Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

TSD.exe

windows7-x64

10

TSD.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    05/06/2023, 10:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TSD.exe

  • Size

    649KB

  • MD5

    2574234ccd8503284e9d4d910e39e132

  • SHA1

    aa7943ef2c8979d4daf653b056649a5dff0718c0

  • SHA256

    8be47965011a00d57e60ab3b16c89fabb9cfc3b4e9330044853711fa4166617c

  • SHA512

    e9ac30e44040e375f1394a2b8ab8a8c113b1e94119d328e2730e85c1b5a2bf3ac731f91dc68eca4cae8722109b04193f228fc0433e40bc57fadc6fc78ecdcbe7

  • SSDEEP

    12288:B6UaeOpx41/an46A9jmP/uhu/yMS08CkntxYRML:kLeza4fmP/UDMS08Ckn3z

Score
10/10
kutakikeyloggerstealer

Malware Config

Extracted

Family

kutaki

C2

http://linkwotowoto.club/new/two.php

Signatures

  • Kutaki

    Information stealer and keylogger that hides inside legitimate Visual Basic applications.

    stealerkeyloggerkutaki
  • Kutaki Executable 4 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TSD.exe
    "C:\Users\Admin\AppData\Local\Temp\TSD.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapimage.bmp
      2⤵
        PID:1428
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\puonqefk.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\puonqefk.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:760
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:1580

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\puonqefk.exe
      Filesize

      649KB

      MD5

      2574234ccd8503284e9d4d910e39e132

      SHA1

      aa7943ef2c8979d4daf653b056649a5dff0718c0

      SHA256

      8be47965011a00d57e60ab3b16c89fabb9cfc3b4e9330044853711fa4166617c

      SHA512

      e9ac30e44040e375f1394a2b8ab8a8c113b1e94119d328e2730e85c1b5a2bf3ac731f91dc68eca4cae8722109b04193f228fc0433e40bc57fadc6fc78ecdcbe7

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\puonqefk.exe
      Filesize

      649KB

      MD5

      2574234ccd8503284e9d4d910e39e132

      SHA1

      aa7943ef2c8979d4daf653b056649a5dff0718c0

      SHA256

      8be47965011a00d57e60ab3b16c89fabb9cfc3b4e9330044853711fa4166617c

      SHA512

      e9ac30e44040e375f1394a2b8ab8a8c113b1e94119d328e2730e85c1b5a2bf3ac731f91dc68eca4cae8722109b04193f228fc0433e40bc57fadc6fc78ecdcbe7

      Download Submit

    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\puonqefk.exe
      Filesize

      649KB

      MD5

      2574234ccd8503284e9d4d910e39e132

      SHA1

      aa7943ef2c8979d4daf653b056649a5dff0718c0

      SHA256

      8be47965011a00d57e60ab3b16c89fabb9cfc3b4e9330044853711fa4166617c

      SHA512

      e9ac30e44040e375f1394a2b8ab8a8c113b1e94119d328e2730e85c1b5a2bf3ac731f91dc68eca4cae8722109b04193f228fc0433e40bc57fadc6fc78ecdcbe7

      Download Submit

    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\puonqefk.exe
      Filesize

      649KB

      MD5

      2574234ccd8503284e9d4d910e39e132

      SHA1

      aa7943ef2c8979d4daf653b056649a5dff0718c0

      SHA256

      8be47965011a00d57e60ab3b16c89fabb9cfc3b4e9330044853711fa4166617c

      SHA512

      e9ac30e44040e375f1394a2b8ab8a8c113b1e94119d328e2730e85c1b5a2bf3ac731f91dc68eca4cae8722109b04193f228fc0433e40bc57fadc6fc78ecdcbe7

      Download Submit

    • memory/760-98-0x0000000003200000-0x0000000003CBA000-memory.dmp

      Filesize

      10.7MB

      Download

    • memory/1428-117-0x0000000000420000-0x0000000000422000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1580-118-0x00000000001A0000-0x00000000001A2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1580-119-0x0000000000280000-0x0000000000281000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1580-120-0x0000000000280000-0x0000000000281000-memory.dmp

      Filesize

      4KB

      Download