Analysis
-
max time kernel
161s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
04/12/2022, 13:55
General
-
Target
Tax Payment Challan.exe
-
Size
603KB
-
MD5
1299315c3032491208ef04f8674aa5fa
-
SHA1
f320997f6f3479ef392be9f35e1f5b600f9f42f1
-
SHA256
11724aa717338d3fa58fc1c6d92cdf9b64ca986b0e2f6cde1a5d795d6277fc4c
-
SHA512
41025d5293d43d630c932d1b186c75c793cf9430222a90e02c719c2b5a436715c3298626ef1c1567f92a42e468f8abb5c053e44c38d339b1e75c5b329ed8474a
-
SSDEEP
6144:BHmz3+U3iFSMYN5Exf2o9LnIH8iN/wfGB4Dosj1E+6VVPviDlSOcwhxAwOhgYwj7:9rtZmXN4zJpGPqlSpwhm4s5bsGSCs5
Malware Config
Signatures
-
Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
-
Kutaki Executable 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe"C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe"1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe"2⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
603KB
MD51299315c3032491208ef04f8674aa5fa
SHA1f320997f6f3479ef392be9f35e1f5b600f9f42f1
SHA25611724aa717338d3fa58fc1c6d92cdf9b64ca986b0e2f6cde1a5d795d6277fc4c
SHA51241025d5293d43d630c932d1b186c75c793cf9430222a90e02c719c2b5a436715c3298626ef1c1567f92a42e468f8abb5c053e44c38d339b1e75c5b329ed8474a
-
Filesize
603KB
MD51299315c3032491208ef04f8674aa5fa
SHA1f320997f6f3479ef392be9f35e1f5b600f9f42f1
SHA25611724aa717338d3fa58fc1c6d92cdf9b64ca986b0e2f6cde1a5d795d6277fc4c
SHA51241025d5293d43d630c932d1b186c75c793cf9430222a90e02c719c2b5a436715c3298626ef1c1567f92a42e468f8abb5c053e44c38d339b1e75c5b329ed8474a