Analysis
- max time kernel: 128s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-07-2022 01:52

Static task: static1
Behavioral task: behavioral1
Sample: Tax Payment Challan.scr
Resource: win7-20220414-en
General
- Target: Tax Payment Challan.scr
- Size: 816KB
- MD5: 62fd0aecb02f01f3a59131ba5ae8d38a
- SHA1: 2c89f903ad958316ed22706c740cde7ee759247f
- SHA256: bdecdba010952f854106cced016ee000bfa09dd499d66fbc43acd585c9348c29
- SHA512: 84ef0834069a71dc1e4b73c2a927a7357dc066ff72ef479166695d45ee631155b785c1009248b2fbb8452945f8db83f4e89e5cbbc4f974d2d7ac05f8f68e2dba
Malware Config
Signatures
- Kutaki Executable (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wkeqpqch.exe | family_kutaki
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wkeqpqch.exe | family_kutaki
  \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wkeqpqch.exe | family_kutaki
- Executes dropped EXE (1 IoC)
  pid | process
  460 | wkeqpqch.exe
- Drops startup file (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wkeqpqch.exe | Tax Payment Challan.scr
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wkeqpqch.exe | Tax Payment Challan.scr
- Loads dropped DLL (2 IoCs)
  pid | process
  1256 | Tax Payment Challan.scr
  1256 | Tax Payment Challan.scr
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | process
  1256 | Tax Payment Challan.scr
  1256 | Tax Payment Challan.scr
  1256 | Tax Payment Challan.scr
  460 | wkeqpqch.exe
  460 | wkeqpqch.exe
  460 | wkeqpqch.exe
  460 | wkeqpqch.exe
  460 | wkeqpqch.exe
  460 | wkeqpqch.exe
  460 | wkeqpqch.exe
  460 | wkeqpqch.exe
  460 | wkeqpqch.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | target process
  PID 1256 wrote to memory of 2024 | 1256 | Tax Payment Challan.scr | cmd.exe
  PID 1256 wrote to memory of 2024 | 1256 | Tax Payment Challan.scr | cmd.exe
  PID 1256 wrote to memory of 2024 | 1256 | Tax Payment Challan.scr | cmd.exe
  PID 1256 wrote to memory of 2024 | 1256 | Tax Payment Challan.scr | cmd.exe
  PID 1256 wrote to memory of 460 | 1256 | Tax Payment Challan.scr | wkeqpqch.exe
  PID 1256 wrote to memory of 460 | 1256 | Tax Payment Challan.scr | wkeqpqch.exe
  PID 1256 wrote to memory of 460 | 1256 | Tax Payment Challan.scr | wkeqpqch.exe
  PID 1256 wrote to memory of 460 | 1256 | Tax Payment Challan.scr | wkeqpqch.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.scr" /S
  PID: 1256
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child of 1256)
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
    PID: 2024
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wkeqpqch.exe (child of 1256)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wkeqpqch.exe"
    PID: 460
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 816KB
  MD5: 62fd0aecb02f01f3a59131ba5ae8d38a
  SHA1: 2c89f903ad958316ed22706c740cde7ee759247f
  SHA256: bdecdba010952f854106cced016ee000bfa09dd499d66fbc43acd585c9348c29
  SHA512: 84ef0834069a71dc1e4b73c2a927a7357dc066ff72ef479166695d45ee631155b785c1009248b2fbb8452945f8db83f4e89e5cbbc4f974d2d7ac05f8f68e2dba