Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 19-11-2021 12:57

Static task: static1
Behavioral task: behavioral1
Sample: Tax Payment Challan.exe
Resource: win7-en-20211014
General
- Target: Tax Payment Challan.exe
- Size: 592KB
- MD5: cca90533c2283834f8d53977f1dfde3b
- SHA1: 579d3991a8b5f3a71d615cbd9d64832dd88db2e1
- SHA256: 5074bfb6b468b2cd5a31acd87144e6e4a94c6073e65f506bafdb71000c16fb41
- SHA512: ad00919d2ba243c0d342e7073d4ec7e559670dd37cc6f3007046e06ef52b889bd6dbbe5e5a619d80756d8c3172eeb0dea265b08f3704e74e19b8c9d49253e4cc
Malware Config
Signatures
- Kutaki Executable (4 IoCs)
Processes:
resource | yara_rule
behavioral1/files/0x00070000000121f1-60.dat | family_kutaki
behavioral1/files/0x00070000000121f1-61.dat | family_kutaki
behavioral1/files/0x00070000000121f1-63.dat | family_kutaki
behavioral1/files/0x00070000000121f1-72.dat | family_kutaki
- Executes dropped EXE (1 IoCs)
Processes: jmvuioch.exe
pid | Process
1120 | jmvuioch.exe
- Drops startup file (2 IoCs)
Processes: Tax Payment Challan.exe
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jmvuioch.exe | Tax Payment Challan.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jmvuioch.exe | Tax Payment Challan.exe
- Loads dropped DLL (2 IoCs)
Processes: Tax Payment Challan.exe
pid | Process
1864 | Tax Payment Challan.exe
1864 | Tax Payment Challan.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies Internet Explorer settings (signature name taken from the process tree below; the heading itself did not survive extraction)
Processes: jmvuioch.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main | jmvuioch.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: DllHost.exe
pid | Process
1428 | DllHost.exe
- Suspicious use of SetWindowsHookEx (64 IoCs)
Processes: Tax Payment Challan.exe, jmvuioch.exe
pid | Process
1864 | Tax Payment Challan.exe (3 entries)
1120 | jmvuioch.exe (all remaining entries of the 64 listed)
- Suspicious use of WriteProcessMemory (8 IoCs)
Processes: Tax Payment Challan.exe
description | pid | Process | procid_target
PID 1864 wrote to memory of 856 | 1864 | Tax Payment Challan.exe | 29
PID 1864 wrote to memory of 856 | 1864 | Tax Payment Challan.exe | 29
PID 1864 wrote to memory of 856 | 1864 | Tax Payment Challan.exe | 29
PID 1864 wrote to memory of 856 | 1864 | Tax Payment Challan.exe | 29
PID 1864 wrote to memory of 1120 | 1864 | Tax Payment Challan.exe | 31
PID 1864 wrote to memory of 1120 | 1864 | Tax Payment Challan.exe | 31
PID 1864 wrote to memory of 1120 | 1864 | Tax Payment Challan.exe | 31
PID 1864 wrote to memory of 1120 | 1864 | Tax Payment Challan.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1864
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
    PID: 856
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jmvuioch.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jmvuioch.exe"
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 1120
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
  PID: 1428
Network
MITRE ATT&CK Enterprise v6
Downloads
Four downloadable artifacts are listed; all four carry the same hashes, identical to those of the submitted sample:
- MD5: cca90533c2283834f8d53977f1dfde3b
- SHA1: 579d3991a8b5f3a71d615cbd9d64832dd88db2e1
- SHA256: 5074bfb6b468b2cd5a31acd87144e6e4a94c6073e65f506bafdb71000c16fb41
- SHA512: ad00919d2ba243c0d342e7073d4ec7e559670dd37cc6f3007046e06ef52b889bd6dbbe5e5a619d80756d8c3172eeb0dea265b08f3704e74e19b8c9d49253e4cc