Analysis
  max time kernel:  120s
  max time network: 122s
  platform:         windows7_x64
  resource:         win7-en-20211208
  submitted:        11/02/2022, 11:12

Tasks
  Static task:     static1
  Behavioral task: behavioral1
  Sample:          IncomeTax_PaymentReceipt.exe
  Resource:        win7-en-20211208
  Signatures:      0
  Time:            0 seconds
General
  Target: IncomeTax_PaymentReceipt.exe
  Size:   1.3MB
  MD5:    0692f7369ad0e05cb31e083aefba8e1c
  SHA1:   b2cf04e7983a1ed5b378475cfdf215b52de8d1ff
  SHA256: dc90482c940a4ab897dcb64e468ccc1767ce48c249755bb625d4e48e718edfd6
  SHA512: 1cbdd7952e91aadd71f30c94c1467d17065cb7aae4c922fc904ca42fdb4ebcd8bfbfff291576b0f8b081ce92a6ebd9a4b6d1fe76ad8a7337d154cc79a03e9b87
Malware Config
Signatures

Kutaki Executable (3 IoCs)
  resource                                      yara_rule
  behavioral1/files/0x0007000000013413-57.dat   family_kutaki
  behavioral1/files/0x0007000000013413-58.dat   family_kutaki
  behavioral1/files/0x0007000000013413-59.dat   family_kutaki

Executes dropped EXE (1 IoC)
  pid   Process
  456   qqaefqch.exe

Drops startup file (2 IoCs)
  description                     ioc                                                                                        Process
  File opened for modification    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qqaefqch.exe   IncomeTax_PaymentReceipt.exe
  File created                    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qqaefqch.exe   IncomeTax_PaymentReceipt.exe

Loads dropped DLL (2 IoCs)
  pid    Process
  1688   IncomeTax_PaymentReceipt.exe
  1688   IncomeTax_PaymentReceipt.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of SetWindowsHookEx (64 IoCs)
  pid    Process
  1688   IncomeTax_PaymentReceipt.exe   (3 entries)
  456    qqaefqch.exe                   (the remaining 61 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid    Process                         procid_target
  PID 1688 wrote to memory of 780    1688   IncomeTax_PaymentReceipt.exe    28   (4 entries)
  PID 1688 wrote to memory of 456    1688   IncomeTax_PaymentReceipt.exe    30   (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\IncomeTax_PaymentReceipt.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\IncomeTax_PaymentReceipt.exe"
   PID: 1688
   - Drops startup file
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
      PID: 780

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qqaefqch.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qqaefqch.exe"
      PID: 456
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx