kutaki | 20388de158b5abaa0ae68b849318ed2132a87e0526ba07ebd163dd176f76f136

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2023, 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TSD.exe
Size

649KB
MD5

2574234ccd8503284e9d4d910e39e132
SHA1

aa7943ef2c8979d4daf653b056649a5dff0718c0
SHA256

8be47965011a00d57e60ab3b16c89fabb9cfc3b4e9330044853711fa4166617c
SHA512

e9ac30e44040e375f1394a2b8ab8a8c113b1e94119d328e2730e85c1b5a2bf3ac731f91dc68eca4cae8722109b04193f228fc0433e40bc57fadc6fc78ecdcbe7
SSDEEP

12288:B6UaeOpx41/an46A9jmP/uhu/yMS08CkntxYRML:kLeza4fmP/UDMS08Ckn3z

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://linkwotowoto.club/new/two.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000600000002314a-138.dat	family_kutaki
behavioral2/files/0x000600000002314a-139.dat	family_kutaki

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkogkifk.exe	TSD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkogkifk.exe	TSD.exe

Executes dropped EXE 1 IoCs

pid	Process
4184	bkogkifk.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3912	mspaint.exe
3912	mspaint.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
5088	TSD.exe
5088	TSD.exe
5088	TSD.exe
4184	bkogkifk.exe
4184	bkogkifk.exe
4184	bkogkifk.exe
3912	mspaint.exe
3912	mspaint.exe
3912	mspaint.exe
3912	mspaint.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 2356	5088	TSD.exe	81
PID 5088 wrote to memory of 2356	5088	TSD.exe	81
PID 5088 wrote to memory of 2356	5088	TSD.exe	81
PID 5088 wrote to memory of 4184	5088	TSD.exe	83
PID 5088 wrote to memory of 4184	5088	TSD.exe	83
PID 5088 wrote to memory of 4184	5088	TSD.exe	83
PID 2356 wrote to memory of 3912	2356	cmd.exe	84
PID 2356 wrote to memory of 3912	2356	cmd.exe	84
PID 2356 wrote to memory of 3912	2356	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\TSD.exe
"C:\Users\Admin\AppData\Local\Temp\TSD.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapimage.bmp
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapimage.bmp"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3912
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkogkifk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkogkifk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkogkifk.exe

Filesize
649KB

MD5
2574234ccd8503284e9d4d910e39e132

SHA1
aa7943ef2c8979d4daf653b056649a5dff0718c0

SHA256
8be47965011a00d57e60ab3b16c89fabb9cfc3b4e9330044853711fa4166617c

SHA512
e9ac30e44040e375f1394a2b8ab8a8c113b1e94119d328e2730e85c1b5a2bf3ac731f91dc68eca4cae8722109b04193f228fc0433e40bc57fadc6fc78ecdcbe7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkogkifk.exe

Filesize
649KB

MD5
2574234ccd8503284e9d4d910e39e132

SHA1
aa7943ef2c8979d4daf653b056649a5dff0718c0

SHA256
8be47965011a00d57e60ab3b16c89fabb9cfc3b4e9330044853711fa4166617c

SHA512
e9ac30e44040e375f1394a2b8ab8a8c113b1e94119d328e2730e85c1b5a2bf3ac731f91dc68eca4cae8722109b04193f228fc0433e40bc57fadc6fc78ecdcbe7

Download Submit