00000001232e-60.dat	family_kutaki
behavioral1/files/0x000b00000001232e-62.dat	family_kutaki
behavioral1/files/0x000b00000001232e-64.dat	family_kutaki

Drops startup file 2 IoCs

Processes:

Tax Payment Challan.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wokunkfk.exe	Tax Payment Challan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wokunkfk.exe	Tax Payment Challan.exe

Executes dropped EXE 1 IoCs

Processes:

wokunkfk.exe

pid	Process
648	wokunkfk.exe

Loads dropped DLL 2 IoCs

Processes:

Tax Payment Challan.exe

pid	Process
1468	Tax Payment Challan.exe
1468	Tax Payment Challan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid	Process
924	DllHost.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

Tax Payment Challan.exewokunkfk.exe

pid	Process
1468	Tax Payment Challan.exe
1468	Tax Payment Challan.exe
1468	Tax Payment Challan.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe
648	wokunkfk.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Tax Payment Challan.exe

description	pid	Process	procid_target
PID 1468 wrote to memory of 1304	1468	Tax Payment Challan.exe	28
PID 1468 wrote to memory of 1304	1468	Tax Payment Challan.exe	28
PID 1468 wrote to memory of 1304	1468	Tax Payment Challan.exe	28
PID 1468 wrote to memory of 1304	1468	Tax Payment Challan.exe	28
PID 1468 wrote to memory of 648	1468	Tax Payment Challan.exe	30
PID 1468 wrote to memory of 648	1468	Tax Payment Challan.exe	30
PID 1468 wrote to memory of 648	1468	Tax Payment Challan.exe	30
PID 1468 wrote to memory of 648	1468	Tax Payment Challan.exe	30

C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe
"C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
  2⤵
  PID:1304
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wokunkfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wokunkfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:648

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wokunkfk.exe

Filesize
650KB

MD5
f236ef2812755f787b852acd19655592

SHA1
5a3678b093a0dddf8bdd47be635a7c4bba97725b

SHA256
6cc89c4ee5308a2c40874f02f8f636bf77133c0b1bc59df8e806fda5e509424a

SHA512
61e5f17cc2463b1c57385c4925a82b6fb5c7ea4898e29d45c20d3953ec7059dba466038881b70a2a0f29dee936107aced84939d695718d129a8b87dffa802174

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wokunkfk.exe

Filesize
650KB

MD5
f236ef2812755f787b852acd19655592

SHA1
5a3678b093a0dddf8bdd47be635a7c4bba97725b

SHA256
6cc89c4ee5308a2c40874f02f8f636bf77133c0b1bc59df8e806fda5e509424a

SHA512
61e5f17cc2463b1c57385c4925a82b6fb5c7ea4898e29d45c20d3953ec7059dba466038881b70a2a0f29dee936107aced84939d695718d129a8b87dffa802174

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wokunkfk.exe

Filesize
650KB

MD5
f236ef2812755f787b852acd19655592

SHA1
5a3678b093a0dddf8bdd47be635a7c4bba97725b

SHA256
6cc89c4ee5308a2c40874f02f8f636bf77133c0b1bc59df8e806fda5e509424a

SHA512
61e5f17cc2463b1c57385c4925a82b6fb5c7ea4898e29d45c20d3953ec7059dba466038881b70a2a0f29dee936107aced84939d695718d129a8b87dffa802174

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wokunkfk.exe

Filesize
650KB

MD5
f236ef2812755f787b852acd19655592

SHA1
5a3678b093a0dddf8bdd47be635a7c4bba97725b

SHA256
6cc89c4ee5308a2c40874f02f8f636bf77133c0b1bc59df8e806fda5e509424a

SHA512
61e5f17cc2463b1c57385c4925a82b6fb5c7ea4898e29d45c20d3953ec7059dba466038881b70a2a0f29dee936107aced84939d695718d129a8b87dffa802174

Download Submit
memory/924-117-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/924-118-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/924-119-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1304-116-0x0000000002010000-0x0000000002012000-memory.dmp

Filesize
8KB

Download