kutaki | hxxps://ucb97db0771cc6db92965a2d607a[.]dl[.]dropboxusercontent[.]com/cd/0/get/CDQciDmPCyFi69LYz5ZBKaG_sy3MRbRP3zn0TgDfVH01UBlplye7eXHQu_lMfUMT_7csbTvVs2Yl18AZQ8CPirCbdaISl13atqhBvV3w7tBlH3-ppY3ZGOuxnsIZ9TAr7_Ie-AYWXlaI6AbcuSjJE8oV/file?dl=1#

Analysis

max time kernel
600s
max time network
489s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2023 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ucb97db0771cc6db92965a2d607a.dl.dropboxusercontent.com/cd/0/get/CDQciDmPCyFi69LYz5ZBKaG_sy3MRbRP3zn0TgDfVH01UBlplye7eXHQu_lMfUMT_7csbTvVs2Yl18AZQ8CPirCbdaISl13atqhBvV3w7tBlH3-ppY3ZGOuxnsIZ9TAr7_Ie-AYWXlaI6AbcuSjJE8oV/file?dl=1#

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 4 IoCs

Processes:

HDFC_Copy.batHDFC_Copy.bat

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dvgzjmfk.exe	HDFC_Copy.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dvgzjmfk.exe	HDFC_Copy.bat
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dvgzjmfk.exe	HDFC_Copy.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dvgzjmfk.exe	HDFC_Copy.bat

Executes dropped EXE 4 IoCs

Processes:

HDFC_Copy.batdvgzjmfk.exeHDFC_Copy.batdvgzjmfk.exe

pid process

392 HDFC_Copy.bat
4444 dvgzjmfk.exe
1544 HDFC_Copy.bat
1852 dvgzjmfk.exe

Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{95F1ED1F-16D8-4896-9F21-71AA838D0FAB}.catalogItem	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3040 taskkill.exe

pid	process
3040	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133385542819631733"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings chrome.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3724 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1124 chrome.exe
1124 chrome.exe
2896 chrome.exe
2896 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1124 chrome.exe
1124 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings	chrome.exe

pid	process
3724	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe
Token: SeShutdownPrivilege	1124	chrome.exe
Token: SeCreatePagefilePrivilege	1124	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

chrome.exe7zG.exe

pid	process
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
4180	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

HDFC_Copy.batdvgzjmfk.exeHDFC_Copy.batdvgzjmfk.exe

pid	process
392	HDFC_Copy.bat
392	HDFC_Copy.bat
392	HDFC_Copy.bat
4444	dvgzjmfk.exe
4444	dvgzjmfk.exe
4444	dvgzjmfk.exe
1544	HDFC_Copy.bat
1544	HDFC_Copy.bat
1544	HDFC_Copy.bat
1852	dvgzjmfk.exe
1852	dvgzjmfk.exe
1852	dvgzjmfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1124 wrote to memory of 532	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 532	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3008	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 2464	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 2464	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe
PID 1124 wrote to memory of 3280	1124	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ucb97db0771cc6db92965a2d607a.dl.dropboxusercontent.com/cd/0/get/CDQciDmPCyFi69LYz5ZBKaG_sy3MRbRP3zn0TgDfVH01UBlplye7eXHQu_lMfUMT_7csbTvVs2Yl18AZQ8CPirCbdaISl13atqhBvV3w7tBlH3-ppY3ZGOuxnsIZ9TAr7_Ie-AYWXlaI6AbcuSjJE8oV/file?dl=1#
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c33e9758,0x7ff9c33e9768,0x7ff9c33e9778
2⤵
PID:532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1888,i,2947820866724767002,3437633607959950024,131072 /prefetch:2
2⤵
PID:3008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1888,i,2947820866724767002,3437633607959950024,131072 /prefetch:8
2⤵
PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1888,i,2947820866724767002,3437633607959950024,131072 /prefetch:8
2⤵
PID:3280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1888,i,2947820866724767002,3437633607959950024,131072 /prefetch:1
2⤵
PID:1280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1888,i,2947820866724767002,3437633607959950024,131072 /prefetch:1
2⤵
PID:3172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1888,i,2947820866724767002,3437633607959950024,131072 /prefetch:8
2⤵
PID:3516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 --field-trial-handle=1888,i,2947820866724767002,3437633607959950024,131072 /prefetch:8
2⤵
PID:4324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 --field-trial-handle=1888,i,2947820866724767002,3437633607959950024,131072 /prefetch:8
2⤵
PID:2468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2808 --field-trial-handle=1888,i,2947820866724767002,3437633607959950024,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:1012

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4700

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4936

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap2868:80:7zEvent2325
1⤵
- Suspicious use of FindShellTrayWindow
PID:4180

C:\Users\Admin\Downloads\HDFC_Copy.bat
"C:\Users\Admin\Downloads\HDFC_Copy.bat"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:392

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
2⤵
PID:3772

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dvgzjmfk.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dvgzjmfk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4444

C:\Users\Admin\Downloads\HDFC_Copy.bat
"C:\Users\Admin\Downloads\HDFC_Copy.bat"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
2⤵
PID:1028

C:\Windows\SysWOW64\taskkill.exe
taskkill /im dvgzjmfk.exe /f
2⤵
- Kills process with taskkill
PID:3040

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dvgzjmfk.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dvgzjmfk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1852

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\HDFC_Copy.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
88e37dff805fb2d445b86f5c9fec690f

SHA1
be36b9e2b2efdda0efd79533da4bac227c037e06

SHA256
456f36e770b480ecba2b1cfe4d09fe0121cd6f552d2c78621fbbba3f9a349e91

SHA512
a28d8024efc2fd66b058187f7108811b12ba39ba996139191f8a3d8776f2fa85f55a5ce4dd0f75b04b3f9acc7011ac35959bedd4a785aa3150cf2709ed6947b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
07b049de601397829cb0eaf49cd283a5

SHA1
66ecea50c36501c91ab7e20aa99450b85734dd75

SHA256
ead2c19edae04c745b3435cd5ef13777a2be21b0b11772263cc2ac7d88795fdc

SHA512
019298cf122b6293fa4b8fc77ecc8ed3f28020c6ebb4052853f1cd1b7676886264cd9cd4526022e06152c26b90f0e234eddea93426e7734bb923ae16ef13d8ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
46ec0c09b6db99683385f0e1d65fca28

SHA1
056427ac6f6cf108ab1e711d63a4ed6fd24ce061

SHA256
5cb283b1edb68ea60a7c976533f5736ff6b4bd255eac55644cd4f6ccd3b6c46d

SHA512
afc8ab26e492146e7d337722246f8207549b542ed82d996e311b44dcff888e2081c9fdbd86fdd9932da43752fa5e797a06d06ebfbe225d6df3bbf9f1e2322e26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
538B

MD5
1a1cd2fb324e0b895508f1a731a2dcbb

SHA1
830c3d93c6a599c42ad8bc2d3cd833520b808461

SHA256
c04ed514f9149966d4583c9fd0aa2c01616ec8103269c55e1b9958beb562452d

SHA512
a4c3dc886d71ebd1d6754e25cfd6ca86855e6d2121f36e1fc82d34a38287a90a5809f8820f76e068fb8ec66b0bde0a5d912af58738ae0dbe18ea574f8a54e174

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
d16e0f7c333dd48feee0f1000e143a12

SHA1
2fdc5840ce987831796038206d63bd2109444c53

SHA256
745198108da1b2a8572f9887dbed92e55296da10dd1e092c865424a0fee9fd19

SHA512
01e9a999864fee420f05d2b4042983b42318e9db6d98ebc5a595f41d32940eec5a21cdcb411ec171dd70c7d7bc5afa94603e97cccf4601172f99356f378d0189

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
f9c773617dfd9c003d8a8c520e3c172e

SHA1
b067a853ce93d65c6b3f5efd7317cb4170734380

SHA256
6ff06d9f4ed589e26ece406b0c129099e1808d6c635f0333b4594adc43b32e75

SHA512
23158b1adcfc7be5fc0d6e6ed7fbcf8672047bd83c24fd64e48b9e8aa37df4b2460dbe2754434f78faef844908a18a910674bc251748153299bd56f975915994

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
a5425827215dcd0254f6bf703e0223d2

SHA1
c2cf934a6e945880e020f20cefe2073e267d4509

SHA256
75f2598efb0856a9e20fbf83f2c0a8d320fdf1bb941a5b5cf6699b5848b652ef

SHA512
18277b93fd1614abf1b95f0985a6c25e48645c25a10c2f6b3b94ff5869ade8d29eb92d0b3dbf74b400e16aa5abfaa1cb04e314598bc82e001471fd2660d32be1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
97KB

MD5
d8ac3a5589f7c28a3449e6180d28f4ac

SHA1
342b6257148764c4a770f1c27482f86dea407562

SHA256
fdb21e8d96cc0d7d46dcd98d1fcbdc0c46ae5556960b9b06ffb4d50f595960ef

SHA512
2b2a92862cb8b09b60257841bc12c08e5940fc2c4d0f53a10142f57d579eee2a867f52f7b8a2914d98da11f1c2f943bf4cf610201e30c52cc5d5654fa8398dd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dvgzjmfk.exe
Filesize
2.3MB

MD5
f69fee063def953ac8279c64841fee0b

SHA1
45d70ccdda374b1a88cb8f9bbef7e427a4fb8e77

SHA256
a9cd25eed4623fa4aff1724d5cfe10d8f289028d9e52251fe5ea0278773eb67b

SHA512
42144d3b3bd8245c85bebfd258f03b33a29ae53584d66d94f6c90c3967a38a49a81743df8c3284cff83fed736c0183f1d59a34cec6b3bf0bdb42fb053b2f2354

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dvgzjmfk.exe
Filesize
2.3MB

MD5
f69fee063def953ac8279c64841fee0b

SHA1
45d70ccdda374b1a88cb8f9bbef7e427a4fb8e77

SHA256
a9cd25eed4623fa4aff1724d5cfe10d8f289028d9e52251fe5ea0278773eb67b

SHA512
42144d3b3bd8245c85bebfd258f03b33a29ae53584d66d94f6c90c3967a38a49a81743df8c3284cff83fed736c0183f1d59a34cec6b3bf0bdb42fb053b2f2354

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dvgzjmfk.exe
Filesize
2.3MB

MD5
f69fee063def953ac8279c64841fee0b

SHA1
45d70ccdda374b1a88cb8f9bbef7e427a4fb8e77

SHA256
a9cd25eed4623fa4aff1724d5cfe10d8f289028d9e52251fe5ea0278773eb67b

SHA512
42144d3b3bd8245c85bebfd258f03b33a29ae53584d66d94f6c90c3967a38a49a81743df8c3284cff83fed736c0183f1d59a34cec6b3bf0bdb42fb053b2f2354

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dvgzjmfk.exe
Filesize
2.3MB

MD5
f69fee063def953ac8279c64841fee0b

SHA1
45d70ccdda374b1a88cb8f9bbef7e427a4fb8e77

SHA256
a9cd25eed4623fa4aff1724d5cfe10d8f289028d9e52251fe5ea0278773eb67b

SHA512
42144d3b3bd8245c85bebfd258f03b33a29ae53584d66d94f6c90c3967a38a49a81743df8c3284cff83fed736c0183f1d59a34cec6b3bf0bdb42fb053b2f2354

Download Submit
C:\Users\Admin\Downloads\HDFC_Copy.bat
Filesize
2.3MB

MD5
f69fee063def953ac8279c64841fee0b

SHA1
45d70ccdda374b1a88cb8f9bbef7e427a4fb8e77

SHA256
a9cd25eed4623fa4aff1724d5cfe10d8f289028d9e52251fe5ea0278773eb67b

SHA512
42144d3b3bd8245c85bebfd258f03b33a29ae53584d66d94f6c90c3967a38a49a81743df8c3284cff83fed736c0183f1d59a34cec6b3bf0bdb42fb053b2f2354

Download Submit
C:\Users\Admin\Downloads\HDFC_Copy.bat
Filesize
2.3MB

MD5
f69fee063def953ac8279c64841fee0b

SHA1
45d70ccdda374b1a88cb8f9bbef7e427a4fb8e77

SHA256
a9cd25eed4623fa4aff1724d5cfe10d8f289028d9e52251fe5ea0278773eb67b

SHA512
42144d3b3bd8245c85bebfd258f03b33a29ae53584d66d94f6c90c3967a38a49a81743df8c3284cff83fed736c0183f1d59a34cec6b3bf0bdb42fb053b2f2354

Download Submit
C:\Users\Admin\Downloads\HDFC_Copy.bat
Filesize
2.3MB

MD5
f69fee063def953ac8279c64841fee0b

SHA1
45d70ccdda374b1a88cb8f9bbef7e427a4fb8e77

SHA256
a9cd25eed4623fa4aff1724d5cfe10d8f289028d9e52251fe5ea0278773eb67b

SHA512
42144d3b3bd8245c85bebfd258f03b33a29ae53584d66d94f6c90c3967a38a49a81743df8c3284cff83fed736c0183f1d59a34cec6b3bf0bdb42fb053b2f2354

Download Submit
C:\Users\Admin\Downloads\HDFC_Copy.zip
Filesize
2.1MB

MD5
d815f131ec754c4e872358a0fc8f175a

SHA1
3d8298dda7cee2d318926cdce1f153bb704c26e4

SHA256
8077016cb0e6290e1132887f46763062fead26b3b8ad1ae845511d0e65670181

SHA512
e27db2e829597af7b3d9786e754902b98b0914ee8c93cbe3709a781ffe8410d22e1b5ebddbadca1581c3edacc3f36bb130f5cfb8041cdd88fa110441212c4df4

Download Submit
\??\pipe\crashpad_1124_CWLESNCVWPFMFRNG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit