Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
-
submitted
26-02-2024 15:59
General
-
Target
Tax Payment Challan.exe
-
Size
617KB
-
MD5
9b719e21e56dfe22fe282fcd496d83c6
-
SHA1
f0229d661757258893ca0f0b9daf21ac52d71364
-
SHA256
314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2
-
SHA512
c969de50ba51747e457aed23a2f60a131e055d217c8e941ea03e0f51a2f441d4dc4f105ae78418f7be9bec326f7949ebabe174e9c50226c6ef8c59c57418750e
-
SSDEEP
12288:eFT8EyAFXYN1hP46A9jmP/uhu/yMS08CkntxYRmqL:uYlAFXqAfmP/UDMS08Ckn3A
Malware Config
Extracted
kutaki
http://linkwotowoto.club/new/two.php
Signatures
-
Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
-
Kutaki Executable 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe"C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe"1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jsaekxfk.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jsaekxfk.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jsaekxfk.exeFilesize
617KB
MD59b719e21e56dfe22fe282fcd496d83c6
SHA1f0229d661757258893ca0f0b9daf21ac52d71364
SHA256314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2
SHA512c969de50ba51747e457aed23a2f60a131e055d217c8e941ea03e0f51a2f441d4dc4f105ae78418f7be9bec326f7949ebabe174e9c50226c6ef8c59c57418750e