Analysis

- max time kernel: 145s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 03-07-2022 21:21

Static task: static1
Behavioral task: behavioral1
Sample: IncomeTax_Payment_Receipt.exe
Resource: win7-20220414-en
General

- Target: IncomeTax_Payment_Receipt.exe
- Size: 636KB
- MD5: bc6618a7be87946f55d90ac92b47f0bc
- SHA1: 10da65cd3ba38618f83473ab6c09abaec80e8341
- SHA256: 9b301c6642a4184267f2c62cfd2b32b0766a1e82caf699136a575ba07d3c7307
- SHA512: d8939bb5ade4e6abda0b67f591390521ac91078727b4231e5191a473454dd5e84e9a707e8af0376d24924e6c04d85889f74c2797489cd0e1b2e6c459cacfab0f
Malware Config

- Extracted: kutaki
- http://newloshree.xyz/work/son.php
Signatures

- Kutaki Executable (2 IoCs)
  Processes (resource / yara_rule):
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nbmonxch.exe / family_kutaki
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nbmonxch.exe / family_kutaki

- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 4628 / nbmonxch.exe

- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
  - File opened for modification / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nbmonxch.exe / IncomeTax_Payment_Receipt.exe
  - File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nbmonxch.exe / IncomeTax_Payment_Receipt.exe

- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes (pid / process):
  - 3060 / IncomeTax_Payment_Receipt.exe
  - 3060 / IncomeTax_Payment_Receipt.exe
  - 3060 / IncomeTax_Payment_Receipt.exe
  - 4628 / nbmonxch.exe
  - 4628 / nbmonxch.exe
  - 4628 / nbmonxch.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
  - PID 3060 wrote to memory of 464 / 3060 / IncomeTax_Payment_Receipt.exe / cmd.exe
  - PID 3060 wrote to memory of 464 / 3060 / IncomeTax_Payment_Receipt.exe / cmd.exe
  - PID 3060 wrote to memory of 464 / 3060 / IncomeTax_Payment_Receipt.exe / cmd.exe
  - PID 3060 wrote to memory of 4628 / 3060 / IncomeTax_Payment_Receipt.exe / nbmonxch.exe
  - PID 3060 wrote to memory of 4628 / 3060 / IncomeTax_Payment_Receipt.exe / nbmonxch.exe
  - PID 3060 wrote to memory of 4628 / 3060 / IncomeTax_Payment_Receipt.exe / nbmonxch.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\IncomeTax_Payment_Receipt.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\IncomeTax_Payment_Receipt.exe"
  PID: 3060
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
    PID: 464

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nbmonxch.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nbmonxch.exe"
    PID: 4628
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads

- Filesize: 636KB
  MD5: bc6618a7be87946f55d90ac92b47f0bc
  SHA1: 10da65cd3ba38618f83473ab6c09abaec80e8341
  SHA256: 9b301c6642a4184267f2c62cfd2b32b0766a1e82caf699136a575ba07d3c7307
  SHA512: d8939bb5ade4e6abda0b67f591390521ac91078727b4231e5191a473454dd5e84e9a707e8af0376d24924e6c04d85889f74c2797489cd0e1b2e6c459cacfab0f