Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 01-12-2021 09:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: Tax Payment.exe
- Resource: win7-en-20211104
General
- Target: Tax Payment.exe
- Size: 592KB
- MD5: ea8ff94f74983ea0fe9f96f4df50850b
- SHA1: f1bd1b5edae636b45833d3c080a65c7cf3b47ed6
- SHA256: 991e72f2d6213d5841b0286574c5d0a387c662c9912faf477183768538754e4b
- SHA512: 6df7184111dcdf812bc44e006eafd232946014678c3d24742fe10742dfe97ce08548d0dca71f4b28265abf7e248cb0435e108f787fa73f98222f419d2acc6177
Malware Config
Signatures
- Kutaki Executable (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/files/0x00070000000121fa-60.dat | family_kutaki
  behavioral1/files/0x00070000000121fa-61.dat | family_kutaki
  behavioral1/files/0x00070000000121fa-63.dat | family_kutaki
  behavioral1/files/0x00070000000121fa-72.dat | family_kutaki
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | Process
  1004 | riptxach.exe
- Drops startup file (2 IoCs)
  Processes:
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\riptxach.exe | Tax Payment.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\riptxach.exe | Tax Payment.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | Process
  672 | Tax Payment.exe
  672 | Tax Payment.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
  Processes:
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main | riptxach.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
  pid | Process
  1604 | DllHost.exe
- Suspicious use of SetWindowsHookEx (64 IoCs)
  Processes:
  pid | Process | entries
  672 | Tax Payment.exe | 3
  1004 | riptxach.exe | 61
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | Process | procid_target | entries
  PID 672 wrote to memory of 552 | 672 | Tax Payment.exe | 29 | 4
  PID 672 wrote to memory of 1004 | 672 | Tax Payment.exe | 31 | 4
Processes
- C:\Users\Admin\AppData\Local\Temp\Tax Payment.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Tax Payment.exe"
  PID: 672
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
    PID: 552
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\riptxach.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\riptxach.exe"
    PID: 1004
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 1604
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ea8ff94f74983ea0fe9f96f4df50850b
  SHA1: f1bd1b5edae636b45833d3c080a65c7cf3b47ed6
  SHA256: 991e72f2d6213d5841b0286574c5d0a387c662c9912faf477183768538754e4b
  SHA512: 6df7184111dcdf812bc44e006eafd232946014678c3d24742fe10742dfe97ce08548d0dca71f4b28265abf7e248cb0435e108f787fa73f98222f419d2acc6177