Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 01-12-2021 06:25

Static task: static1
Behavioral task: behavioral1
- Sample: Tax Pyament Challan.exe
- Resource: win7-en-20211104
General
- Target: Tax Pyament Challan.exe
- Size: 460KB
- MD5: bcd53d5e0cf0449701730264d03659cc
- SHA1: 3f8e7e422106b9e3a8b0569c8f879c52a5196bde
- SHA256: 2da69ffa0187b1b7155fe5083fea59857159ba31aa3757e7f26df834770119a4
- SHA512: 4ad0adc78bcf6556298455a125f6c61d0d6175bd1f9297d6dd50b4dbedfc89dc51e0ecfa220b96b4150859259e428a763bc71369b809afda4587670f41e78ada
Malware Config
Signatures
- Kutaki Executable (4 IoCs)
Processes:
resource | yara_rule
behavioral1/files/0x00070000000121f6-60.dat | family_kutaki
behavioral1/files/0x00070000000121f6-63.dat | family_kutaki
behavioral1/files/0x00070000000121f6-61.dat | family_kutaki
behavioral1/files/0x00070000000121f6-73.dat | family_kutaki
- Executes dropped EXE (1 IoCs)
Processes:
pid | Process
1160 | gnbudsch.exe
- Drops startup file (2 IoCs)
Processes:
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gnbudsch.exe | Tax Pyament Challan.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gnbudsch.exe | Tax Pyament Challan.exe
- Loads dropped DLL (2 IoCs)
Processes:
pid | Process
1136 | Tax Pyament Challan.exe
1136 | Tax Pyament Challan.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
Processes:
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main | gnbudsch.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
pid | Process
1284 | DllHost.exe
- Suspicious use of SetWindowsHookEx (64 IoCs)
Processes:
pid | Process
1136 | Tax Pyament Challan.exe (3 entries)
1160 | gnbudsch.exe (repeated for the remaining entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | Process | procid_target
PID 1136 wrote to memory of 824 | 1136 | Tax Pyament Challan.exe | 29 (4 entries)
PID 1136 wrote to memory of 1160 | 1136 | Tax Pyament Challan.exe | 31 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Tax Pyament Challan.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Tax Pyament Challan.exe"
  PID: 1136
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
    PID: 824
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gnbudsch.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gnbudsch.exe"
    PID: 1160
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 1284
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: bcd53d5e0cf0449701730264d03659cc
  SHA1: 3f8e7e422106b9e3a8b0569c8f879c52a5196bde
  SHA256: 2da69ffa0187b1b7155fe5083fea59857159ba31aa3757e7f26df834770119a4
  SHA512: 4ad0adc78bcf6556298455a125f6c61d0d6175bd1f9297d6dd50b4dbedfc89dc51e0ecfa220b96b4150859259e428a763bc71369b809afda4587670f41e78ada