Analysis

  • max time kernel
    159s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-07-2022 01:52

General

  • Target

    Tax Payment Challan.scr

  • Size

    816KB

  • MD5

    62fd0aecb02f01f3a59131ba5ae8d38a

  • SHA1

    2c89f903ad958316ed22706c740cde7ee759247f

  • SHA256

    bdecdba010952f854106cced016ee000bfa09dd499d66fbc43acd585c9348c29

  • SHA512

    84ef0834069a71dc1e4b73c2a927a7357dc066ff72ef479166695d45ee631155b785c1009248b2fbb8452945f8db83f4e89e5cbbc4f974d2d7ac05f8f68e2dba

Malware Config

Signatures

  • Kutaki

    Information stealer and keylogger that hides inside legitimate Visual Basic applications.

  • Kutaki Executable 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.scr
    "C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.scr" /S
    1⤵
    • Drops startup file
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
      2⤵
        PID:4836
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tjqfpdch.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tjqfpdch.exe"
        2⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious use of SetWindowsHookEx
        PID:4248

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tjqfpdch.exe

      Filesize

      816KB

      MD5

      62fd0aecb02f01f3a59131ba5ae8d38a

      SHA1

      2c89f903ad958316ed22706c740cde7ee759247f

      SHA256

      bdecdba010952f854106cced016ee000bfa09dd499d66fbc43acd585c9348c29

      SHA512

      84ef0834069a71dc1e4b73c2a927a7357dc066ff72ef479166695d45ee631155b785c1009248b2fbb8452945f8db83f4e89e5cbbc4f974d2d7ac05f8f68e2dba

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tjqfpdch.exe

      Filesize

      816KB

      MD5

      62fd0aecb02f01f3a59131ba5ae8d38a

      SHA1

      2c89f903ad958316ed22706c740cde7ee759247f

      SHA256

      bdecdba010952f854106cced016ee000bfa09dd499d66fbc43acd585c9348c29

      SHA512

      84ef0834069a71dc1e4b73c2a927a7357dc066ff72ef479166695d45ee631155b785c1009248b2fbb8452945f8db83f4e89e5cbbc4f974d2d7ac05f8f68e2dba

    • memory/4248-133-0x0000000000000000-mapping.dmp

    • memory/4836-132-0x0000000000000000-mapping.dmp