Analysis
- max time kernel: 125s
- max time network: 77s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-07-2022 04:53
Behavioral task
- behavioral1
- Sample: Tax Payment Challan.exe
- Resource: win7-20220718-en
General
- Target: Tax Payment Challan.exe
- Size: 768KB
- MD5: d25f259e5943e02244d5a6fb3cc9b778
- SHA1: ae4c93a5264acdf26a11cd9165f7382afceedb50
- SHA256: 4b0f2eb3c83c7a8f9bf0f945feeadad30cb7e5432f6c66fe7d6b921925ce142a
- SHA512: 8363351c576a8be88a02408ebcfc60a6c5abc0db402cd12b349c80b787bb3fd9bc2ab6206c3a7293ff187b61d0da2cdf6100020836c8a590a2181689c72fd019
Malware Config
Extracted
- Family: kutaki
- C2 URL: http://newloshree.xyz/work/kenny3.php
Signatures

Kutaki Executable (2 IoCs)
Processes:
| resource | yara_rule |
|---|---|
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe | family_kutaki |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe | family_kutaki |
Executes dropped EXE (1 IoC)
Processes:
| pid | process |
|---|---|
| 4332 | ch.exe |
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check. Note that the query is attributed to the intermediate cmd.exe (PID 2704), not to the dropper, and that this key is also read by plenty of legitimate software, so on its own it is a low-signal indicator.
Processes:
| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation | cmd.exe |
Drops startup file (2 IoCs)
Processes:
| description | ioc | process |
|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe | Tax Payment Challan.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe | Tax Payment Challan.exe |
Drops file in Windows directory (1 IoC)
Processes:
| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe |
This IoC is attributed to mspaint.exe, the viewer launched to display the decoy bitmap. wiatrace.log is the Windows Image Acquisition trace log that Paint touches when it loads its scanner/camera support, so the entry is a by-product of the decoy rather than activity of the dropped payload.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but that is a generic heuristic: no file encryption, ransom note or mass file modification appears anywhere in this report, and Kutaki is known as a keylogger/stealer family, so the label should not be taken at face value.
Modifies registry class (1 IoC)
Processes:
| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings | cmd.exe |
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
| pid | process |
|---|---|
| 4080 | mspaint.exe |
| 4080 | mspaint.exe |
Both hits come from mspaint.exe, the viewer opened for the decoy image, not from the dropper or from the dropped ch.exe.
Suspicious use of SetWindowsHookEx (10 IoCs)
Processes:
| pid | process |
|---|---|
| 1412 | Tax Payment Challan.exe |
| 1412 | Tax Payment Challan.exe |
| 1412 | Tax Payment Challan.exe |
| 4080 | mspaint.exe |
| 4332 | ch.exe |
| 4080 | mspaint.exe |
| 4080 | mspaint.exe |
| 4080 | mspaint.exe |
| 4332 | ch.exe |
| 4332 | ch.exe |
Both the dropper (1412) and the dropped ch.exe (4332) install window hooks; for a keylogger family this is the usual way of capturing keystrokes, although the report does not show which hook type was requested. The mspaint.exe hits are ordinary GUI-application behaviour.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
| description | pid | process | target process |
|---|---|---|---|
| PID 1412 wrote to memory of 2704 | 1412 | Tax Payment Challan.exe | cmd.exe |
| PID 1412 wrote to memory of 2704 | 1412 | Tax Payment Challan.exe | cmd.exe |
| PID 1412 wrote to memory of 2704 | 1412 | Tax Payment Challan.exe | cmd.exe |
| PID 2704 wrote to memory of 4080 | 2704 | cmd.exe | mspaint.exe |
| PID 2704 wrote to memory of 4080 | 2704 | cmd.exe | mspaint.exe |
| PID 2704 wrote to memory of 4080 | 2704 | cmd.exe | mspaint.exe |
| PID 1412 wrote to memory of 4332 | 1412 | Tax Payment Challan.exe | ch.exe |
| PID 1412 wrote to memory of 4332 | 1412 | Tax Payment Challan.exe | ch.exe |
| PID 1412 wrote to memory of 4332 | 1412 | Tax Payment Challan.exe | ch.exe |
Every writer/target pair here is a parent/child pair from the process tree below, which is the pattern the sandbox records for ordinary process creation; there is no write into an unrelated, already-running process in this report.
Processes

C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe"
  PID: 1412
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
      PID: 2704
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\mspaint.exe
          Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
          PID: 4080
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe"
      PID: 4332
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
  PID: 4056

Reading the tree: the dropper is a 32-bit binary (its children are started from SysWOW64 through file-system redirection). It runs cmd.exe /c on a bitmap it placed in %TEMP%; the shell resolves the .bmp file association and opens mspaint.exe, so the victim sees an image. Meanwhile the copy written to the Startup folder, ch.exe, is started as a second child of the dropper and will run again at every logon of this user. The svchost.exe entry is an unrelated background service with no signatures attached.
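To show how the signatures and the process tree above translate into detection logic, here is an added example that is not part of the sandbox report or of any vendor's tooling. It replays constructed Sysmon-style events mirroring this report (Startup-folder drop by a process running from %TEMP%, cmd.exe reading the Geo\Nation key, a shell-launched decoy .bmp, and the sample's hash and URL IoCs) through a small rule set. The Event fields, rule names and severity labels are assumptions made for the example; the hashes and URL are copied from the report.

```python
"""Detection logic for the behaviours listed in this report, run over
constructed Sysmon-style events.  Added example, not part of the sandbox
report; Event fields, rule names and severities are assumptions.
The hash and URL IoCs are copied from the report above."""
import re
from dataclasses import dataclass, field

# IoCs from the report (sample hashes and the extracted Kutaki URL).
KUTAKI_HASHES = {
    "md5": "d25f259e5943e02244d5a6fb3cc9b778",
    "sha1": "ae4c93a5264acdf26a11cd9165f7382afceedb50",
    "sha256": "4b0f2eb3c83c7a8f9bf0f945feeadad30cb7e5432f6c66fe7d6b921925ce142a",
}
KUTAKI_URL = "http://newloshree.xyz/work/kenny3.php"

# Path patterns behind the report's signatures (case-insensitive; '\\' is one backslash).
STARTUP_DIR = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
GEO_NATION = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)
# "cmd.exe /c <document>": the shell opens the file with its associated viewer,
# which is how the decoy bitmap ends up in mspaint.exe in the process tree.
DECOY_LAUNCH = re.compile(
    r'^cmd(\.exe)?\s+/c\s+"?([^"]+\.(bmp|jpe?g|png|gif|pdf|docx?))"?\s*$', re.I)


@dataclass
class Event:
    """One telemetry record; kind is 'process', 'file', 'registry' or 'network'."""
    kind: str
    pid: int
    image: str                 # image path of the acting process
    cmdline: str = ""          # process events only
    target: str = ""           # file path, registry key or URL touched
    hashes: dict = field(default_factory=dict)   # process events only


def detect(events):
    """Return (severity, rule, pid, detail) tuples, in event order."""
    findings = []
    for e in events:
        if e.kind == "file" and STARTUP_DIR.search(e.target) and e.target.lower().endswith(".exe"):
            # An executable written to the Startup folder is persistence; it is
            # worse when the writer itself runs from %TEMP%, as the dropper does here.
            sev = "high" if TEMP_DIR.search(e.image) else "medium"
            findings.append((sev, "startup_persistence", e.pid, e.target))
        if e.kind == "registry" and GEO_NATION.search(e.target):
            # Low on its own: many legitimate programs read the configured country.
            findings.append(("low", "geofence_check", e.pid, e.target))
        if e.kind == "process" and DECOY_LAUNCH.match(e.cmdline):
            findings.append(("medium", "decoy_document_launch", e.pid, e.cmdline))
        if e.kind == "process" and any(e.hashes.get(k) == v for k, v in KUTAKI_HASHES.items()):
            findings.append(("high", "known_kutaki_hash", e.pid, e.image))
        if e.kind == "network" and e.target.lower() == KUTAKI_URL:
            findings.append(("high", "kutaki_url_contact", e.pid, e.target))
    return findings


# Constructed events mirroring the process tree above, plus one benign control.
SAMPLE_EVENTS = [
    Event("process", 1412, r"C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe",
          cmdline=r'"C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe"',
          hashes={"sha256": KUTAKI_HASHES["sha256"]}),
    Event("file", 1412, r"C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe",
          target=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ch.exe"),
    Event("process", 2704, r"C:\Windows\SysWOW64\cmd.exe",
          cmdline=r"cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"),
    Event("registry", 2704, r"C:\Windows\SysWOW64\cmd.exe",
          target=r"\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation"),
    Event("process", 4080, r"C:\Windows\SysWOW64\mspaint.exe",
          cmdline=r'"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"'),
    # Benign control: a user-made shortcut in Startup, written by explorer.exe (not flagged).
    Event("file", 900, r"C:\Windows\explorer.exe",
          target=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"),
]


if __name__ == "__main__":
    for sev, rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{sev:6}] {rule:24} pid={pid} {detail}")
```

On the constructed input this yields four findings (hash match, Startup persistence, decoy launch, geofence read) and nothing for the mspaint.exe process or the benign .lnk. To use it on real telemetry, map Sysmon event IDs 1 (process), 11 (file create), 12/13 (registry) and 22/3 (network) onto the Event fields; the geofence rule is deliberately low severity and is only interesting when it co-occurs with the Startup drop from the same process chain.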
Downloads
- Filesize: 768KB
- MD5: d25f259e5943e02244d5a6fb3cc9b778
- SHA1: ae4c93a5264acdf26a11cd9165f7382afceedb50
- SHA256: 4b0f2eb3c83c7a8f9bf0f945feeadad30cb7e5432f6c66fe7d6b921925ce142a
- SHA512: 8363351c576a8be88a02408ebcfc60a6c5abc0db402cd12b349c80b787bb3fd9bc2ab6206c3a7293ff187b61d0da2cdf6100020836c8a590a2181689c72fd019