kutaki | 052e54df0b86483f84bbff6504e202c36e7bc25885e369e830dd7086fb7c7562

Analysis

max time kernel
600s
max time network
455s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
20-12-2023 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe
Size

815KB
MD5

706368098593b234bde3727366651281
SHA1

81a56cd69bf00ec1fd79543423c59d5ce16c1a45
SHA256

41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5
SHA512

b1ba031351ec99df11f511ede7257ee4aa9b43472532d1d3e6ff36101b7f489a11fa356421759d08a83f663877b09029f15ccce25501e51e489429a1f0aece60
SSDEEP

24576:em8RI+emRlQIjDlzzTlQ8LmcEd40X0zjnXU9PR1t7drlSpnHuGE5:bzghxO

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biyorpch.exe	family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biyorpch.exe	family_kutaki

Drops startup file 2 IoCs

Processes:

41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biyorpch.exe	41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biyorpch.exe	41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe

Executes dropped EXE 1 IoCs

Processes:

biyorpch.exe

pid process

2496 biyorpch.exe

pid	process
2496	biyorpch.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

biyorpch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	biyorpch.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	biyorpch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exebiyorpch.exe

pid	process
2692	41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe
2692	41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe
2692	41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe
2496	biyorpch.exe
2496	biyorpch.exe
2496	biyorpch.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe

description	pid	process	target process
PID 2692 wrote to memory of 248	2692	41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe	cmd.exe
PID 2692 wrote to memory of 248	2692	41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe	cmd.exe
PID 2692 wrote to memory of 248	2692	41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe	cmd.exe
PID 2692 wrote to memory of 2496	2692	41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe	biyorpch.exe
PID 2692 wrote to memory of 2496	2692	41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe	biyorpch.exe
PID 2692 wrote to memory of 2496	2692	41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe	biyorpch.exe

C:\Users\Admin\AppData\Local\Temp\41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe
"C:\Users\Admin\AppData\Local\Temp\41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:248
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biyorpch.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biyorpch.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious use of SetWindowsHookEx
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biyorpch.exe

Filesize
562KB

MD5
0e299e6aece469a2c6632a7f85d9fae5

SHA1
c2f16d8a75e6e13cb0ed57b66d5ebc0c5a190b28

SHA256
7195a5cba81a019e1b1b0f069015ce899bb80f0cc93ff48b48389502930c5a75

SHA512
96ec69fb04b885b0ae053414c44ca39671f2e363c74028bb95b4cccb380494c07f8e39eca2e7f79f2e4d6f5623b96b8c056480555ae945c586e1af76064314d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biyorpch.exe

Filesize
632KB

MD5
55102b8289474a99a4690407515ae38a

SHA1
ba36ded2bbda34bae82a9c1afe95d8d4478f1f94

SHA256
ec866c14412b036c8e915db7e3767cc17d11d67bafcaf03eeb1f0c867cd83569

SHA512
f528abb11e6f375deb853378086878569d1d58dc12734316a3e49a3bc24fec524756c55f7040411dd8678237ab7d55dc9c1b911095009455095f55507da9ab33

Download Submit