kutaki | hxxp://adityanskinclinic[.]com/Tax%20Payment%20Challan[.]zip

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2023 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://adityanskinclinic.com/Tax%20Payment%20Challan.zip

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://newbosslink.xyz/baba/new4.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfbjuyfk.exe	family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfbjuyfk.exe	family_kutaki

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation cmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 2 IoCs

Processes:

Tax Payment Challan.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfbjuyfk.exe	Tax Payment Challan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfbjuyfk.exe	Tax Payment Challan.exe

Executes dropped EXE 1 IoCs

Processes:

rfbjuyfk.exe

pid process

3304 rfbjuyfk.exe
Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3304	rfbjuyfk.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Taskmgr.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Taskmgr.exe

Modifies registry class 3 IoCs

Processes:

firefox.execmd.exeTaskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	Taskmgr.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\Tax Payment Challan.zip:Zone.Identifier firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Tax Payment Challan.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

mspaint.exeTaskmgr.exe

pid	process
4224	mspaint.exe
4224	mspaint.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Taskmgr.exe

pid process

5692 Taskmgr.exe

pid	process
5692	Taskmgr.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

firefox.exeTaskmgr.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1280	firefox.exe
Token: SeDebugPrivilege	1280	firefox.exe
Token: SeDebugPrivilege	1280	firefox.exe
Token: SeDebugPrivilege	5692	Taskmgr.exe
Token: SeSystemProfilePrivilege	5692	Taskmgr.exe
Token: SeCreateGlobalPrivilege	5692	Taskmgr.exe
Token: SeSecurityPrivilege	5692	Taskmgr.exe
Token: SeTakeOwnershipPrivilege	5692	Taskmgr.exe
Token: SeBackupPrivilege	5492	svchost.exe
Token: SeRestorePrivilege	5492	svchost.exe
Token: SeSecurityPrivilege	5492	svchost.exe
Token: SeTakeOwnershipPrivilege	5492	svchost.exe
Token: 35	5492	svchost.exe
Token: SeDebugPrivilege	1280	firefox.exe
Token: SeDebugPrivilege	1280	firefox.exe
Token: SeDebugPrivilege	1280	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exemspaint.exeTaskmgr.exe

pid	process
1280	firefox.exe
1280	firefox.exe
1280	firefox.exe
1280	firefox.exe
4224	mspaint.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exeTaskmgr.exe

pid	process
1280	firefox.exe
1280	firefox.exe
1280	firefox.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe
5692	Taskmgr.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

firefox.exeTax Payment Challan.exerfbjuyfk.exemspaint.exe

pid	process
1280	firefox.exe
1280	firefox.exe
1280	firefox.exe
1280	firefox.exe
1280	firefox.exe
1280	firefox.exe
1280	firefox.exe
1216	Tax Payment Challan.exe
1216	Tax Payment Challan.exe
1216	Tax Payment Challan.exe
3304	rfbjuyfk.exe
3304	rfbjuyfk.exe
3304	rfbjuyfk.exe
4224	mspaint.exe
4224	mspaint.exe
4224	mspaint.exe
4224	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 5016 wrote to memory of 1280	5016	firefox.exe	firefox.exe
PID 5016 wrote to memory of 1280	5016	firefox.exe	firefox.exe
PID 5016 wrote to memory of 1280	5016	firefox.exe	firefox.exe
PID 5016 wrote to memory of 1280	5016	firefox.exe	firefox.exe
PID 5016 wrote to memory of 1280	5016	firefox.exe	firefox.exe
PID 5016 wrote to memory of 1280	5016	firefox.exe	firefox.exe
PID 5016 wrote to memory of 1280	5016	firefox.exe	firefox.exe
PID 5016 wrote to memory of 1280	5016	firefox.exe	firefox.exe
PID 5016 wrote to memory of 1280	5016	firefox.exe	firefox.exe
PID 5016 wrote to memory of 1280	5016	firefox.exe	firefox.exe
PID 5016 wrote to memory of 1280	5016	firefox.exe	firefox.exe
PID 1280 wrote to memory of 4876	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 4876	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 1744	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 4232	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 4232	1280	firefox.exe	firefox.exe
PID 1280 wrote to memory of 4232	1280	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://adityanskinclinic.com/Tax%20Payment%20Challan.zip
1⤵
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" http://adityanskinclinic.com/Tax%20Payment%20Challan.zip
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1280.0.170580312\859969258" -parentBuildID 20221007134813 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d6a7ec8-05bf-4215-9def-4ff28cb20b29} 1280 "\\.\pipe\gecko-crash-server-pipe.1280" 1936 19a24f0a858 gpu
    3⤵
    PID:4876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1280.1.1255717144\2131140552" -parentBuildID 20221007134813 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d0f716e-0c8e-41a3-b847-dec220034abe} 1280 "\\.\pipe\gecko-crash-server-pipe.1280" 2444 19a16f6fe58 socket
    3⤵
    PID:1744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1280.2.498795284\58363206" -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 2904 -prefsLen 21789 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {faf44336-e80a-4ba9-b698-448dadf248b3} 1280 "\\.\pipe\gecko-crash-server-pipe.1280" 3132 19a23e90a58 tab
    3⤵
    PID:4232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1280.3.2045272049\569981856" -childID 2 -isForBrowser -prefsHandle 4028 -prefMapHandle 4024 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4be3695b-0629-4b0d-b1f4-fd5f0a955b0d} 1280 "\\.\pipe\gecko-crash-server-pipe.1280" 4040 19a29407058 tab
    3⤵
    PID:392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1280.4.1333435766\1483911379" -childID 3 -isForBrowser -prefsHandle 4804 -prefMapHandle 4796 -prefsLen 26793 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d852f85a-a00d-4296-a659-7ecee56be642} 1280 "\\.\pipe\gecko-crash-server-pipe.1280" 4632 19a2a3e0858 tab
    3⤵
    PID:2272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1280.5.684997066\1860880065" -childID 4 -isForBrowser -prefsHandle 5160 -prefMapHandle 5156 -prefsLen 26793 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a26d37c-00e0-4975-a4cb-162a3ad4b015} 1280 "\\.\pipe\gecko-crash-server-pipe.1280" 5172 19a2a3de458 tab
    3⤵
    PID:4400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1280.6.148692944\1866146369" -childID 5 -isForBrowser -prefsHandle 5340 -prefMapHandle 5336 -prefsLen 26793 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2fd7bc9-5952-4f1e-bdc1-eeb6c1ea6948} 1280 "\\.\pipe\gecko-crash-server-pipe.1280" 5360 19a2a3df058 tab
    3⤵
    PID:4040

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\Tax Payment Challan.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Tax Payment Challan.zip\Tax Payment Challan.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:1216
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapimage.bmp
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:3312
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapimage.bmp"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:4224
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfbjuyfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfbjuyfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:3912

C:\Windows\system32\launchtm.exe
launchtm.exe /2
1⤵
PID:5644
- C:\Windows\System32\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe" /2
  2⤵
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\activity-stream.discovery_stream.json.tmp

Filesize
155KB

MD5
5edc8ed18593682c234eb9b7112328fd

SHA1
100a65dd79a3b7c41197c740ec8484c19b197169

SHA256
c57bfbadeed3cd72183a164b3110f8e0149192ce3ff324f62597098026d77953

SHA512
4268ecd5dad6629b1f08b023354fb0a336800160eaaa6c667777a5eb8c36c7c7e8f2a470043873cf42df0d18d56dc3da36d2a156e8bf258feeef42cc47cdc5ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfbjuyfk.exe

Filesize
501KB

MD5
75ba34d3cf722b48c29b199ec232a706

SHA1
50a9f62b941c7511e83051cf04f45a99216e16b7

SHA256
4fb861867bfc9838550f099d4be6992347f9a192ee9268e8cd869c836f09fec6

SHA512
e420156a5ddebdae77265a235f0d351e56cb5d4da24024f24e1dc6811b8c75e0ee7d1b39bc25a114169b02e9de165df82fac92a9ff0bfb61d4d31c51f72d3a16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfbjuyfk.exe

Filesize
501KB

MD5
75ba34d3cf722b48c29b199ec232a706

SHA1
50a9f62b941c7511e83051cf04f45a99216e16b7

SHA256
4fb861867bfc9838550f099d4be6992347f9a192ee9268e8cd869c836f09fec6

SHA512
e420156a5ddebdae77265a235f0d351e56cb5d4da24024f24e1dc6811b8c75e0ee7d1b39bc25a114169b02e9de165df82fac92a9ff0bfb61d4d31c51f72d3a16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
6KB

MD5
0943e7811c41a8ac0ab07b496f8326e6

SHA1
7cd0a4d547a0e8d0c31fe1492024efde467746d9

SHA256
71d7cf2bb8c35e7ed5cfb94d4fad188fb4434ecc8c4edfaa246687f07bc06a5c

SHA512
7bd74d9fee0f189a070ea71745a5c040b81ac4f13f16c139333e631425ff1c2452d7357747b2045f63a1a8213ea12b7228e610ace3c881c3d8b934e55badc4b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
6KB

MD5
42836ef6af350b58aebd7e6608ad703e

SHA1
0ba31762d7c29732d5b9e2384a8758fd207acc61

SHA256
0b4a43454065ea48b5ecb531ca0f0884b439d3d0593956bb1f9f484481c638a5

SHA512
304127bdb3805e821be4fc1f2d41d808bd33eec0be0ffdcfc26dba77bfc4185fd56e6c29a67b857a62db9526c7cd6a75b9f4863dde5e4e43431affef770b13e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
7KB

MD5
ed7db2dd44ca045dd768e79bda24e8cb

SHA1
63091efa77e6888d7e0848e12130f1b591ab46c3

SHA256
fb43fbd3ab9ad179e83eb4cdb6eb4418825aa6c69e0cd9c404273a9286810ce6

SHA512
f02c72712c4e9fa7a29758bfeb73130081af46a314ad329a44a83cde9714b18a2ebc11a98055859e7325fcbc6351f40c25dc50713f4282d6bdae421e52721615

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
7KB

MD5
7dfd1e0b1e7b93eb1c59b5461c43255b

SHA1
c0d91fbb4548025a9bd5bec10ba6c548661d1a41

SHA256
7832f259ebfe121bc68c53532a980fff1e71a319b5b0424b082f67293940ce2b

SHA512
ec354cff4b7d6b7e4aecd2520eed495fd8d9b0fffec221bd07fcbb6612a406894cab76e5790fb07ba6bfeca8b49cb22e3013fe9a8b9caf439d58b9ff92aef3a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs.js

Filesize
6KB

MD5
feb8a52858c8167a58f36caa1b37f116

SHA1
7ae7f9d2721ae3c579f9e18e4fea679e8c848158

SHA256
adbc4c7b5e775c3d401ae811d5be5a69b844f5937e3d0a416d374dd5a7ec227a

SHA512
109d42ec5b9744b3561d29a9cabdcf2ffb81233935fa5c2d80c39f27b92ae55366c3c51ae3d26cc1a8936635662acbd11af89e54efac374aceaa279f13e7dc16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
14c9c0f2b70c7953add1a9cf41ac0b48

SHA1
92150a40c9bf197da17501dfb2a3d4d3e69018c2

SHA256
f1ecec8eae0411be55f154aba2dd7864f7cc46561a727f5a785902304f8103cd

SHA512
3de4ec2755823a351a00a5e566aa649da1cc93f391dcd57830a6e3f0902164b1293f5ac70c80e419beeee84352701ba6bc996bc197597128d1882ec39a081972

Download Submit
C:\Users\Admin\Downloads\Tax Payment Challan.5MUxvd5X.zip.part

Filesize
13KB

MD5
bc4271b3519e49ebe90a2a110edb76e2

SHA1
b5892fd90755062d095c1a05a5234d49b041a235

SHA256
8d5312476e5c9e589ab9d02699689f394cd13845adffb088c4059bb5f710372a

SHA512
08d20e251054814a28095cde564e3741a7fa261afdd2833db7f89e07e457336614ee6dc58d63bb823345394a7c71c8959776b4eee10cc43bdaaa3b811a10cc3c

Download Submit
memory/5692-410-0x000002C9393A0000-0x000002C9393A1000-memory.dmp

Filesize
4KB

Download
memory/5692-418-0x000002C9393A0000-0x000002C9393A1000-memory.dmp

Filesize
4KB

Download
memory/5692-419-0x000002C9393A0000-0x000002C9393A1000-memory.dmp

Filesize
4KB

Download
memory/5692-420-0x000002C9393A0000-0x000002C9393A1000-memory.dmp

Filesize
4KB

Download
memory/5692-421-0x000002C9393A0000-0x000002C9393A1000-memory.dmp

Filesize
4KB

Download
memory/5692-423-0x000002C9393A0000-0x000002C9393A1000-memory.dmp

Filesize
4KB

Download
memory/5692-424-0x000002C9393A0000-0x000002C9393A1000-memory.dmp

Filesize
4KB

Download
memory/5692-422-0x000002C9393A0000-0x000002C9393A1000-memory.dmp

Filesize
4KB

Download
memory/5692-411-0x000002C9393A0000-0x000002C9393A1000-memory.dmp

Filesize
4KB

Download
memory/5692-512-0x000002C936D00000-0x000002C936EA9000-memory.dmp

Filesize
1.7MB

Download
memory/5692-409-0x000002C9393A0000-0x000002C9393A1000-memory.dmp

Filesize
4KB

Download
memory/5692-1190-0x000002C93A140000-0x000002C93A150000-memory.dmp

Filesize
64KB

Download
memory/5692-1196-0x000002C93A1A0000-0x000002C93A1B0000-memory.dmp

Filesize
64KB

Download