Analysis Overview
SHA256
65357d5cab8976dd6cd93dc4a6defc6ec2f03312f60036ecc963684189b93d5f
Threat Level: Known bad
The file HDFC Payment.exe was found to be: Known bad.
Malicious Activity Summary
Kutaki
Kutaki family
Kutaki Executable
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Drops startup file
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-19 20:10
Signatures
Kutaki Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Kutaki family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-19 20:10
Reported
2024-11-19 20:12
Platform
win7-20241010-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Kutaki
Kutaki Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Kutaki family
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iywwlffk.exe | C:\Users\Admin\AppData\Local\Temp\HDFC Payment.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iywwlffk.exe | C:\Users\Admin\AppData\Local\Temp\HDFC Payment.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iywwlffk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HDFC Payment.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HDFC Payment.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HDFC Payment.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iywwlffk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iywwlffk.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iywwlffk.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iywwlffk.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HDFC Payment.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HDFC Payment.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HDFC Payment.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iywwlffk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iywwlffk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iywwlffk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\HDFC Payment.exe
"C:\Users\Admin\AppData\Local\Temp\HDFC Payment.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iywwlffk.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iywwlffk.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | helloyesohruhylove.club | udp |
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iywwlffk.exe
| MD5 | c884ae57f21fbee98f3327583a408412 |
| SHA1 | de718911e64d84670c48095febab54d4f130f3cf |
| SHA256 | 65357d5cab8976dd6cd93dc4a6defc6ec2f03312f60036ecc963684189b93d5f |
| SHA512 | aa545b01561628aacf03b2e0e131fda681707a52ce4a2e051b0d3946bf776630bc097ffc5c957fa68077b5b445540fa8c28c4aa8f5f686f1aee8f5a6e841a668 |
memory/2932-62-0x00000000005D0000-0x00000000005D2000-memory.dmp
memory/2168-63-0x0000000000130000-0x0000000000132000-memory.dmp
memory/2272-64-0x0000000004280000-0x00000000052E2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\errorPageStrings[1]
| MD5 | e3e4a98353f119b80b323302f26b78fa |
| SHA1 | 20ee35a370cdd3a8a7d04b506410300fd0a6a864 |
| SHA256 | 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66 |
| SHA512 | d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\httpErrorPagesScripts[1]
| MD5 | 3f57b781cb3ef114dd0b665151571b7b |
| SHA1 | ce6a63f996df3a1cccb81720e21204b825e0238c |
| SHA256 | 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad |
| SHA512 | 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\dnserrordiagoff[1]
| MD5 | 47f581b112d58eda23ea8b2e08cf0ff0 |
| SHA1 | 6ec1df5eaec1439573aef0fb96dabfc953305e5b |
| SHA256 | b1c947d00db5fce43314c56c663dbeae0ffa13407c9c16225c17ccefc3afa928 |
| SHA512 | 187383eef3d646091e9f68eff680a11c7947b3d9b54a78cc6de4a04629d7037e9c97673ac054a6f1cf591235c110ca181a6b69ecba0e5032168f56f4486fff92 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\NewErrorPageTemplate[2]
| MD5 | cdf81e591d9cbfb47a7f97a2bcdb70b9 |
| SHA1 | 8f12010dfaacdecad77b70a3e781c707cf328496 |
| SHA256 | 204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd |
| SHA512 | 977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-19 20:10
Reported
2024-11-19 20:12
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Kutaki
Kutaki Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Kutaki family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfsvgifk.exe | C:\Users\Admin\AppData\Local\Temp\HDFC Payment.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfsvgifk.exe | C:\Users\Admin\AppData\Local\Temp\HDFC Payment.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfsvgifk.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\SysWOW64\mspaint.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mspaint.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HDFC Payment.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfsvgifk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mspaint.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HDFC Payment.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HDFC Payment.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HDFC Payment.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfsvgifk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfsvgifk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfsvgifk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mspaint.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\HDFC Payment.exe
"C:\Users\Admin\AppData\Local\Temp\HDFC Payment.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfsvgifk.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfsvgifk.exe"
C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | helloyesohruhylove.club | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qfsvgifk.exe
| MD5 | c884ae57f21fbee98f3327583a408412 |
| SHA1 | de718911e64d84670c48095febab54d4f130f3cf |
| SHA256 | 65357d5cab8976dd6cd93dc4a6defc6ec2f03312f60036ecc963684189b93d5f |
| SHA512 | aa545b01561628aacf03b2e0e131fda681707a52ce4a2e051b0d3946bf776630bc097ffc5c957fa68077b5b445540fa8c28c4aa8f5f686f1aee8f5a6e841a668 |