Analysis
max time kernel: 150s
max time network: 49s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 24-07-2022 02:20
Behavioral task: behavioral1
Sample: TDS Challan.exe
Resource: win7-20220715-en
General
Target: TDS Challan.exe
Size: 707KB
MD5: 2600b7e78f3a1d996294bcc27b309594
SHA1: a90f63310dca46b419cfcbe95d90e1517932d6d3
SHA256: 8b12a088323095e7307e40be4b3194cebd6756d9414d360e06e2015804ad6b58
SHA512: db6926d1cf359712dd7c77b48444f00d0f8ea776cdec752d604a68a3037eadbd38723f50ee655821eda51d21a528c00313e505575816c2ad659856fad886da7b
Malware Config
Signatures

Kutaki Executable 4 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe | family_kutaki
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe | family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe | family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe | family_kutaki

Executes dropped EXE 1 IoCs
Processes:
pid | process
2016 | hyuder.exe

Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe | TDS Challan.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe | TDS Challan.exe

Loads dropped DLL 2 IoCs
Processes:
pid | process
1820 | TDS Challan.exe
1820 | TDS Challan.exe

Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | hyuder.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | hyuder.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main | hyuder.exe

Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid | process
1820 | TDS Challan.exe
1820 | TDS Challan.exe
1820 | TDS Challan.exe
2016 | hyuder.exe
2016 | hyuder.exe
2016 | hyuder.exe

Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description | pid | process | target process
PID 1820 wrote to memory of 1792 | 1820 | TDS Challan.exe | cmd.exe
PID 1820 wrote to memory of 1792 | 1820 | TDS Challan.exe | cmd.exe
PID 1820 wrote to memory of 1792 | 1820 | TDS Challan.exe | cmd.exe
PID 1820 wrote to memory of 1792 | 1820 | TDS Challan.exe | cmd.exe
PID 1820 wrote to memory of 2016 | 1820 | TDS Challan.exe | hyuder.exe
PID 1820 wrote to memory of 2016 | 1820 | TDS Challan.exe | hyuder.exe
PID 1820 wrote to memory of 2016 | 1820 | TDS Challan.exe | hyuder.exe
PID 1820 wrote to memory of 2016 | 1820 | TDS Challan.exe | hyuder.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\TDS Challan.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TDS Challan.exe"
  PID: 1820
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
    PID: 1792
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe"
    PID: 2016
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 707KB
MD5: 2600b7e78f3a1d996294bcc27b309594
SHA1: a90f63310dca46b419cfcbe95d90e1517932d6d3
SHA256: 8b12a088323095e7307e40be4b3194cebd6756d9414d360e06e2015804ad6b58
SHA512: db6926d1cf359712dd7c77b48444f00d0f8ea776cdec752d604a68a3037eadbd38723f50ee655821eda51d21a528c00313e505575816c2ad659856fad886da7b