Analysis
- max time kernel: 159s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-07-2022 01:52
Static task: static1
Behavioral task: behavioral1
Sample: Tax Payment Challan.scr
Resource: win7-20220414-en
General
- Target: Tax Payment Challan.scr
- Size: 816KB
- MD5: 62fd0aecb02f01f3a59131ba5ae8d38a
- SHA1: 2c89f903ad958316ed22706c740cde7ee759247f
- SHA256: bdecdba010952f854106cced016ee000bfa09dd499d66fbc43acd585c9348c29
- SHA512: 84ef0834069a71dc1e4b73c2a927a7357dc066ff72ef479166695d45ee631155b785c1009248b2fbb8452945f8db83f4e89e5cbbc4f974d2d7ac05f8f68e2dba
Malware Config
Signatures
- Kutaki Executable (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tjqfpdch.exe | family_kutaki
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tjqfpdch.exe | family_kutaki
- Executes dropped EXE (1 IoC)
  Processes: tjqfpdch.exe
  pid | process
  4248 | tjqfpdch.exe
- Drops startup file (2 IoCs)
  Processes: Tax Payment Challan.scr
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tjqfpdch.exe | Tax Payment Challan.scr
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tjqfpdch.exe | Tax Payment Challan.scr
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: tjqfpdch.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | tjqfpdch.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | tjqfpdch.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes: Tax Payment Challan.scr, tjqfpdch.exe
  pid | process
  4892 | Tax Payment Challan.scr
  4892 | Tax Payment Challan.scr
  4892 | Tax Payment Challan.scr
  4248 | tjqfpdch.exe
  4248 | tjqfpdch.exe
  4248 | tjqfpdch.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: Tax Payment Challan.scr
  description | pid | process | target process
  PID 4892 wrote to memory of 4836 | 4892 | Tax Payment Challan.scr | cmd.exe
  PID 4892 wrote to memory of 4836 | 4892 | Tax Payment Challan.scr | cmd.exe
  PID 4892 wrote to memory of 4836 | 4892 | Tax Payment Challan.scr | cmd.exe
  PID 4892 wrote to memory of 4248 | 4892 | Tax Payment Challan.scr | tjqfpdch.exe
  PID 4892 wrote to memory of 4248 | 4892 | Tax Payment Challan.scr | tjqfpdch.exe
  PID 4892 wrote to memory of 4248 | 4892 | Tax Payment Challan.scr | tjqfpdch.exe
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.scr" /S
  PID: 4892
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
    PID: 4836
  - Depth 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tjqfpdch.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tjqfpdch.exe"
    PID: 4248
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 816KB
  MD5: 62fd0aecb02f01f3a59131ba5ae8d38a
  SHA1: 2c89f903ad958316ed22706c740cde7ee759247f
  SHA256: bdecdba010952f854106cced016ee000bfa09dd499d66fbc43acd585c9348c29
  SHA512: 84ef0834069a71dc1e4b73c2a927a7357dc066ff72ef479166695d45ee631155b785c1009248b2fbb8452945f8db83f4e89e5cbbc4f974d2d7ac05f8f68e2dba
- Filesize: 816KB
  MD5: 62fd0aecb02f01f3a59131ba5ae8d38a
  SHA1: 2c89f903ad958316ed22706c740cde7ee759247f
  SHA256: bdecdba010952f854106cced016ee000bfa09dd499d66fbc43acd585c9348c29
  SHA512: 84ef0834069a71dc1e4b73c2a927a7357dc066ff72ef479166695d45ee631155b785c1009248b2fbb8452945f8db83f4e89e5cbbc4f974d2d7ac05f8f68e2dba