Analysis
  max time kernel   183s
  max time network  224s
  platform          windows10-2004_x64
  resource          win10v2004-20220414-en
  submitted         03/06/2022, 15:04

Static task: static1
Behavioral task: behavioral1
  Sample    TDS Challan.exe
  Resource  win7-20220414-en
General
  Target  TDS Challan.exe
  Size    1.1MB
  MD5     bdfe1051fc246f74193f5e5c8749b7ec
  SHA1    78a61790dccb94853e233ec1f75db3ee6055b5de
  SHA256  62e4ce478f0bc615d11257a09a9ed68ae42c2ada0e4c62c548f1245befa04462
  SHA512  e1d1c9ce40de4e922f0a5c1bad4f565251fc3bc6d9e763b1d027f9a00edee9589c094a0586e9d87a49c3f6812e2ca4e6d7777f171502583dcc215900fc851de7
Malware Config
Signatures

Kutaki Executable  (2 IoCs)
  resource                                      yara_rule
  behavioral2/files/0x004100000000064b-134.dat  family_kutaki
  behavioral2/files/0x004100000000064b-135.dat  family_kutaki

Executes dropped EXE  (1 IoC)
  pid   Process
  4588  hyuder.exe

Drops startup file  (2 IoCs)
  description                   ioc                                                                                      Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe  TDS Challan.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe  TDS Challan.exe

Maps connected drives based on registry  (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description        ioc                                                          Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    hyuder.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  hyuder.exe

Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of SetWindowsHookEx  (6 IoCs)
  pid   Process
  1584  TDS Challan.exe
  1584  TDS Challan.exe
  1584  TDS Challan.exe
  4588  hyuder.exe
  4588  hyuder.exe
  4588  hyuder.exe

Suspicious use of WriteProcessMemory  (6 IoCs)
  description                       pid   Process          procid_target
  PID 1584 wrote to memory of 3516  1584  TDS Challan.exe  80
  PID 1584 wrote to memory of 3516  1584  TDS Challan.exe  80
  PID 1584 wrote to memory of 3516  1584  TDS Challan.exe  80
  PID 1584 wrote to memory of 4588  1584  TDS Challan.exe  82
  PID 1584 wrote to memory of 4588  1584  TDS Challan.exe  82
  PID 1584 wrote to memory of 4588  1584  TDS Challan.exe  82
Processes

1. C:\Users\Admin\AppData\Local\Temp\TDS Challan.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\TDS Challan.exe"
   PID: 1584
   - Drops startup file
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
      PID: 3516

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe"
      PID: 4588
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

  Filesize  1.1MB
  MD5       bdfe1051fc246f74193f5e5c8749b7ec
  SHA1      78a61790dccb94853e233ec1f75db3ee6055b5de
  SHA256    62e4ce478f0bc615d11257a09a9ed68ae42c2ada0e4c62c548f1245befa04462
  SHA512    e1d1c9ce40de4e922f0a5c1bad4f565251fc3bc6d9e763b1d027f9a00edee9589c094a0586e9d87a49c3f6812e2ca4e6d7777f171502583dcc215900fc851de7