Analysis
max time kernel: 151s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 03-07-2022 10:15
Static task: static1
Behavioral task: behavioral1
Sample: TDS Challan.exe
Resource: win7-20220414-en
General
Target: TDS Challan.exe
Size: 740KB
MD5: 1ba628a1b76f3a2f4133f94c7c18f91c
SHA1: 876664b10a1fc68dba94efbb6aaa9f8eae3d1fac
SHA256: 408e62f6612f1ace5d52c48c850a16881504dd50dd3af9bfc245bae8cb7cfeb0
SHA512: 219a3a6e8cea16a58b90d7e2a044c4e7e26145e7e33c5a73033e382b2ccd8f8e16767af8af22f7f1db973733619a03e5cce1a4c2327f2d8f79db67f534f67e24
Malware Config
Signatures

Kutaki Executable 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrzvowch.exe | family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrzvowch.exe | family_kutaki

Executes dropped EXE 1 IoCs
Processes: yrzvowch.exe
pid | process
4432 | yrzvowch.exe

Drops startup file 2 IoCs
Processes: TDS Challan.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrzvowch.exe | TDS Challan.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrzvowch.exe | TDS Challan.exe

Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: yrzvowch.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | yrzvowch.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | yrzvowch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of SetWindowsHookEx 6 IoCs
Processes: TDS Challan.exe, yrzvowch.exe
pid | process
1464 | TDS Challan.exe
1464 | TDS Challan.exe
1464 | TDS Challan.exe
4432 | yrzvowch.exe
4432 | yrzvowch.exe
4432 | yrzvowch.exe

Suspicious use of WriteProcessMemory 6 IoCs
Processes: TDS Challan.exe
description | pid | process | target process
PID 1464 wrote to memory of 4836 | 1464 | TDS Challan.exe | cmd.exe
PID 1464 wrote to memory of 4836 | 1464 | TDS Challan.exe | cmd.exe
PID 1464 wrote to memory of 4836 | 1464 | TDS Challan.exe | cmd.exe
PID 1464 wrote to memory of 4432 | 1464 | TDS Challan.exe | yrzvowch.exe
PID 1464 wrote to memory of 4432 | 1464 | TDS Challan.exe | yrzvowch.exe
PID 1464 wrote to memory of 4432 | 1464 | TDS Challan.exe | yrzvowch.exe
Processes

C:\Users\Admin\AppData\Local\Temp\TDS Challan.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TDS Challan.exe"
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1464

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
      PID:4836

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrzvowch.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrzvowch.exe"
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious use of SetWindowsHookEx
      PID:4432
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 740KB
MD5: 1ba628a1b76f3a2f4133f94c7c18f91c
SHA1: 876664b10a1fc68dba94efbb6aaa9f8eae3d1fac
SHA256: 408e62f6612f1ace5d52c48c850a16881504dd50dd3af9bfc245bae8cb7cfeb0
SHA512: 219a3a6e8cea16a58b90d7e2a044c4e7e26145e7e33c5a73033e382b2ccd8f8e16767af8af22f7f1db973733619a03e5cce1a4c2327f2d8f79db67f534f67e24