Analysis
- max time kernel: 97s
- max time network: 42s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 03-07-2022 09:00
Static task: static1
Behavioral task: behavioral1
Sample: IncomeTax_Payment_Receipt.exe
Resource: win7-20220414-en
General
- Target: IncomeTax_Payment_Receipt.exe
- Size: 636KB
- MD5: bc6618a7be87946f55d90ac92b47f0bc
- SHA1: 10da65cd3ba38618f83473ab6c09abaec80e8341
- SHA256: 9b301c6642a4184267f2c62cfd2b32b0766a1e82caf699136a575ba07d3c7307
- SHA512: d8939bb5ade4e6abda0b67f591390521ac91078727b4231e5191a473454dd5e84e9a707e8af0376d24924e6c04d85889f74c2797489cd0e1b2e6c459cacfab0f
Malware Config
Signatures
- Kutaki Executable (8 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xlxtvpch.exe | family_kutaki (7 entries)
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xlxtvpch.exe | family_kutaki (1 entry)
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  2040 | xlxtvpch.exe
- Drops startup file (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xlxtvpch.exe | IncomeTax_Payment_Receipt.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xlxtvpch.exe | IncomeTax_Payment_Receipt.exe
- Loads dropped DLL (7 IoCs)
  Processes:
  pid | process
  872 | IncomeTax_Payment_Receipt.exe (2 entries)
  1532 | WerFault.exe (5 entries)
- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  1532 | 2040 | WerFault.exe | xlxtvpch.exe
- Suspicious use of SetWindowsHookEx (64 IoCs)
  Processes:
  pid | process
  872 | IncomeTax_Payment_Receipt.exe (3 entries)
  2040 | xlxtvpch.exe (61 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 872 wrote to memory of 1352 | 872 | IncomeTax_Payment_Receipt.exe | cmd.exe (4 entries)
  PID 872 wrote to memory of 2040 | 872 | IncomeTax_Payment_Receipt.exe | xlxtvpch.exe (4 entries)
  PID 2040 wrote to memory of 1532 | 2040 | xlxtvpch.exe | WerFault.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\IncomeTax_Payment_Receipt.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\IncomeTax_Payment_Receipt.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 872
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
    PID: 1352
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xlxtvpch.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xlxtvpch.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2040
    - C:\Windows\SysWOW64\WerFault.exe (level 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 304
      - Loads dropped DLL
      - Program crash
      PID: 1532
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 636KB
  MD5: bc6618a7be87946f55d90ac92b47f0bc
  SHA1: 10da65cd3ba38618f83473ab6c09abaec80e8341
  SHA256: 9b301c6642a4184267f2c62cfd2b32b0766a1e82caf699136a575ba07d3c7307
  SHA512: d8939bb5ade4e6abda0b67f591390521ac91078727b4231e5191a473454dd5e84e9a707e8af0376d24924e6c04d85889f74c2797489cd0e1b2e6c459cacfab0f