kutaki | hxxp://raagamayuribuilders[.]in/jastef

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31-08-2023 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://raagamayuribuilders.in/jastef

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 6 IoCs

Processes:

NEFT_Copy.batNEFT_Copy.batNEFT_Copy.bat

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doebvyfk.exe	NEFT_Copy.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doebvyfk.exe	NEFT_Copy.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doebvyfk.exe	NEFT_Copy.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doebvyfk.exe	NEFT_Copy.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doebvyfk.exe	NEFT_Copy.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doebvyfk.exe	NEFT_Copy.bat

Executes dropped EXE 3 IoCs

Processes:

doebvyfk.exedoebvyfk.exedoebvyfk.exe

pid process

3220 doebvyfk.exe
368 doebvyfk.exe
2732 doebvyfk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3220	doebvyfk.exe
368	doebvyfk.exe
2732	doebvyfk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4196 taskkill.exe
4716 taskkill.exe

pid	process
4196	taskkill.exe
4716	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133379354389962204"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

872 chrome.exe
872 chrome.exe
5020 chrome.exe
5020 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

872 chrome.exe
872 chrome.exe
872 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exetaskkill.exe

description	pid	process
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeDebugPrivilege	4196	taskkill.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe

pid	process
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

NEFT_Copy.batdoebvyfk.exeNEFT_Copy.batdoebvyfk.exeNEFT_Copy.batdoebvyfk.exe

pid	process
1288	NEFT_Copy.bat
1288	NEFT_Copy.bat
1288	NEFT_Copy.bat
3220	doebvyfk.exe
3220	doebvyfk.exe
3220	doebvyfk.exe
3568	NEFT_Copy.bat
3568	NEFT_Copy.bat
3568	NEFT_Copy.bat
368	doebvyfk.exe
368	doebvyfk.exe
368	doebvyfk.exe
4816	NEFT_Copy.bat
4816	NEFT_Copy.bat
4816	NEFT_Copy.bat
2732	doebvyfk.exe
2732	doebvyfk.exe
2732	doebvyfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 872 wrote to memory of 1004	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 1004	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 3052	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4480	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4480	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe
PID 872 wrote to memory of 4896	872	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://raagamayuribuilders.in/jastef
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff854119758,0x7ff854119768,0x7ff854119778
2⤵
PID:1004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1896,i,1026147351413649714,8547459397342868768,131072 /prefetch:8
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1896,i,1026147351413649714,8547459397342868768,131072 /prefetch:2
2⤵
PID:3052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 --field-trial-handle=1896,i,1026147351413649714,8547459397342868768,131072 /prefetch:8
2⤵
PID:4896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1896,i,1026147351413649714,8547459397342868768,131072 /prefetch:1
2⤵
PID:4100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1896,i,1026147351413649714,8547459397342868768,131072 /prefetch:1
2⤵
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4580 --field-trial-handle=1896,i,1026147351413649714,8547459397342868768,131072 /prefetch:1
2⤵
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 --field-trial-handle=1896,i,1026147351413649714,8547459397342868768,131072 /prefetch:8
2⤵
PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2868 --field-trial-handle=1896,i,1026147351413649714,8547459397342868768,131072 /prefetch:8
2⤵
PID:4136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1896,i,1026147351413649714,8547459397342868768,131072 /prefetch:8
2⤵
PID:3252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1888 --field-trial-handle=1896,i,1026147351413649714,8547459397342868768,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5020

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1612

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\Temp1_NEFT_Copy.zip\NEFT_Copy.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_NEFT_Copy.zip\NEFT_Copy.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:1288

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
2⤵
PID:2220

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doebvyfk.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doebvyfk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3220

C:\Users\Admin\AppData\Local\Temp\Temp1_NEFT_Copy.zip\NEFT_Copy.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_NEFT_Copy.zip\NEFT_Copy.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:3568

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
2⤵
PID:924

C:\Windows\SysWOW64\taskkill.exe
taskkill /im doebvyfk.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doebvyfk.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doebvyfk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:368

C:\Users\Admin\AppData\Local\Temp\Temp1_NEFT_Copy.zip\NEFT_Copy.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_NEFT_Copy.zip\NEFT_Copy.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:4816

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
2⤵
PID:3624

C:\Windows\SysWOW64\taskkill.exe
taskkill /im doebvyfk.exe /f
2⤵
- Kills process with taskkill
PID:4716

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doebvyfk.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doebvyfk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1009B

MD5
941bd264c7dac946943bdb811593fb6b

SHA1
b3fbb068bd73fd6fee9ffe724270e9eb737f9e88

SHA256
03c5737ec659734b5decae1d863daa1fafb96f0289ad81456cd7eb21436c1797

SHA512
6ad83c0c11b92c94df703d73f0109b3f9ca3bd6b9c1584c1bbb37e40c2334b541ad7fa992a4870dd0f6c58a11f1baaf7513f1be1d077d151c23fb39a94b38071

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
701B

MD5
07331166c591916a28ad34e7f6c7a7e4

SHA1
548acfc8243bdac6434cfb56f6795bc5c86a0965

SHA256
41b2ad4d82fc3939e6aa0bda889bf03217b34229367dbc604acfaf4fee017cc3

SHA512
40939b06960681e71aaaffb4b02ba159ef5d74141844da1f74678441bc1bc73e4bc4ce33dd670e9547e7dd4e025266411b2d2f5672056f240164d95e91c038db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
55202f68b8ee3b82755b1dc79b6376c3

SHA1
db74b9614292112a81a69292f250d25630c231ee

SHA256
b421766edd7e4e8c13a95a7cdeaa435adcb8764d0fb53a73e819d838dc171a87

SHA512
42f8fdd206360638d2d462d3e1bcebfaeb4ba2088ce547cac2e0e1249b4207a59c27878ee55c3f0fddae2fbee22e89bc1758dc4efeb32524d52bee48a17bc01e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
87KB

MD5
88f19bfd25f279462c2e4729f395bc4c

SHA1
2a8592f9fa2433cb00752116581d87a74c3c2cab

SHA256
b6d0d17f9ffe7c2494e8a158f9b8c06b4a951e1f405b8464c10d5d55d440b9db

SHA512
3e70eb80ea511ee51c956eb353a3a670d3fa3686c307c8fc191f8d5a9c3b9f8fef00b313b5b2bdb63d98c96b1223b2cc7fc8e5c7f2b71acfbcaa05254cc1bdf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doebvyfk.exe
Filesize
2.3MB

MD5
9c153ac25f02739019b04b0a8ce82c4b

SHA1
64136c4238d140a6fb1ec542744ff90aba5bac09

SHA256
83269040e4f510f11a327807b23dda45d98386676fc309e27b3eebd9cefa8416

SHA512
a7a9bb1eee5470bb4939d61df33c3840fe69e8503e792d474d7fa273f4c77dd42c84a8e6bdd78b3b157b7aadada401c903e46d3237fa5fcfa6f7b27c477bb4de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doebvyfk.exe
Filesize
2.3MB

MD5
9c153ac25f02739019b04b0a8ce82c4b

SHA1
64136c4238d140a6fb1ec542744ff90aba5bac09

SHA256
83269040e4f510f11a327807b23dda45d98386676fc309e27b3eebd9cefa8416

SHA512
a7a9bb1eee5470bb4939d61df33c3840fe69e8503e792d474d7fa273f4c77dd42c84a8e6bdd78b3b157b7aadada401c903e46d3237fa5fcfa6f7b27c477bb4de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doebvyfk.exe
Filesize
2.3MB

MD5
9c153ac25f02739019b04b0a8ce82c4b

SHA1
64136c4238d140a6fb1ec542744ff90aba5bac09

SHA256
83269040e4f510f11a327807b23dda45d98386676fc309e27b3eebd9cefa8416

SHA512
a7a9bb1eee5470bb4939d61df33c3840fe69e8503e792d474d7fa273f4c77dd42c84a8e6bdd78b3b157b7aadada401c903e46d3237fa5fcfa6f7b27c477bb4de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doebvyfk.exe
Filesize
2.3MB

MD5
9c153ac25f02739019b04b0a8ce82c4b

SHA1
64136c4238d140a6fb1ec542744ff90aba5bac09

SHA256
83269040e4f510f11a327807b23dda45d98386676fc309e27b3eebd9cefa8416

SHA512
a7a9bb1eee5470bb4939d61df33c3840fe69e8503e792d474d7fa273f4c77dd42c84a8e6bdd78b3b157b7aadada401c903e46d3237fa5fcfa6f7b27c477bb4de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doebvyfk.exe
Filesize
2.3MB

MD5
9c153ac25f02739019b04b0a8ce82c4b

SHA1
64136c4238d140a6fb1ec542744ff90aba5bac09

SHA256
83269040e4f510f11a327807b23dda45d98386676fc309e27b3eebd9cefa8416

SHA512
a7a9bb1eee5470bb4939d61df33c3840fe69e8503e792d474d7fa273f4c77dd42c84a8e6bdd78b3b157b7aadada401c903e46d3237fa5fcfa6f7b27c477bb4de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doebvyfk.exe
Filesize
2.3MB

MD5
9c153ac25f02739019b04b0a8ce82c4b

SHA1
64136c4238d140a6fb1ec542744ff90aba5bac09

SHA256
83269040e4f510f11a327807b23dda45d98386676fc309e27b3eebd9cefa8416

SHA512
a7a9bb1eee5470bb4939d61df33c3840fe69e8503e792d474d7fa273f4c77dd42c84a8e6bdd78b3b157b7aadada401c903e46d3237fa5fcfa6f7b27c477bb4de

Download Submit
C:\Users\Admin\Downloads\NEFT_Copy.zip.crdownload
Filesize
2.1MB

MD5
d0f2c2de0407cefe7a24c8eb22237a61

SHA1
a46ba89e46a3d04fd9c919837441625ddaa4febe

SHA256
23d3f3b9c74b6707db237bdfa797d7425f18938614051ddb633712a42e7f3c96

SHA512
c59e010a958a1f714bd064592d6b0f26619b2efc879a1b8496d6132a598aa5edddec2e6537c34b1944893926f7664a989bf8df752f8bfffeabae4d3f7fbfb3e3

Download Submit
\??\pipe\crashpad_872_ZEQUIHPOGAOTPUFN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit