kutaki | hxxps://kahkecioglu[.]com/assets/images/INCOME_TAX_CHALLAN[.]zip

Analysis

max time kernel
358s
max time network
356s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27-03-2023 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://kahkecioglu.com/assets/images/INCOME_TAX_CHALLAN.zip

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://waaatlink.xyz/hello/son.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qnuusafk.exe	INCOME_TAX_CHALLAN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qnuusafk.exe	INCOME_TAX_CHALLAN.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qnuusafk.exe	INCOME_TAX_CHALLAN.exe

Executes dropped EXE 3 IoCs

pid	Process
1260	INCOME_TAX_CHALLAN.exe
4452	qnuusafk.exe
1976	INCOME_TAX_CHALLAN.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3096	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133243788649478520"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2788	chrome.exe
2788	chrome.exe
4284	chrome.exe
4284	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeRestorePrivilege	1760	7zG.exe
Token: 35	1760	7zG.exe
Token: SeSecurityPrivilege	1760	7zG.exe
Token: SeSecurityPrivilege	1760	7zG.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
1760	7zG.exe
2788	chrome.exe
2788	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1260	INCOME_TAX_CHALLAN.exe
1260	INCOME_TAX_CHALLAN.exe
1260	INCOME_TAX_CHALLAN.exe
4452	qnuusafk.exe
4452	qnuusafk.exe
4452	qnuusafk.exe
1976	INCOME_TAX_CHALLAN.exe
1976	INCOME_TAX_CHALLAN.exe
1976	INCOME_TAX_CHALLAN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2548	2788	chrome.exe	66
PID 2788 wrote to memory of 2548	2788	chrome.exe	66
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 4708	2788	chrome.exe	69
PID 2788 wrote to memory of 5020	2788	chrome.exe	68
PID 2788 wrote to memory of 5020	2788	chrome.exe	68
PID 2788 wrote to memory of 4628	2788	chrome.exe	70
PID 2788 wrote to memory of 4628	2788	chrome.exe	70
PID 2788 wrote to memory of 4628	2788	chrome.exe	70
PID 2788 wrote to memory of 4628	2788	chrome.exe	70
PID 2788 wrote to memory of 4628	2788	chrome.exe	70
PID 2788 wrote to memory of 4628	2788	chrome.exe	70
PID 2788 wrote to memory of 4628	2788	chrome.exe	70
PID 2788 wrote to memory of 4628	2788	chrome.exe	70
PID 2788 wrote to memory of 4628	2788	chrome.exe	70
PID 2788 wrote to memory of 4628	2788	chrome.exe	70
PID 2788 wrote to memory of 4628	2788	chrome.exe	70
PID 2788 wrote to memory of 4628	2788	chrome.exe	70
PID 2788 wrote to memory of 4628	2788	chrome.exe	70
PID 2788 wrote to memory of 4628	2788	chrome.exe	70
PID 2788 wrote to memory of 4628	2788	chrome.exe	70
PID 2788 wrote to memory of 4628	2788	chrome.exe	70
PID 2788 wrote to memory of 4628	2788	chrome.exe	70
PID 2788 wrote to memory of 4628	2788	chrome.exe	70
PID 2788 wrote to memory of 4628	2788	chrome.exe	70
PID 2788 wrote to memory of 4628	2788	chrome.exe	70
PID 2788 wrote to memory of 4628	2788	chrome.exe	70
PID 2788 wrote to memory of 4628	2788	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://kahkecioglu.com/assets/images/INCOME_TAX_CHALLAN.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd73189758,0x7ffd73189768,0x7ffd73189778
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1840 --field-trial-handle=1800,i,7253204304137546527,9738664061154808391,131072 /prefetch:8
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1800,i,7253204304137546527,9738664061154808391,131072 /prefetch:2
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1828 --field-trial-handle=1800,i,7253204304137546527,9738664061154808391,131072 /prefetch:8
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1800,i,7253204304137546527,9738664061154808391,131072 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1800,i,7253204304137546527,9738664061154808391,131072 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1800,i,7253204304137546527,9738664061154808391,131072 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 --field-trial-handle=1800,i,7253204304137546527,9738664061154808391,131072 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1800,i,7253204304137546527,9738664061154808391,131072 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5416 --field-trial-handle=1800,i,7253204304137546527,9738664061154808391,131072 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2368 --field-trial-handle=1800,i,7253204304137546527,9738664061154808391,131072 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2412 --field-trial-handle=1800,i,7253204304137546527,9738664061154808391,131072 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5688 --field-trial-handle=1800,i,7253204304137546527,9738664061154808391,131072 /prefetch:8
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5804 --field-trial-handle=1800,i,7253204304137546527,9738664061154808391,131072 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5848 --field-trial-handle=1800,i,7253204304137546527,9738664061154808391,131072 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4336 --field-trial-handle=1800,i,7253204304137546527,9738664061154808391,131072 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5996 --field-trial-handle=1800,i,7253204304137546527,9738664061154808391,131072 /prefetch:8
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5492 --field-trial-handle=1800,i,7253204304137546527,9738664061154808391,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4284

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3700

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5048

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\INCOME_TAX_CHALLAN\" -spe -an -ai#7zMap20063:98:7zEvent958
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1760

C:\Users\Admin\Downloads\INCOME_TAX_CHALLAN\INCOME_TAX_CHALLAN.exe
"C:\Users\Admin\Downloads\INCOME_TAX_CHALLAN\INCOME_TAX_CHALLAN.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1260
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:3660
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qnuusafk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qnuusafk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4452

C:\Users\Admin\Downloads\INCOME_TAX_CHALLAN\INCOME_TAX_CHALLAN.exe
"C:\Users\Admin\Downloads\INCOME_TAX_CHALLAN\INCOME_TAX_CHALLAN.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:5104
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im qnuusafk.exe /f
  2⤵
  - Kills process with taskkill
  PID:3096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
162KB

MD5
4043af37a3392a9db521ff9ab62d9608

SHA1
83828688e7a2259ed2f77345851a16122383b422

SHA256
ee076822f35390ee382cda71759a2eec8f4db2bc18e4e3acd586173c29dab321

SHA512
97a9d37ec02796cbca922559f384e1632c249d9955022578c14e046f2bfd9f84db113cf55899cfcf63fd318fbee050f483d04ae3156220ff2f0d364f989e680a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
ff7e1ac347b67c47e8c4f6500a6a2c02

SHA1
8d34d470a9710bad7f273970a04d8b531ea112d6

SHA256
120be09d7b746f054edfe16a65234d4d312f926ae1d334020d33fa4a54b3dbd1

SHA512
4a099ed4bcc3501f3efdc1ed42554deaddc67d21f1ad675fd5409ba46c4e4e20c28f1521e923e66fd9c0b508f010d714ad2e90fbfc4e73b547a928b4db80c62f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
3d18bfc3ddc1d366c345841bfc0a26d7

SHA1
84f8f77a58cb67c00b25bd2814f1e8bc88a992aa

SHA256
5bff5267311c508abf0c8ec2b01f3e3193fa415692c0cb96a00a7d9fb95e6648

SHA512
751a86a0f214da11af2dd67f764097fe7b31c1b55cb2401927264951d576cf2ee37535425e0d23bf5764a7d16feea114c6de65b9dd0eb3a31394c07874db9508

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c142e9377a63e75e322229609b38af36

SHA1
b264cadd4ba55513894dbcad679b0c14d28999a5

SHA256
0f19ded920fad63b893a45fdaaa6bf05543dea770e28dc55940c00e8c34f7fd2

SHA512
3a0bf4e5a0496deefdd5965407a89db29c2c616a6a44e24d48164a9c734c63d3e5a5eaeef0e9d86eefb9fe20944eaa234594dd80c4b0dee59c7756ae4b623f44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
cb0bb2bab839397401d9d711645a3e31

SHA1
7d4defb5a9b61ff4d9a9fc66e0fef29adce875e0

SHA256
40f3a3ce8e2814d24fac1716c769bbafe91eef42c840220199d123658c6f62bc

SHA512
8c2d8a52d10361b9da06505876d7d308aaaa2706938fd35bc02f79775985a52a60962fa1cf6aca256c01cd91b2d527acff95fa89e5c17366a7879476561303cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3b8ece2e6beec9675620ec6f0b0a31ec

SHA1
bf887c12906d7763ce65f324a4d61a04989b3377

SHA256
8dea1e7c1604723e291af09904c14a1e626b452a113229b0aa478b1f57a5a28f

SHA512
c9e8a8b88bef970d5b86a2f445e79d2063c550fab437431721f6bd6a142f4632260536d59df1bf2687bc0ecc94f8fa2c81d2181e964eeb4e5c64f526bc320989

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
536B

MD5
a5fff71310d2292ce785de3e9b74f5e6

SHA1
0b967d521e138b9acee6532511db94bd6fc098ef

SHA256
c2d16b895da2d85082ae15db01e72a56aea9d2fa0c8a766c03ec697724204146

SHA512
d960cc3dc0572fb26791383a8106dee8b6f7ae0f4ae0f08bfe2c02b092d97153d35f6f5bea629ffcd948598d58551287830269b83930bfd9c44a879d2f155283

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8d20e92b0c61b1b6343c212466192e7d

SHA1
8bc272b606efa72f576b67579c47f23e13deb4d9

SHA256
3ce71feb711d3bd0c74ef8f4a550a9bf7162d37935acda44466623d7ad15539d

SHA512
74f5cc9cd31a6447f5d65f56c313dd80d89032eb17022ceaa448792eb8a2dbec951fc2e28c949ff647987149bd3a2b260e77cdb26524a6b4a8a15dc2de2366d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
97b8fbd362c86c45a57f956ee0a6cf94

SHA1
06cb3a0483470051b7d5986eacc358795b6896dc

SHA256
89eb8f332d3300599af0bea80d83527497e22298e8c997c80ea49288b435969e

SHA512
30ceef622f7a62e9c8a1cc51e2c46216ed9ceb3c0acdbec2f70d97f1afcf466ec09176b1064332e32cce269d788db9824185221955f090d7ddae770e791415c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6fc523aa55bb5f882e6f119098ac1845

SHA1
d34cc083826dd8c30f15ade6343126435bca86ae

SHA256
01dc873d5fea8d440508e2ca4865ba05270c62f5dbe19cd46373a123c21f8eec

SHA512
dc841cbffde04df3c694f41ed3e24b73fd51b4dc8fb62c1f221892efaddf9e3a7b93d2dcbc357c83b40087ca1aef1c7d9773bb9d92ce755435b22ea021cb7055

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0e27612aa9a2e8382d40cd83ae02006d

SHA1
569424de83874e52aecbe11633176085edd5182c

SHA256
3f3b59a30f62010538bfdccde2f94b681fe2a69c74cdb7e3d4b97fa6e14161a3

SHA512
bca55cbf7f1637a8d8d9211f5b4366155952a80ee6196371f1c049a48393530d37ff971f9b3254dcdf39a381f64584f31f34fc8ed82778b3c54a0701cd5742a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
04a900d7494a31b40c0edd1325888483

SHA1
8efe8cd32b8ea4eea7158cf55e1d25c327addfda

SHA256
a84bccc053358184598c959997014e17588395955612791263a81e78b0d898d2

SHA512
0e25127bcb91be94826e179fe4af52b489ce4552aea63a8e1972a660899d76a83401323768d91ffd4cabc422f2badf886c21c86030a8ea9c178ffa6847260b4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
1358b2b7439c78f4c9d6170b9ebcfd3a

SHA1
972a164e209aaf2789a38c2e106a4e966d58d325

SHA256
0a49d4e3366c14e770bf0a13c827bb4dc328fdde85a982e022b487f9aefebc58

SHA512
aab7841d7179e86cc1ba943f442dee7df6df6b2bd377d2334dc96dc30d86a88bede958bb9af434eff0d0a644371e0bd86ad9430ed64f66f538c1e99170322576

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe582277.TMP

Filesize
48B

MD5
c1bdb3bc556b930e5f39f56e329706aa

SHA1
5e971ba25a36e0ae8ad91309ea66637867d4b683

SHA256
193edd182419133c2ed3aea0bdf893840addfdd4c8940b3884e5cd2a1739c304

SHA512
dc8de623efe8c2be1672f3143fe1afb0237d731af4367c7b963a57c3812d12e251963c4688e17ae8c59915731f0459a4b1c5ac489ed22b9836344865dee0219d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
4b75416c6c3118ac236200e495b6d279

SHA1
322ed8661de309341c4ab2017d35d87bdd876cea

SHA256
77ef80cae605db1569330a2897e6d3704b37d13c4bfebc0d6a5f0fb675c5191f

SHA512
0904a68047ecfa6f0b41ec8531faadc68a722f493b40ab0e058d4d0fe6b4b1f8e3e99d2c613df642e5e6f0807777569f21beec8562f21892e4310dfa025f2e6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
f79e87ab3ff2c4cb9723ef3db53bf37f

SHA1
a1fe4b588cbe88623d907a86b8fba466c86d5180

SHA256
8787cfd13df3ea18cfab11258df8a12fcf513890590d335662633d3e0df813d8

SHA512
cf22817b1f0af78a1c96b2bc012244a5465f1bbb2d5a105d0692aca4c1387bb2bc2f7f31de53341ff2e9ba9d7e5109cf17b06270b74a103a1903c348fe13fad4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
7fdcdc40a6e3ca694006db2f6d3ffa1e

SHA1
fa6d09bcc188f5eb1b44c6b63777009a21cde98c

SHA256
802616c477093d3a993290a1af166df66063ccdc6960c445d85eb0cbaf96346b

SHA512
bb8c5e831c327e8fab3af2faff061028df28fc7c7dd177cba4a3d44747f245e28c2e565964ae4d5edf62868e44350bae86ba057592777afcf4ff83c317368ac6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\480JMPRZ\NewErrorPageTemplate[2]

Filesize
1KB

MD5
dfeabde84792228093a5a270352395b6

SHA1
e41258c9576721025926326f76063c2305586f76

SHA256
77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

SHA512
e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\480JMPRZ\dnserrordiagoff[1]

Filesize
1KB

MD5
7e81a79f38695e467a49ee41dd24146d

SHA1
035e110c36bf3072525b05394f73d1ba54d0d316

SHA256
a705d1e0916a79b0d6e60c41a9ce301ed95b3fc00e927f940ab27061c208a536

SHA512
53c5f2f2b9ad8b555f9ae6644941cf2016108e803ea6ab2c7418e31e66874dea5a2bc04be0fa9766e7206617879520e730e9e3e0de136bae886c2e786082d622

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6CI3IN3W\errorPageStrings[2]

Filesize
4KB

MD5
d65ec06f21c379c87040b83cc1abac6b

SHA1
208d0a0bb775661758394be7e4afb18357e46c8b

SHA256
a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

SHA512
8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6RO0PN6W\httpErrorPagesScripts[1]

Filesize
11KB

MD5
9234071287e637f85d721463c488704c

SHA1
cca09b1e0fba38ba29d3972ed8dcecefdef8c152

SHA256
65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

SHA512
87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qnuusafk.exe

Filesize
3.2MB

MD5
fb8892f83ca114ba1dfde99282f3f3e4

SHA1
3816c65febbfa310cc345b894710e254814e5427

SHA256
ae2e58b0560f5140d3e0d34fda15eedacb70e694542cc7f242d5eaec9c48f27b

SHA512
e94692defb04e5fdf1b9c4e03d70983458f510ce91c31914e83f1476db371c7957668623ee76333953022cd95af55a954fdab4773ad72f1e5ebd34eff49fb7ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qnuusafk.exe

Filesize
3.2MB

MD5
fb8892f83ca114ba1dfde99282f3f3e4

SHA1
3816c65febbfa310cc345b894710e254814e5427

SHA256
ae2e58b0560f5140d3e0d34fda15eedacb70e694542cc7f242d5eaec9c48f27b

SHA512
e94692defb04e5fdf1b9c4e03d70983458f510ce91c31914e83f1476db371c7957668623ee76333953022cd95af55a954fdab4773ad72f1e5ebd34eff49fb7ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qnuusafk.exe

Filesize
3.2MB

MD5
fb8892f83ca114ba1dfde99282f3f3e4

SHA1
3816c65febbfa310cc345b894710e254814e5427

SHA256
ae2e58b0560f5140d3e0d34fda15eedacb70e694542cc7f242d5eaec9c48f27b

SHA512
e94692defb04e5fdf1b9c4e03d70983458f510ce91c31914e83f1476db371c7957668623ee76333953022cd95af55a954fdab4773ad72f1e5ebd34eff49fb7ad

Download Submit
C:\Users\Admin\Downloads\INCOME_TAX_CHALLAN.zip

Filesize
1.0MB

MD5
1909d054dc7db84c31d7db78c2709d5a

SHA1
be699c4f4c396ff75505ec15fd2e4c56c5ef4a1a

SHA256
2a4b29f18db664b341b5906f4b47afc88977144391040af21f76e79aae89fa6d

SHA512
b05bfc291c2e0419c47d171d5c7a6247b4532aadf3e7dcedab2a3c940532afeb4e4df1ab0112a02d8a3ccb98085138900f87a18a51ce3d9e226cf6369aca05c1

Download Submit
C:\Users\Admin\Downloads\INCOME_TAX_CHALLAN.zip.crdownload

Filesize
1.0MB

MD5
1909d054dc7db84c31d7db78c2709d5a

SHA1
be699c4f4c396ff75505ec15fd2e4c56c5ef4a1a

SHA256
2a4b29f18db664b341b5906f4b47afc88977144391040af21f76e79aae89fa6d

SHA512
b05bfc291c2e0419c47d171d5c7a6247b4532aadf3e7dcedab2a3c940532afeb4e4df1ab0112a02d8a3ccb98085138900f87a18a51ce3d9e226cf6369aca05c1

Download Submit
C:\Users\Admin\Downloads\INCOME_TAX_CHALLAN\INCOME_TAX_CHALLAN.exe

Filesize
3.2MB

MD5
fb8892f83ca114ba1dfde99282f3f3e4

SHA1
3816c65febbfa310cc345b894710e254814e5427

SHA256
ae2e58b0560f5140d3e0d34fda15eedacb70e694542cc7f242d5eaec9c48f27b

SHA512
e94692defb04e5fdf1b9c4e03d70983458f510ce91c31914e83f1476db371c7957668623ee76333953022cd95af55a954fdab4773ad72f1e5ebd34eff49fb7ad

Download Submit
C:\Users\Admin\Downloads\INCOME_TAX_CHALLAN\INCOME_TAX_CHALLAN.exe

Filesize
3.2MB

MD5
fb8892f83ca114ba1dfde99282f3f3e4

SHA1
3816c65febbfa310cc345b894710e254814e5427

SHA256
ae2e58b0560f5140d3e0d34fda15eedacb70e694542cc7f242d5eaec9c48f27b

SHA512
e94692defb04e5fdf1b9c4e03d70983458f510ce91c31914e83f1476db371c7957668623ee76333953022cd95af55a954fdab4773ad72f1e5ebd34eff49fb7ad

Download Submit
C:\Users\Admin\Downloads\INCOME_TAX_CHALLAN\INCOME_TAX_CHALLAN.exe

Filesize
3.2MB

MD5
fb8892f83ca114ba1dfde99282f3f3e4

SHA1
3816c65febbfa310cc345b894710e254814e5427

SHA256
ae2e58b0560f5140d3e0d34fda15eedacb70e694542cc7f242d5eaec9c48f27b

SHA512
e94692defb04e5fdf1b9c4e03d70983458f510ce91c31914e83f1476db371c7957668623ee76333953022cd95af55a954fdab4773ad72f1e5ebd34eff49fb7ad

Download Submit