Resubmissions

30-11-2023 09:42

231130-lpvqbaad4s 10

30-11-2023 09:21

231130-lbg73aaa85 10

Analysis

  • max time kernel
    71s
  • max time network
    73s
  • platform
    windows10-1703_x64
  • resource
    win10-20231023-en
  • resource tags
    arch:x64, arch:x86, image:win10-20231023-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    30-11-2023 09:21

General

  • Target

    http://doctor-fateev.ru/NEFT%20RECEIPT.zip

Malware Config

Extracted

Family

kutaki

C2

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

  • Kutaki

    Information stealer and keylogger that hides inside legitimate Visual Basic applications.

  • Drops file in Windows directory 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "http://doctor-fateev.ru/NEFT%20RECEIPT.zip"
    PID:4188
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:204
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      • Modifies Internet Explorer settings
      • NTFS ADS
      PID:1628
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1840
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3500
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Drops file in Windows directory
      • Modifies registry class
      PID:3716
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Drops file in Windows directory
      • Modifies registry class
      PID:4912
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:4480
    • C:\Windows\System32\PickerHost.exe
      C:\Windows\System32\PickerHost.exe -Embedding
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3612
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\NEFT RECEIPT\" -spe -an -ai#7zMap13684:82:7zEvent14999
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4880
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      PID:2068
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\NEFT RECEIPT\NEFT RECEIPT\" -spe -an -ai#7zMap4276:108:7zEvent12624
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:4268
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\NEFT RECEIPT\NEFT RECEIPT\NEFT RECEIPT.bat"
        PID:4748

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SDCQCGG5\edgecompatviewlist[1].xml
    Filesize: 74KB
    MD5: d4fc49dc14f63895d997fa4940f24378
    SHA1: 3efb1437a7c5e46034147cbbc8db017c69d02c31
    SHA256: 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
    SHA512: cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O6KRVNG8\NEFT%20RECEIPT[1].zip
    Filesize: 2.1MB
    MD5: d259d10134ce1f45df757051b2b1accb
    SHA1: c4c4260ae42e0522fab0d5696631fcfc0a2c665a
    SHA256: 3e32fbdd6075589abb8619e1b1a95058a01d62750525dae10a89ea8112e16e0b
    SHA512: 7c2df714593559bb417b7d95dc525ea096d8e49764ffb59b26e438ab65a3f467c8868db561100df21c0ca85a0559138ee304146bb433fd2b6d101cc7c3b1c34a

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFDEDB3D16012CDAEA.TMP
    Filesize: 24KB
    MD5: d3cdb7663712ddb6ef5056c72fe69e86
    SHA1: f08bf69934fb2b9ca0aba287c96abe145a69366c
    SHA256: 3e8c2095986b262ac8fccfabda2d021fc0d3504275e83cffe1f0a333f9efbe15
    SHA512: c0acd65db7098a55dae0730eb1dcd8aa94e95a71f39dd40b087be0b06afc5d1bb310f555781853b5a78a8803dba0fb44df44bd2bb14baeca29c7c7410dffc812

  • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O6KRVNG8\NEFT%20RECEIPT[1].zip
    Filesize: 2.1MB
    MD5: d259d10134ce1f45df757051b2b1accb
    SHA1: c4c4260ae42e0522fab0d5696631fcfc0a2c665a
    SHA256: 3e32fbdd6075589abb8619e1b1a95058a01d62750525dae10a89ea8112e16e0b
    SHA512: 7c2df714593559bb417b7d95dc525ea096d8e49764ffb59b26e438ab65a3f467c8868db561100df21c0ca85a0559138ee304146bb433fd2b6d101cc7c3b1c34a

  • C:\Users\Admin\Desktop\NEFT RECEIPT.zip
    Filesize: 2.1MB
    MD5: d259d10134ce1f45df757051b2b1accb
    SHA1: c4c4260ae42e0522fab0d5696631fcfc0a2c665a
    SHA256: 3e32fbdd6075589abb8619e1b1a95058a01d62750525dae10a89ea8112e16e0b
    SHA512: 7c2df714593559bb417b7d95dc525ea096d8e49764ffb59b26e438ab65a3f467c8868db561100df21c0ca85a0559138ee304146bb433fd2b6d101cc7c3b1c34a

  • C:\Users\Admin\Desktop\NEFT RECEIPT.zip.2zzbqu1.partial
    Filesize: 2.1MB
    MD5: d259d10134ce1f45df757051b2b1accb
    SHA1: c4c4260ae42e0522fab0d5696631fcfc0a2c665a
    SHA256: 3e32fbdd6075589abb8619e1b1a95058a01d62750525dae10a89ea8112e16e0b
    SHA512: 7c2df714593559bb417b7d95dc525ea096d8e49764ffb59b26e438ab65a3f467c8868db561100df21c0ca85a0559138ee304146bb433fd2b6d101cc7c3b1c34a

  • C:\Users\Admin\Desktop\NEFT RECEIPT\NEFT RECEIPT.zip
    Filesize: 2.1MB
    MD5: 43bfb670cfff87ffdb8febd6da7513fb
    SHA1: a232eea674cda0f71751eff2a6571a8e9602d2a7
    SHA256: dec7a59afa017490684a8f597635acdbe964762612f6924bd5f2361605ada714
    SHA512: 2dd21b31186799592905f1371b32b0dad0f3363ed6af50895503fc30fffb0ef6541fff84782f1277bf2f3f658d180fda8376166f5c758d97557469005dc1aba7

  • C:\Users\Admin\Desktop\NEFT RECEIPT\NEFT RECEIPT\NEFT RECEIPT.bat
    Filesize: 2.4MB
    MD5: 5ee81a84ebf389055aa233770b09a710
    SHA1: 45fe4367dd86f888a70e0c82b899a6602596bfff
    SHA256: 0ee72014a5767e3f99297e27fb4cd66fd8cbdf8577e494e9eb6aea61d4194626
    SHA512: 9208ea252f5d899fb7337052892175241bb2fa9c4943113f6731cccabb2a36dd94a44299b2e207fa760df303b53171af309a7c00580bfa0b7f67896054eb54f8

  • memory/204-16-0x000001D6E1940000-0x000001D6E1950000-memory.dmp
    Filesize: 64KB

  • memory/204-74-0x000001D6E7C90000-0x000001D6E7C91000-memory.dmp
    Filesize: 4KB

  • memory/204-73-0x000001D6E7C80000-0x000001D6E7C81000-memory.dmp
    Filesize: 4KB

  • memory/204-35-0x000001D6E04A0000-0x000001D6E04A2000-memory.dmp
    Filesize: 8KB

  • memory/204-0-0x000001D6E1120000-0x000001D6E1130000-memory.dmp
    Filesize: 64KB

  • memory/204-131-0x000001D6E04D0000-0x000001D6E04D1000-memory.dmp
    Filesize: 4KB

  • memory/204-128-0x000001D6E04D0000-0x000001D6E04D2000-memory.dmp
    Filesize: 8KB

  • memory/204-135-0x000001D6E21F0000-0x000001D6E21F1000-memory.dmp
    Filesize: 4KB

  • memory/3716-59-0x000002A8D42E0000-0x000002A8D42E2000-memory.dmp
    Filesize: 8KB

  • memory/3716-65-0x000002A8D4430000-0x000002A8D4432000-memory.dmp
    Filesize: 8KB

  • memory/3716-63-0x000002A8D4410000-0x000002A8D4412000-memory.dmp
    Filesize: 8KB