kutaki | hxxp://smartechinfosystems[.]in/images/assh

Analysis

max time kernel
1199s
max time network
1145s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2023 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://smartechinfosystems.in/images/assh

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 2 IoCs

Processes:

Payment_Copy.bat

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jbukdgfk.exe	Payment_Copy.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jbukdgfk.exe	Payment_Copy.bat

Executes dropped EXE 1 IoCs

Processes:

jbukdgfk.exe

pid process

4388 jbukdgfk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4388	jbukdgfk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133382469631917939"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000_Classes\Local Settings chrome.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4080 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

2868 chrome.exe
2868 chrome.exe
1736 chrome.exe
1736 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2868 chrome.exe
2868 chrome.exe
2868 chrome.exe
2868 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000_Classes\Local Settings	chrome.exe

pid	process
4080	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

chrome.exe

pid	process
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Payment_Copy.batjbukdgfk.exe

pid process

1596 Payment_Copy.bat
1596 Payment_Copy.bat
1596 Payment_Copy.bat
4388 jbukdgfk.exe
4388 jbukdgfk.exe
4388 jbukdgfk.exe

pid	process
1596	Payment_Copy.bat
1596	Payment_Copy.bat
1596	Payment_Copy.bat
4388	jbukdgfk.exe
4388	jbukdgfk.exe
4388	jbukdgfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2868 wrote to memory of 1892	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 1892	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 2508	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4288	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4288	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe
PID 2868 wrote to memory of 4984	2868	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://smartechinfosystems.in/images/assh
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffebe19758,0x7fffebe19768,0x7fffebe19778
2⤵
PID:1892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1252,i,16594298675376191297,11880723781703391999,131072 /prefetch:2
2⤵
PID:2508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1252,i,16594298675376191297,11880723781703391999,131072 /prefetch:8
2⤵
PID:4288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1252,i,16594298675376191297,11880723781703391999,131072 /prefetch:8
2⤵
PID:4984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2744 --field-trial-handle=1252,i,16594298675376191297,11880723781703391999,131072 /prefetch:1
2⤵
PID:4644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2736 --field-trial-handle=1252,i,16594298675376191297,11880723781703391999,131072 /prefetch:1
2⤵
PID:4604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4528 --field-trial-handle=1252,i,16594298675376191297,11880723781703391999,131072 /prefetch:1
2⤵
PID:2248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=1252,i,16594298675376191297,11880723781703391999,131072 /prefetch:8
2⤵
PID:1636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 --field-trial-handle=1252,i,16594298675376191297,11880723781703391999,131072 /prefetch:8
2⤵
PID:3484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 --field-trial-handle=1252,i,16594298675376191297,11880723781703391999,131072 /prefetch:8
2⤵
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=884 --field-trial-handle=1252,i,16594298675376191297,11880723781703391999,131072 /prefetch:8
2⤵
PID:4052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=748 --field-trial-handle=1252,i,16594298675376191297,11880723781703391999,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4992 --field-trial-handle=1252,i,16594298675376191297,11880723781703391999,131072 /prefetch:1
2⤵
PID:2492

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1140

C:\Users\Admin\Downloads\Payment_Copy\Payment_Copy\Payment_Copy.bat
"C:\Users\Admin\Downloads\Payment_Copy\Payment_Copy\Payment_Copy.bat"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
2⤵
PID:1176

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jbukdgfk.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jbukdgfk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4388

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Payment_Copy\Payment_Copy\Payment_Copy.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:4080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:3512

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\127e5d92-8008-43f5-b684-2251e6b6df11.tmp
Filesize
110KB

MD5
a4831655d57f198bcedcc3145e715167

SHA1
fa6010154c64590aed6415744c77ceef0be72bd5

SHA256
84231753e3bc72ac3d91f3e43941258a61924d9469772d6b08a31d2d40cff2b1

SHA512
0c7705fb4558f65c99c2dce7200a72805146405a6dbece82c511191c528761b11dce63eb1b39a0589efa9c1a7072f0c36f0bd63d59babd3b1a916e6c522fb2fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
1e5c2aa8e361e8d8c0511e6f5d76a446

SHA1
14eedaea1b90008f1818e517b2b308c1e3ebf44e

SHA256
c8e1d967712a9c1719811f7fd18be0b77aef9e48a1e2dd952056e981c1f7ebb5

SHA512
2c2f2ceae861aae635ca61ea806558f27d8204307ed81677c035cdeca74a720e85331a4db808362e38c5806dcd9b87de7d26f71b63e8566258bf4f89f07ff3d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
d77a55f4cf27bf1f1e05697a8c910660

SHA1
3901c84f8fc07640760f9858826a176195e0fd2a

SHA256
8dd60c6443fa7aa8f30252445f43a89a5832ac65faf6b1ff58b0a7ef867f3bbe

SHA512
85b5eea2d2970b079c31fbecd6d8fbf3b57ff1054dedf58c2e1f60c7f8a70d7874b9fe53f5c3c91a58b5112c3d6056c251db203a37e8e4906513558e923bc20a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
97KB

MD5
9bcaf9caa957702d579a47c741338b12

SHA1
e00fefa2cd3e0fdbac7c64f6d4c1967021cafe98

SHA256
aa49378e28e6bef24fdefd1900efdfa3d9b60dee910d0bf52ede5016cefe4f01

SHA512
5d3c150c8e813fb106af435917228caba28007c40e4d50e13e3465086e3ad790aa44f599c2c04d8bde89fb9633041d96cee6ef03eabd01cc7a65fb2944127f7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
97KB

MD5
18a3170136ffb5ac0a0be39baf15a06a

SHA1
c9cf93325a49df05e77511813622a910d6b86b5c

SHA256
737926a96211a5372ba6a9969d5484710b32cb3c59f86e1f28b1f0ab3af623dc

SHA512
e43c567d740142c727fdd8feb04d250604ae731c2a97df4898c68ef15b19fff3e0176c264068978b62d8bb40c0f3571fbd351f424f2ad459df023137559f38ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5980ee.TMP
Filesize
106KB

MD5
26ac24136f579bc0458ac5901b1cdc94

SHA1
9c8b65d942c6d5bd137bf3a390aff798cd6b8721

SHA256
1eff891d3fee4aec502747babefe6f645fa5b6f9f7202c9030f5d89d92b3c067

SHA512
e489e361085d35862900d566409cc7b207d1bd8f94259340c106ec702a9f2b95341855fa536cc8f239247493b9eb68819cbac186643c69c21669d161fa6ca01a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jbukdgfk.exe
Filesize
2.3MB

MD5
c591b0acc0df2406355e774f173e815d

SHA1
c6a7d9c4bedf6fee2c142ac5d192c72ff2f2e0af

SHA256
1cd39cb40659f2a2fc0c379cdc87c2150fa3f7421d7760930677d6e9ba6c9dda

SHA512
f11f9df649f9d4cafdb750d8276f555773e26c657183d34b27bb284522b017e207b67950ab4f282a2f0e859b416183623db937abc028f429161de8fd10c646e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jbukdgfk.exe
Filesize
2.3MB

MD5
c591b0acc0df2406355e774f173e815d

SHA1
c6a7d9c4bedf6fee2c142ac5d192c72ff2f2e0af

SHA256
1cd39cb40659f2a2fc0c379cdc87c2150fa3f7421d7760930677d6e9ba6c9dda

SHA512
f11f9df649f9d4cafdb750d8276f555773e26c657183d34b27bb284522b017e207b67950ab4f282a2f0e859b416183623db937abc028f429161de8fd10c646e2

Download Submit
C:\Users\Admin\Downloads\Payment_Copy.zip.crdownload
Filesize
2.1MB

MD5
4f75fcc3c86996544f0f83fef7aa3337

SHA1
1d70114e29de616e943bb5e9be66fefa2905c8fa

SHA256
8ce13d0e37be82bdefcc6f8ab5433bb335ebd9f2e3632d5cf6c339474cde197e

SHA512
ef07c893da64c9c270f582dc38f6803554a104adfb163418a5f09b394dc1d282ce5cae4f5c4099574a4bf487dc95c828f5688f7cbda3d22daf810316c5ed0f44

Download Submit