Analysis

max time kernel: 124s
max time network: 121s
platform: windows10_x64
resource: win10-en-20211104
submitted: 19-11-2021 12:57

Static task: static1
Behavioral task: behavioral1
Sample: Tax Payment Challan.exe
Resource: win7-en-20211014
General

Target: Tax Payment Challan.exe
Size: 592KB
MD5: cca90533c2283834f8d53977f1dfde3b
SHA1: 579d3991a8b5f3a71d615cbd9d64832dd88db2e1
SHA256: 5074bfb6b468b2cd5a31acd87144e6e4a94c6073e65f506bafdb71000c16fb41
SHA512: ad00919d2ba243c0d342e7073d4ec7e559670dd37cc6f3007046e06ef52b889bd6dbbe5e5a619d80756d8c3172eeb0dea265b08f3704e74e19b8c9d49253e4cc
Malware Config
Signatures

Kutaki Executable (2 IoCs)
  resource                                        yara_rule
  behavioral2/files/0x000500000001abb5-123.dat    family_kutaki
  behavioral2/files/0x000500000001abb5-124.dat    family_kutaki

Executes dropped EXE (1 IoC)
  pid     Process
  1332    gegxwach.exe

Drops startup file (2 IoCs)
  description                   ioc                                                                                    Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gegxwach.exe    Tax Payment Challan.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gegxwach.exe    Tax Payment Challan.exe

Drops file in Windows directory (1 IoC)
  description                   ioc                                   Process
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log     mspaint.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  description    ioc                                                                                   Process
  Key created    \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings    cmd.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid     Process
  2540    mspaint.exe
  2540    mspaint.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
  pid     Process
  2388    Tax Payment Challan.exe
  2388    Tax Payment Challan.exe
  2388    Tax Payment Challan.exe
  2540    mspaint.exe
  2540    mspaint.exe
  2540    mspaint.exe
  2540    mspaint.exe
  1332    gegxwach.exe
  1332    gegxwach.exe
  1332    gegxwach.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                          pid     Process                    procid_target
  PID 2388 wrote to memory of 980      2388    Tax Payment Challan.exe    69
  PID 2388 wrote to memory of 980      2388    Tax Payment Challan.exe    69
  PID 2388 wrote to memory of 980      2388    Tax Payment Challan.exe    69
  PID 980 wrote to memory of 2540      980     cmd.exe                    71
  PID 980 wrote to memory of 2540      980     cmd.exe                    71
  PID 980 wrote to memory of 2540      980     cmd.exe                    71
  PID 2388 wrote to memory of 1332     2388    Tax Payment Challan.exe    75
  PID 2388 wrote to memory of 1332     2388    Tax Payment Challan.exe    75
  PID 2388 wrote to memory of 1332     2388    Tax Payment Challan.exe    75
Processes

C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe"
  PID: 2388
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
      PID: 980
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\mspaint.exe
          Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
          PID: 2540
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gegxwach.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gegxwach.exe"
      PID: 1332
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
  PID: 1512
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: cca90533c2283834f8d53977f1dfde3b
SHA1: 579d3991a8b5f3a71d615cbd9d64832dd88db2e1
SHA256: 5074bfb6b468b2cd5a31acd87144e6e4a94c6073e65f506bafdb71000c16fb41
SHA512: ad00919d2ba243c0d342e7073d4ec7e559670dd37cc6f3007046e06ef52b889bd6dbbe5e5a619d80756d8c3172eeb0dea265b08f3704e74e19b8c9d49253e4cc