Analysis
max time kernel: 58s
max time network: 41s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 04/11/2022, 13:18
Behavioral task: behavioral1
Sample: IncomeTaxPaymentChallan.exe
Resource: win7-20220812-en
General
Target: IncomeTaxPaymentChallan.exe
Size: 737KB
MD5: 97f31e6d14a85c59b121126c5732d4d7
SHA1: 2e04c17a218c45552e3127fadb7eab45e138e83a
SHA256: 037a3742bb8812078421e1b8e822d1e358cb3fccaa3d3fc2cd67d99d303e958f
SHA512: a7bf2db806a27dffc82346ca03c503f567216692698f840cc16ba544d7c3c7edf590b2941c2a3c0b38424e48479de40859d2c60b7269e5764f25c277d49544cf
SSDEEP: 12288:/4y86ukvYbVYb3YM5YdTT6WYuazYB46A9jmP/uhu/yMS08CkntxYR3VOL:/Xdvb3YM5Nzy6fmP/UDMS08Ckn3H
Malware Config
Signatures

Kutaki Executable (3 IoCs)
  resource                                    yara_rule
  behavioral1/files/0x0007000000005c50-58.dat  family_kutaki
  behavioral1/files/0x0007000000005c50-59.dat  family_kutaki
  behavioral1/files/0x0007000000005c50-61.dat  family_kutaki

Executes dropped EXE (1 IoC)
  pid   Process
  1416  wixttffk.exe

Drops startup file (2 IoCs)
  description                   ioc                                                                                  Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wixttffk.exe  IncomeTaxPaymentChallan.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wixttffk.exe  IncomeTaxPaymentChallan.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1612  IncomeTaxPaymentChallan.exe
  1612  IncomeTaxPaymentChallan.exe

Suspicious use of SetWindowsHookEx (64 IoCs)
  pid   Process                       entries
  1612  IncomeTaxPaymentChallan.exe   3
  1416  wixttffk.exe                  61 (the remaining entries; the dropped copy accounts for nearly all hook installations)

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                       procid_target
  PID 1612 wrote to memory of 944   1612  IncomeTaxPaymentChallan.exe   27   (4 entries)
  PID 1612 wrote to memory of 1416  1612  IncomeTaxPaymentChallan.exe   29   (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\IncomeTaxPaymentChallan.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\IncomeTaxPaymentChallan.exe"
  PID: 1612
  signatures: Drops startup file; Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

  child: C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
    PID: 944

  child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wixttffk.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wixttffk.exe"
    PID: 1416
    signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
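The process tree and signatures above describe one chain: the sample writes an executable into the per-user Startup folder, launches that copy as its own child, writes into the memory of both children it spawns (cmd.exe and the Startup copy), and the Startup copy then installs window hooks via SetWindowsHookEx, the Win32 API used for keyboard and message hooks. The following is an added example, not part of the sandbox report, showing how a detection engineer would encode that chain as rules over a process/file event stream. The event stream is constructed by hand to mirror the report (same paths, PIDs and SHA256 as listed on this page); the Event schema, rule names and the analyze() function are this example's own assumptions, not a Triage or sandbox API.

```python
"""Detection rules for the behaviour chain in the report above.

The EVENTS list is a constructed stand-in for sandbox/EDR telemetry; it is
not output from the sandbox. PIDs, paths and hashes are copied from the page.
"""
from dataclasses import dataclass

# Per-user Startup folder suffix, compared case-insensitively.
STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup"

SAMPLE_SHA256 = "037a3742bb8812078421e1b8e822d1e358cb3fccaa3d3fc2cd67d99d303e958f"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\IncomeTaxPaymentChallan.exe"
STARTUP_COPY = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                r"\Start Menu\Programs\Startup\wixttffk.exe")


@dataclass
class Event:
    kind: str            # process_create | file_create | wpm | hook  (assumed schema)
    pid: int             # acting process
    target: str = ""     # file path written, or image path of the child created
    child_pid: int = 0   # child PID for process_create / target PID for wpm
    sha256: str = ""     # hash of the created file or launched image, if known


# Constructed event stream modelled on the report's process tree.
EVENTS = [
    Event("process_create", 0, DROPPER, 1612, SAMPLE_SHA256),
    Event("file_create", 1612, STARTUP_COPY, 0, SAMPLE_SHA256),   # Drops startup file
    Event("process_create", 1612, r"C:\Windows\SysWOW64\cmd.exe", 944),
    Event("wpm", 1612, child_pid=944),                             # WriteProcessMemory
    Event("process_create", 1612, STARTUP_COPY, 1416, SAMPLE_SHA256),  # Executes dropped EXE
    Event("wpm", 1612, child_pid=1416),
    Event("hook", 1416),                                           # SetWindowsHookEx
]


def analyze(events):
    """Return a sorted list of (rule, pid, detail) findings for the stream."""
    findings = set()
    image = {}     # pid -> (image path, sha256)
    parent = {}    # child pid -> parent pid
    dropped = {}   # lowercased Startup-folder path -> (writer pid, sha256)
    for e in events:
        if e.kind == "process_create":
            image[e.child_pid] = (e.target, e.sha256)
            parent[e.child_pid] = e.pid
            path = e.target.lower()
            if path in dropped:
                writer, sha = dropped[path]
                # The process that wrote the Startup file is the one launching it.
                if writer == e.pid:
                    findings.add(("startup_copy_launched_by_dropper", e.pid, str(e.child_pid)))
                # Dropped file hashes the same as the launcher's own image: a self-copy.
                if sha and sha == image.get(e.pid, ("", ""))[1]:
                    findings.add(("startup_copy_is_self_copy", e.pid, sha[:12]))
        elif e.kind == "file_create" and STARTUP_DIR in e.target.lower():
            dropped[e.target.lower()] = (e.pid, e.sha256)
            findings.add(("startup_folder_drop", e.pid, e.target))
        elif e.kind == "wpm" and parent.get(e.child_pid) == e.pid:
            # Parent writing into a child it just created (injection/hollowing pattern).
            findings.add(("writes_into_own_child", e.pid, str(e.child_pid)))
        elif e.kind == "hook":
            img = image.get(e.pid, ("", ""))[0]
            if STARTUP_DIR in img.lower():
                findings.add(("hook_from_startup_folder", e.pid, img))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:34s} pid={pid:<5d} {detail}")
```

Each rule is weak on its own (installers legitimately write Startup entries; debuggers call WriteProcessMemory on their children), so the value is in the conjunction: the same PID drops a self-copy into Startup, launches it, and the copy immediately installs hooks. Run against the constructed stream the function returns six findings, one per observed behaviour plus two for the memory writes into PIDs 944 and 1416.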
Network
MITRE ATT&CK Matrix
Downloads

Three dropped-file downloads are listed, all with identical hashes, which match the submitted sample exactly (the Startup-folder copy wixttffk.exe is therefore a byte-for-byte self-copy of IncomeTaxPaymentChallan.exe):

Filesize: 737KB
MD5: 97f31e6d14a85c59b121126c5732d4d7
SHA1: 2e04c17a218c45552e3127fadb7eab45e138e83a
SHA256: 037a3742bb8812078421e1b8e822d1e358cb3fccaa3d3fc2cd67d99d303e958f
SHA512: a7bf2db806a27dffc82346ca03c503f567216692698f840cc16ba544d7c3c7edf590b2941c2a3c0b38424e48479de40859d2c60b7269e5764f25c277d49544cf