Analysis
max time kernel: 142s
max time network: 128s
platform: windows10_x64
resource: win10-en-20211014
submitted: 01-12-2021 09:17

Static task: static1
Behavioral task: behavioral1
Sample: Tax Payment.exe
Resource: win7-en-20211104
General
Target: Tax Payment.exe
Size: 592KB
MD5: ea8ff94f74983ea0fe9f96f4df50850b
SHA1: f1bd1b5edae636b45833d3c080a65c7cf3b47ed6
SHA256: 991e72f2d6213d5841b0286574c5d0a387c662c9912faf477183768538754e4b
SHA512: 6df7184111dcdf812bc44e006eafd232946014678c3d24742fe10742dfe97ce08548d0dca71f4b28265abf7e248cb0435e108f787fa73f98222f419d2acc6177
Malware Config
Signatures
Kutaki Executable (2 IoCs)
  resource                                       yara_rule
  behavioral2/files/0x000400000001ab9a-123.dat   family_kutaki
  behavioral2/files/0x000400000001ab9a-124.dat   family_kutaki

Executes dropped EXE (1 IoCs)
Processes: vbgofoch.exe
  pid    Process
  1280   vbgofoch.exe

Drops startup file (2 IoCs)
Processes: Tax Payment.exe
  description                    ioc                                                                                          Process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbgofoch.exe    Tax Payment.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbgofoch.exe    Tax Payment.exe

Drops file in Windows directory (1 IoCs)
Processes: mspaint.exe
  description                    ioc                                   Process
  File opened for modification   C:\Windows\Debug\WIA\wiatrace.log     mspaint.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
Processes: cmd.exe
  description   ioc                                                                                   Process
  Key created   \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings   cmd.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: mspaint.exe
  pid    Process
  2316   mspaint.exe
  2316   mspaint.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
Processes: Tax Payment.exe, mspaint.exe, vbgofoch.exe
  pid    Process
  3028   Tax Payment.exe
  3028   Tax Payment.exe
  3028   Tax Payment.exe
  2316   mspaint.exe
  2316   mspaint.exe
  2316   mspaint.exe
  2316   mspaint.exe
  1280   vbgofoch.exe
  1280   vbgofoch.exe
  1280   vbgofoch.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: Tax Payment.exe, cmd.exe
  description                         pid    Process           procid_target
  PID 3028 wrote to memory of 2908    3028   Tax Payment.exe   69
  PID 3028 wrote to memory of 2908    3028   Tax Payment.exe   69
  PID 3028 wrote to memory of 2908    3028   Tax Payment.exe   69
  PID 2908 wrote to memory of 2316    2908   cmd.exe           71
  PID 2908 wrote to memory of 2316    2908   cmd.exe           71
  PID 2908 wrote to memory of 2316    2908   cmd.exe           71
  PID 3028 wrote to memory of 1280    3028   Tax Payment.exe   75
  PID 3028 wrote to memory of 1280    3028   Tax Payment.exe   75
  PID 3028 wrote to memory of 1280    3028   Tax Payment.exe   75
Processes
C:\Users\Admin\AppData\Local\Temp\Tax Payment.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Tax Payment.exe"
  PID: 3028
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
    PID: 2908
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\mspaint.exe
      Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
      PID: 2316
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbgofoch.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbgofoch.exe"
    PID: 1280
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
  PID: 2820
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: ea8ff94f74983ea0fe9f96f4df50850b
SHA1: f1bd1b5edae636b45833d3c080a65c7cf3b47ed6
SHA256: 991e72f2d6213d5841b0286574c5d0a387c662c9912faf477183768538754e4b
SHA512: 6df7184111dcdf812bc44e006eafd232946014678c3d24742fe10742dfe97ce08548d0dca71f4b28265abf7e248cb0435e108f787fa73f98222f419d2acc6177