Analysis
- max time kernel: 126s
- max time network: 130s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 01-02-2022 02:43
Static task: static1
Behavioral task: behavioral1
  Sample: Tax Payment Challan.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: Tax Payment Challan.exe
  Resource: win10v2004-en-20220113
General
- Target: Tax Payment Challan.exe
- Size: 816KB
- MD5: 7179c01d287ea46e21056c636762968e
- SHA1: a415e62ffb1aa36634d5829e4860440f98623358
- SHA256: c1a4f8840c7d3c16fa5bb0b52507a501da19dff827fff7b64778f24726d8d5c9
- SHA512: 875034e75889847861f603afada2ea5a7ebc1058e84dea5759dd8528055ad48cfd2b64bca3109721ccc2a16f171b8368649603955d69583380ec1400e5b34dfc
Malware Config
Signatures
- Kutaki Executable (3 IoCs)
  resource                                      yara_rule
  behavioral1/files/0x00060000000125b9-65.dat   family_kutaki
  behavioral1/files/0x00060000000125b9-66.dat   family_kutaki
  behavioral1/files/0x00060000000125b9-67.dat   family_kutaki
- Executes dropped EXE (1 IoC)
  pid    Process
  1360   msiyksch.exe
- Drops startup file (2 IoCs)
  description                   ioc                                                                                    Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msiyksch.exe   Tax Payment Challan.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msiyksch.exe   Tax Payment Challan.exe
- Loads dropped DLL (2 IoCs)
  pid    Process
  1688   Tax Payment Challan.exe
  1688   Tax Payment Challan.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid    Process
  1900   DllHost.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid    Process
  1688   Tax Payment Challan.exe
  1688   Tax Payment Challan.exe
  1688   Tax Payment Challan.exe
  1360   msiyksch.exe
  1360   msiyksch.exe
  1360   msiyksch.exe
  1360   msiyksch.exe
  1360   msiyksch.exe
  1360   msiyksch.exe
  1360   msiyksch.exe
  1360   msiyksch.exe
  1360   msiyksch.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                      pid    Process                   procid_target
  PID 1688 wrote to memory of 844  1688   Tax Payment Challan.exe   28
  PID 1688 wrote to memory of 844  1688   Tax Payment Challan.exe   28
  PID 1688 wrote to memory of 844  1688   Tax Payment Challan.exe   28
  PID 1688 wrote to memory of 844  1688   Tax Payment Challan.exe   28
  PID 1688 wrote to memory of 1360 1688   Tax Payment Challan.exe   31
  PID 1688 wrote to memory of 1360 1688   Tax Payment Challan.exe   31
  PID 1688 wrote to memory of 1360 1688   Tax Payment Challan.exe   31
  PID 1688 wrote to memory of 1360 1688   Tax Payment Challan.exe   31
Processes
- C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe"
  PID: 1688
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
    PID: 844
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msiyksch.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msiyksch.exe"
    PID: 1360
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 1900
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 7179c01d287ea46e21056c636762968e
  SHA1: a415e62ffb1aa36634d5829e4860440f98623358
  SHA256: c1a4f8840c7d3c16fa5bb0b52507a501da19dff827fff7b64778f24726d8d5c9
  SHA512: 875034e75889847861f603afada2ea5a7ebc1058e84dea5759dd8528055ad48cfd2b64bca3109721ccc2a16f171b8368649603955d69583380ec1400e5b34dfc