Analysis
- max time kernel: 126s
- max time network: 122s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 01-12-2021 06:25
- Static task: static1
- Behavioral task: behavioral1
- Sample: Tax Pyament Challan.exe
- Resource: win7-en-20211104
General
- Target: Tax Pyament Challan.exe
- Size: 460KB
- MD5: bcd53d5e0cf0449701730264d03659cc
- SHA1: 3f8e7e422106b9e3a8b0569c8f879c52a5196bde
- SHA256: 2da69ffa0187b1b7155fe5083fea59857159ba31aa3757e7f26df834770119a4
- SHA512: 4ad0adc78bcf6556298455a125f6c61d0d6175bd1f9297d6dd50b4dbedfc89dc51e0ecfa220b96b4150859259e428a763bc71369b809afda4587670f41e78ada
Malware Config
Signatures
- Kutaki Executable (2 IoCs)
  resource / yara_rule:
    behavioral2/files/0x000600000001abd5-123.dat / family_kutaki
    behavioral2/files/0x000600000001abd5-124.dat / family_kutaki
- Executes dropped EXE (1 IoC)
  pid / Process:
    2808 / dupdojch.exe
- Drops startup file (2 IoCs)
  description / ioc / Process:
    File opened for modification / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dupdojch.exe / Tax Pyament Challan.exe
    File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dupdojch.exe / Tax Pyament Challan.exe
- Drops file in Windows directory (1 IoC)
  description / ioc / Process:
    File opened for modification / C:\Windows\Debug\WIA\wiatrace.log / mspaint.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  description / ioc / Process:
    Key created / \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings / cmd.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / Process:
    1104 / mspaint.exe (2 entries)
- Suspicious use of SetWindowsHookEx (10 IoCs)
  pid / Process:
    2932 / Tax Pyament Challan.exe (3 entries)
    1104 / mspaint.exe (2 entries)
    2808 / dupdojch.exe (3 entries)
    1104 / mspaint.exe (2 entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description / pid / Process / procid_target:
    PID 2932 wrote to memory of 3340 / 2932 / Tax Pyament Challan.exe / 69 (3 entries)
    PID 3340 wrote to memory of 1104 / 3340 / cmd.exe / 71 (3 entries)
    PID 2932 wrote to memory of 2808 / 2932 / Tax Pyament Challan.exe / 75 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Tax Pyament Challan.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Tax Pyament Challan.exe"
  PID: 2932
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
    PID: 3340
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mspaint.exe
      Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
      PID: 1104
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dupdojch.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dupdojch.exe"
    PID: 2808
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
  PID: 524
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: bcd53d5e0cf0449701730264d03659cc
  SHA1: 3f8e7e422106b9e3a8b0569c8f879c52a5196bde
  SHA256: 2da69ffa0187b1b7155fe5083fea59857159ba31aa3757e7f26df834770119a4
  SHA512: 4ad0adc78bcf6556298455a125f6c61d0d6175bd1f9297d6dd50b4dbedfc89dc51e0ecfa220b96b4150859259e428a763bc71369b809afda4587670f41e78ada