Analysis

max time kernel: 119s
max time network: 46s
platform: windows7_x64
resource: win7-20220414-en
submitted: 03-07-2022 21:21

Static task: static1
Behavioral task: behavioral1
Sample: IncomeTax_Payment_Receipt.exe
Resource: win7-20220414-en

General

Target: IncomeTax_Payment_Receipt.exe
Size: 636KB
MD5: bc6618a7be87946f55d90ac92b47f0bc
SHA1: 10da65cd3ba38618f83473ab6c09abaec80e8341
SHA256: 9b301c6642a4184267f2c62cfd2b32b0766a1e82caf699136a575ba07d3c7307
SHA512: d8939bb5ade4e6abda0b67f591390521ac91078727b4231e5191a473454dd5e84e9a707e8af0376d24924e6c04d85889f74c2797489cd0e1b2e6c459cacfab0f
Malware Config

Extracted (family: kutaki)
URL: http://newloshree.xyz/work/son.php
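Turning the extracted URL into something a proxy-log sweep can use. This is an added example, not part of the sandbox report: the only value taken from the report is the URL above; the log layout, the log lines and the function names are constructed for illustration. It keys on the host rather than the path, because "/work/son.php" on its own is generic enough to match unrelated sites.

```python
"""Network IOC matching for the extracted Kutaki config URL.

Added example, not part of the sandbox report: the only value taken from
the report is EXTRACTED_URL; the log format and the log lines below are
constructed for illustration.
"""
from urllib.parse import urlparse

# Value from the report's "Malware Config" section.
EXTRACTED_URL = "http://newloshree.xyz/work/son.php"


def indicators_from_url(url: str) -> dict:
    """Split a config URL into the pieces a detection actually keys on.

    The host is the strong indicator; the path is only meaningful together
    with the host, so it is kept separately for reporting.
    """
    u = urlparse(url)
    return {
        "host": u.hostname.lower(),
        "path": u.path,
        "port": u.port or (443 if u.scheme == "https" else 80),
    }


def scan_proxy_log(lines, ioc: dict):
    """Return (line_no, client_ip, url, exact_endpoint) per request to the IOC host.

    Assumed log layout (constructed, space separated):
        <timestamp> <client_ip> <method> <url> <status>
    A request is a hit when its host equals the IOC host or is a subdomain of
    it; exact_endpoint says whether the request path is the config path too.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip rather than abort the sweep
        client, url = parts[1], parts[3]
        u = urlparse(url if "://" in url else "http://" + url)
        host = (u.hostname or "").lower()
        if host == ioc["host"] or host.endswith("." + ioc["host"]):
            hits.append((n, client, url, u.path == ioc["path"]))
    return hits


# Constructed sample lines (not from the report): one exact hit, one
# subdomain hit, and one near-miss on a different host with the same path.
SAMPLE_LOG = [
    "2022-07-03T21:22:01Z 10.0.0.15 GET http://www.example.com/index.html 200",
    "2022-07-03T21:22:07Z 10.0.0.15 POST http://newloshree.xyz/work/son.php 200",
    "2022-07-03T21:22:09Z 10.0.0.22 GET http://cdn.newloshree.xyz/img.png 404",
    "2022-07-03T21:22:11Z 10.0.0.31 GET http://other.example.net/work/son.php 200",
]

if __name__ == "__main__":
    ioc = indicators_from_url(EXTRACTED_URL)
    for line_no, client, url, exact in scan_proxy_log(SAMPLE_LOG, ioc):
        print(f"line {line_no}: {client} -> {url} (exact endpoint: {exact})")
```

Run against real proxy logs by replacing SAMPLE_LOG with the file's lines; the third constructed line shows why the match is on the host and not the path.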
Signatures

Kutaki Executable (9 IoCs)
YARA rule family_kutaki matched on the dropped file:
  \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zbzljvch.exe (7 matches)
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zbzljvch.exe (2 matches)

Executes dropped EXE (1 IoC)
  PID 2028  zbzljvch.exe

Drops startup file (2 IoCs)
  IncomeTax_Payment_Receipt.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zbzljvch.exe
  IncomeTax_Payment_Receipt.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zbzljvch.exe

Loads dropped DLL (7 IoCs)
  PID 1260  IncomeTax_Payment_Receipt.exe (2 entries)
  PID 1580  WerFault.exe (5 entries)

Program crash (1 IoC)
  PID 1580  WerFault.exe, target PID 2028  zbzljvch.exe

Modifies Internet Explorer settings (1 IoC)
  zbzljvch.exe: Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main

Suspicious use of SetWindowsHookEx (64 IoCs)
  PID 1260  IncomeTax_Payment_Receipt.exe (3 entries)
  PID 2028  zbzljvch.exe (61 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1260  IncomeTax_Payment_Receipt.exe wrote to memory of PID 2024  cmd.exe (4 entries)
  PID 1260  IncomeTax_Payment_Receipt.exe wrote to memory of PID 2028  zbzljvch.exe (4 entries)
  PID 2028  zbzljvch.exe wrote to memory of PID 1580  WerFault.exe (4 entries)
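The signatures above describe one chain: an executable written into the per-user Startup folder, that executable started directly by the dropper, and WerFault.exe invoked for its PID. The following is an added example of how to detect that chain from host telemetry; it is not the sandbox's own logic. The events are constructed in a simplified Sysmon-like shape (EventID 1 = process create, EventID 11 = file create) using the PIDs, images and command lines from this report; the record format, the field names and the explorer.exe parent of the dropper are assumptions.

```python
"""Host-side detection of the drop-to-Startup / run-from-Startup chain.

Added example, not the sandbox's own logic. Events are constructed in a
simplified Sysmon-like shape (EventID 1 = process create, 11 = file create)
using the PIDs, images and command lines from the report's process tree; the
record format, field names and the explorer.exe parent are assumptions.
"""
import re

STARTUP_DIR = "\\start menu\\programs\\startup\\"
TEMP_DIR = "\\appdata\\local\\temp\\"
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)(?:\s|$)")


def _under(path: str, fragment: str) -> bool:
    return fragment in path.lower()


def analyse(events):
    """Return (rule, pid, detail) alerts, in event order.

    startup_drop   an .exe is written directly into a Startup folder
    startup_exec   a process whose image lives in a Startup folder is started
                   by something other than the logon shell (explorer.exe):
                   the dropper ran its copy instead of waiting for next logon
    suspect_crash  WerFault.exe is invoked with -p <pid> of a process already
                   flagged by startup_exec, i.e. the payload died
    """
    alerts, suspects = [], set()
    for ev in events:
        if ev["EventID"] == 11:
            target = ev["TargetFilename"]
            if _under(target, STARTUP_DIR) and target.lower().endswith(".exe"):
                origin = "Temp" if _under(ev["Image"], TEMP_DIR) else ev["Image"]
                alerts.append(("startup_drop", ev["ProcessId"],
                               f"{target} written by pid {ev['ProcessId']} from {origin}"))
        elif ev["EventID"] == 1:
            image, parent = ev["Image"], ev["ParentImage"]
            if _under(image, STARTUP_DIR) and not parent.lower().endswith("\\explorer.exe"):
                suspects.add(ev["ProcessId"])
                alerts.append(("startup_exec", ev["ProcessId"],
                               f"{image} started by {parent} (pid {ev['ParentProcessId']})"))
            elif image.lower().endswith("\\werfault.exe"):
                m = WERFAULT_PID.search(ev["CommandLine"])
                if m and int(m.group(1)) in suspects:
                    alerts.append(("suspect_crash", int(m.group(1)),
                                   f"flagged process crashed; WerFault pid {ev['ProcessId']}"))
    return alerts


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\IncomeTax_Payment_Receipt.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zbzljvch.exe"

# Constructed events mirroring the report's process tree (PIDs 1260/2024/2028/1580).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1260, "Image": DROPPER, "CommandLine": f'"{DROPPER}"',
     "ParentProcessId": 1000, "ParentImage": r"C:\Windows\explorer.exe"},  # parent assumed
    {"EventID": 11, "ProcessId": 1260, "Image": DROPPER, "TargetFilename": DROPPED},
    {"EventID": 1, "ProcessId": 2024, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": "cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\",
     "ParentProcessId": 1260, "ParentImage": DROPPER},
    {"EventID": 1, "ProcessId": 2028, "Image": DROPPED, "CommandLine": f'"{DROPPED}"',
     "ParentProcessId": 1260, "ParentImage": DROPPER},
    {"EventID": 1, "ProcessId": 1580, "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1212",
     "ParentProcessId": 2028, "ParentImage": DROPPED},
]

if __name__ == "__main__":
    for rule, pid, detail in analyse(SAMPLE_EVENTS):
        print(f"[{rule}] pid {pid}: {detail}")
```

The startup_exec rule only fires while the dropper is still the parent; after a reboot the copy is started by explorer.exe like any Startup item, which is why the file-write rule is the one to rely on for the persistence itself.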
Processes

C:\Users\Admin\AppData\Local\Temp\IncomeTax_Payment_Receipt.exe  (PID 1260)
  command line: "C:\Users\Admin\AppData\Local\Temp\IncomeTax_Payment_Receipt.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 2024)
    command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zbzljvch.exe  (PID 2028)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zbzljvch.exe"
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe  (PID 1580)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1212
      - Loads dropped DLL
      - Program crash

The chain is: dropper (PID 1260, run from the user's Temp folder) writes a copy of itself into the per-user Startup folder (the dropped file's hashes match the sample's, see Downloads) and launches it immediately as PID 2028; that copy then crashes, which is why WerFault.exe is invoked with -p 2028. The cmd.exe command line is reproduced as recorded, cut off after the Temp path. Whatever the copy would have done after the crash, including contacting the extracted URL, is not observed in this run, and no network activity is listed under Network below.
Network
MITRE ATT&CK Enterprise v6
Downloads

Nine file entries are listed, all with identical values; they also match the hashes of the submitted sample under General, so the file dropped into the Startup folder is a byte-for-byte copy of IncomeTax_Payment_Receipt.exe:

Filesize: 636KB
MD5: bc6618a7be87946f55d90ac92b47f0bc
SHA1: 10da65cd3ba38618f83473ab6c09abaec80e8341
SHA256: 9b301c6642a4184267f2c62cfd2b32b0766a1e82caf699136a575ba07d3c7307
SHA512: d8939bb5ade4e6abda0b67f591390521ac91078727b4231e5191a473454dd5e84e9a707e8af0376d24924e6c04d85889f74c2797489cd0e1b2e6c459cacfab0f
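Because the dropped file is the sample itself, the hashes above are directly usable for an on-disk sweep of Startup folders. The following is an added example, not code from the report: the SHA-256 comes from the report, while the folder built by build_demo_folder() is constructed (a stub with an MZ header, not the real sample) so the sweep runs offline. It also flags any PE image sitting in a Startup folder regardless of hash, since Startup folders normally hold .lnk shortcuts and a rebuilt variant would not match the hash.

```python
"""Sweep Startup folders for the dropped Kutaki copy.

Added example, not code from the sandbox report. The hash comes from the
report; the directory contents built by build_demo_folder() are constructed
(a stub with an MZ header, not the real sample) so the sweep can run offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# From the report: the submitted sample and every dropped copy share this hash.
KNOWN_BAD_SHA256 = {
    "9b301c6642a4184267f2c62cfd2b32b0766a1e82caf699136a575ba07d3c7307",
}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe(path: Path) -> bool:
    """True if the file starts with the DOS 'MZ' stub, whatever its extension."""
    with path.open("rb") as f:
        return f.read(2) == b"MZ"


def sweep_startup(folder: Path, known_sha256=KNOWN_BAD_SHA256):
    """Return findings for every file directly in `folder`.

    Two independent reasons are recorded per file:
      known_bad_hash  SHA-256 matches the report's IOC
      pe_in_startup   the file is a PE image; Startup folders normally hold
                      .lnk shortcuts, so a bare executable here is worth a
                      look even when its hash is unknown
    """
    findings = []
    for p in sorted(folder.iterdir()):
        if not p.is_file():
            continue
        reasons = []
        digest = sha256_of(p)
        if digest in known_sha256:
            reasons.append("known_bad_hash")
        if is_pe(p):
            reasons.append("pe_in_startup")
        if reasons:
            findings.append({"path": str(p), "sha256": digest, "reasons": reasons})
    return findings


def default_startup_folders():
    """Per-user and all-users Startup folders on a Windows host (paths only)."""
    folders = []
    if "APPDATA" in os.environ:
        folders.append(Path(os.environ["APPDATA"]) / "Microsoft/Windows/Start Menu/Programs/Startup")
    if "ProgramData" in os.environ:
        folders.append(Path(os.environ["ProgramData"]) / "Microsoft/Windows/Start Menu/Programs/StartUp")
    return folders


def build_demo_folder() -> Path:
    """Constructed Startup folder: a PE stub named like the dropped file,
    a benign shortcut and an ini file. None of these is the real sample."""
    d = Path(tempfile.mkdtemp(prefix="startup_demo_"))
    (d / "zbzljvch.exe").write_bytes(b"MZ" + b"\x90" * 62 + b"PE\x00\x00")
    (d / "Notes.lnk").write_bytes(b"L\x00\x00\x00" + b"\x01\x14\x02\x00")  # .lnk magic
    (d / "desktop.ini").write_text("[.ShellClassInfo]\n")
    return d


if __name__ == "__main__":
    targets = [f for f in default_startup_folders() if f.is_dir()] or [build_demo_folder()]
    for folder in targets:
        for finding in sweep_startup(folder):
            print(finding["path"], finding["sha256"][:16], ", ".join(finding["reasons"]))
```

On a Windows host the script sweeps the real per-user and all-users Startup folders; anywhere else it falls back to the constructed folder. Pass a larger known_sha256 set to sweep_startup() to cover other samples at the same time.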