kutaki | 682572888b60da06809d5f5dbce53b9a1bfede2d7a2deae9039e3020d68b1a73

General

Target

682572888b60da06809d5f5dbce53b9a1bfede2d7a2deae9039e3020d68b1a73.exe
Size

465KB
MD5

ae6e96376af9418752b9c2c9e9e1debf
SHA1

bbb067145926697c07e80a0308106112b1189039
SHA256

682572888b60da06809d5f5dbce53b9a1bfede2d7a2deae9039e3020d68b1a73
SHA512

4164d0c607636d6ba462d9556c7841cb77131e693c6a0af15cb062222052e099bfcc44f941f9fd5f1e19f585ca9b85d2e4f25b994f2b1415deb48782d64971b7
SSDEEP

12288:IVl4yCL6f6f0xB81IWa46A9jmP/uhu/yMS08CkntxYRYL:a7k3fmP/UDMS08Ckn3X

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

C2

http://newlinkwotolove.club/love/three.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\navqidfk.exe	family_kutaki

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation cmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 2 IoCs

Processes:

682572888b60da06809d5f5dbce53b9a1bfede2d7a2deae9039e3020d68b1a73.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\navqidfk.exe	682572888b60da06809d5f5dbce53b9a1bfede2d7a2deae9039e3020d68b1a73.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\navqidfk.exe	682572888b60da06809d5f5dbce53b9a1bfede2d7a2deae9039e3020d68b1a73.exe

Executes dropped EXE 1 IoCs

Processes:

navqidfk.exe

pid process

1396 navqidfk.exe
Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings cmd.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mspaint.exe

pid process

3500 mspaint.exe
3500 mspaint.exe

pid	process
1396	navqidfk.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	cmd.exe

pid	process
3500	mspaint.exe
3500	mspaint.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

682572888b60da06809d5f5dbce53b9a1bfede2d7a2deae9039e3020d68b1a73.exenavqidfk.exemspaint.exe

pid	process
116	682572888b60da06809d5f5dbce53b9a1bfede2d7a2deae9039e3020d68b1a73.exe
116	682572888b60da06809d5f5dbce53b9a1bfede2d7a2deae9039e3020d68b1a73.exe
116	682572888b60da06809d5f5dbce53b9a1bfede2d7a2deae9039e3020d68b1a73.exe
1396	navqidfk.exe
1396	navqidfk.exe
1396	navqidfk.exe
3500	mspaint.exe
3500	mspaint.exe
3500	mspaint.exe
3500	mspaint.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

682572888b60da06809d5f5dbce53b9a1bfede2d7a2deae9039e3020d68b1a73.execmd.exe

description	pid	process	target process
PID 116 wrote to memory of 4688	116	682572888b60da06809d5f5dbce53b9a1bfede2d7a2deae9039e3020d68b1a73.exe	cmd.exe
PID 116 wrote to memory of 4688	116	682572888b60da06809d5f5dbce53b9a1bfede2d7a2deae9039e3020d68b1a73.exe	cmd.exe
PID 116 wrote to memory of 4688	116	682572888b60da06809d5f5dbce53b9a1bfede2d7a2deae9039e3020d68b1a73.exe	cmd.exe
PID 116 wrote to memory of 1396	116	682572888b60da06809d5f5dbce53b9a1bfede2d7a2deae9039e3020d68b1a73.exe	navqidfk.exe
PID 116 wrote to memory of 1396	116	682572888b60da06809d5f5dbce53b9a1bfede2d7a2deae9039e3020d68b1a73.exe	navqidfk.exe
PID 116 wrote to memory of 1396	116	682572888b60da06809d5f5dbce53b9a1bfede2d7a2deae9039e3020d68b1a73.exe	navqidfk.exe
PID 4688 wrote to memory of 3500	4688	cmd.exe	mspaint.exe
PID 4688 wrote to memory of 3500	4688	cmd.exe	mspaint.exe
PID 4688 wrote to memory of 3500	4688	cmd.exe	mspaint.exe

C:\Users\Admin\AppData\Local\Temp\682572888b60da06809d5f5dbce53b9a1bfede2d7a2deae9039e3020d68b1a73.exe
"C:\Users\Admin\AppData\Local\Temp\682572888b60da06809d5f5dbce53b9a1bfede2d7a2deae9039e3020d68b1a73.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:116

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3500

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\navqidfk.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\navqidfk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4148,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8
1⤵
PID:3632

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\navqidfk.exe
Filesize
465KB

MD5
ae6e96376af9418752b9c2c9e9e1debf

SHA1
bbb067145926697c07e80a0308106112b1189039

SHA256
682572888b60da06809d5f5dbce53b9a1bfede2d7a2deae9039e3020d68b1a73

SHA512
4164d0c607636d6ba462d9556c7841cb77131e693c6a0af15cb062222052e099bfcc44f941f9fd5f1e19f585ca9b85d2e4f25b994f2b1415deb48782d64971b7

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads