kutaki | 314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
26-02-2024 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2.exe
Size

617KB
MD5

9b719e21e56dfe22fe282fcd496d83c6
SHA1

f0229d661757258893ca0f0b9daf21ac52d71364
SHA256

314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2
SHA512

c969de50ba51747e457aed23a2f60a131e055d217c8e941ea03e0f51a2f441d4dc4f105ae78418f7be9bec326f7949ebabe174e9c50226c6ef8c59c57418750e
SSDEEP

12288:eFT8EyAFXYN1hP46A9jmP/uhu/yMS08CkntxYRmqL:uYlAFXqAfmP/UDMS08Ckn3A

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://linkwotowoto.club/new/two.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231ea-5.dat	family_kutaki

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znlwnnfk.exe	314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znlwnnfk.exe	314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2.exe

Executes dropped EXE 1 IoCs

pid	Process
5028	znlwnnfk.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3588	mspaint.exe
3588	mspaint.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2160	314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2.exe
2160	314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2.exe
2160	314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2.exe
5028	znlwnnfk.exe
5028	znlwnnfk.exe
5028	znlwnnfk.exe
3588	mspaint.exe
3588	mspaint.exe
3588	mspaint.exe
3588	mspaint.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 440	2160	314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2.exe	88
PID 2160 wrote to memory of 440	2160	314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2.exe	88
PID 2160 wrote to memory of 440	2160	314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2.exe	88
PID 2160 wrote to memory of 5028	2160	314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2.exe	90
PID 2160 wrote to memory of 5028	2160	314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2.exe	90
PID 2160 wrote to memory of 5028	2160	314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2.exe	90
PID 440 wrote to memory of 3588	440	cmd.exe	91
PID 440 wrote to memory of 3588	440	cmd.exe	91
PID 440 wrote to memory of 3588	440	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2.exe
"C:\Users\Admin\AppData\Local\Temp\314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3588
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znlwnnfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znlwnnfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znlwnnfk.exe

Filesize
617KB

MD5
9b719e21e56dfe22fe282fcd496d83c6

SHA1
f0229d661757258893ca0f0b9daf21ac52d71364

SHA256
314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2

SHA512
c969de50ba51747e457aed23a2f60a131e055d217c8e941ea03e0f51a2f441d4dc4f105ae78418f7be9bec326f7949ebabe174e9c50226c6ef8c59c57418750e

Download Submit