Analysis

- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-02-2024 15:59

Behavioral task: behavioral1
- Sample: Tax Payment Challan.exe
- Resource: win7-20240221-en
General

- Target: Tax Payment Challan.exe
- Size: 617KB
- MD5: 9b719e21e56dfe22fe282fcd496d83c6
- SHA1: f0229d661757258893ca0f0b9daf21ac52d71364
- SHA256: 314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2
- SHA512: c969de50ba51747e457aed23a2f60a131e055d217c8e941ea03e0f51a2f441d4dc4f105ae78418f7be9bec326f7949ebabe174e9c50226c6ef8c59c57418750e
- SSDEEP: 12288:eFT8EyAFXYN1hP46A9jmP/uhu/yMS08CkntxYRmqL:uYlAFXqAfmP/UDMS08Ckn3A
Malware Config

Extracted
- Family: kutaki
- URL: http://linkwotowoto.club/new/two.php
Signatures

Kutaki Executable (1 IoC)

  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jsaekxfk.exe | family_kutaki

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing. Note that the query is attributed to the cmd.exe child, not to the sample itself, so on its own this is weak evidence of a geofence.

  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation | cmd.exe

Drops startup file (2 IoCs)
Writes an executable into the per-user Startup folder, which Explorer runs at every logon (persistence).

  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jsaekxfk.exe | Tax Payment Challan.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jsaekxfk.exe | Tax Payment Challan.exe

Executes dropped EXE (1 IoC)

  pid | process
  2316 | jsaekxfk.exe

Drops file in Windows directory (1 IoC)

  description | ioc | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)

  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings | cmd.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)

  pid | process | count
  4196 | mspaint.exe | 2

Suspicious use of SetWindowsHookEx (10 IoCs)
SetWindowsHookEx installs a Windows message hook; the report does not record the hook type. The calls from the sample and from its dropped copy are the ones of interest; mspaint.exe installs hooks as part of ordinary GUI operation.

  pid | process | count
  368 | Tax Payment Challan.exe | 3
  2316 | jsaekxfk.exe | 3
  4196 | mspaint.exe | 4

Suspicious use of WriteProcessMemory (9 IoCs)
Every write goes to a process the writer had just spawned (see the process tree), which is the pattern a plain CreateProcess produces; by itself this is not evidence of code injection.

  pid | process | target pid | target process | count
  368 | Tax Payment Challan.exe | 884 | cmd.exe | 3
  368 | Tax Payment Challan.exe | 2316 | jsaekxfk.exe | 3
  884 | cmd.exe | 4196 | mspaint.exe | 3
Processes

C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe (PID 368)
  "C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe"
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 884)
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\mspaint.exe (PID 4196)
          "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jsaekxfk.exe (PID 2316)
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jsaekxfk.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

Reading the tree: the sample runs cmd.exe /c on a .bmp, which hands the file to the default viewer (mspaint.exe), consistent with a decoy image shown to the victim, and in parallel launches its own copy from the Startup folder. The SysWOW64 paths of the cmd.exe and mspaint.exe children show the sample runs as a 32-bit (WoW64) process, which is why the "system32" path in mspaint's command line resolves to SysWOW64. The svchost.exe DeviceAssociationService entry has no parent in the sample's tree and is an unrelated system process captured in the same window.
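The signatures and process tree above describe four behaviours worth alerting on: an executable written to the per-user Startup folder, that same file then launched by the process that wrote it, a cmd.exe -> mspaint.exe decoy chain, and a read of the Geo\Nation locale key. The following Python is an added example, not part of this report or of any sandbox tooling, that implements those checks over a small constructed event stream. The event schema (process_create, file_create, registry_query) is a simplified stand-in for whatever an EDR or Sysmon emits; the PIDs, paths and SHA-256 are taken from the report, while the explorer.exe parent (PID 5000) and the benign OneNote.lnk row are assumed for illustration.

```python
"""Detection rules for the behaviours recorded in the Kutaki report, run over a
constructed event stream. Added example; not part of the sandbox report.

Simplified event schema (constructed; map onto your own telemetry):
  process_create : pid, ppid, image, cmdline
  file_create    : pid, image, target, sha256
  registry_query : pid, image, key
"""
import re

# Per-user Startup folder: any .exe written here runs at the next logon.
STARTUP_EXE_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# Locale key the report saw queried ("Checks computer location settings").
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
# SHA-256 of the dropped jsaekxfk.exe from the report (identical to the submitted sample).
KUTAKI_SHA256 = {"314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2"}


def basename(path):
    """Last path component, case preserved for display."""
    return path.rsplit("\\", 1)[-1]


def detect(events):
    """Return (rule, detail) tuples in the order the events fire them."""
    alerts = []
    procs = {}    # pid -> (image, ppid), so a child can be tied back to its parent
    dropped = {}  # lower-cased Startup path -> pid of the process that wrote it
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            target = ev["target"]
            if STARTUP_EXE_RE.search(target):
                alerts.append(("startup_folder_drop", f"{basename(ev['image'])} wrote {target}"))
                dropped[target.lower()] = ev["pid"]
            if ev.get("sha256", "").lower() in KUTAKI_SHA256:
                alerts.append(("known_kutaki_hash", target))
        elif kind == "process_create":
            image, pid, ppid = ev["image"], ev["pid"], ev["ppid"]
            procs[pid] = (image, ppid)
            # "Executes dropped EXE": the Startup binary is started by the process that wrote it.
            if dropped.get(image.lower()) == ppid:
                alerts.append(("dropped_exe_executed",
                               f"{basename(procs[ppid][0])} launched {basename(image)}"))
            # cmd.exe /c <file> handing a document to mspaint.exe: the decoy-image chain.
            parent = procs.get(ppid)
            if basename(image).lower() == "mspaint.exe" and parent and basename(parent[0]).lower() == "cmd.exe":
                grand = procs.get(parent[1], ("?", 0))[0]
                alerts.append(("decoy_image_chain", f"{basename(grand)} -> cmd.exe -> mspaint.exe"))
        elif kind == "registry_query":
            if GEO_NATION_RE.search(ev["key"]):
                alerts.append(("geo_nation_lookup", f"{basename(ev['image'])} read {ev['key']}"))
    return alerts


STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe"

# Constructed events mirroring the report's process tree; PID 5000 (explorer.exe) is assumed.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 368, "ppid": 5000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "file_create", "pid": 368, "image": SAMPLE, "target": STARTUP + r"\jsaekxfk.exe",
     "sha256": "314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2"},
    {"type": "process_create", "pid": 884, "ppid": 368, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"},
    {"type": "registry_query", "pid": 884, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 4196, "ppid": 884, "image": r"C:\Windows\SysWOW64\mspaint.exe",
     "cmdline": r'"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"'},
    {"type": "process_create", "pid": 2316, "ppid": 368, "image": STARTUP + r"\jsaekxfk.exe",
     "cmdline": f'"{STARTUP}\\jsaekxfk.exe"'},
    # Assumed benign noise: a shortcut in Startup must not trip the .exe rule.
    {"type": "file_create", "pid": 5000, "image": r"C:\Windows\explorer.exe",
     "target": STARTUP + r"\OneNote.lnk", "sha256": ""},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:22} {detail}")
```

Sysmon records process creation (event ID 1) and file creation (event ID 11) but not registry value reads, so the Geo\Nation rule needs telemetry that logs queries, as the sandbox did here. The hash rule matches only this build; the Startup-folder drop and the writer-launches-its-own-drop chain are the durable detections.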
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jsaekxfk.exe
- Filesize: 617KB
- MD5: 9b719e21e56dfe22fe282fcd496d83c6
- SHA1: f0229d661757258893ca0f0b9daf21ac52d71364
- SHA256: 314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2
- SHA512: c969de50ba51747e457aed23a2f60a131e055d217c8e941ea03e0f51a2f441d4dc4f105ae78418f7be9bec326f7949ebabe174e9c50226c6ef8c59c57418750e

All four hashes match the submitted sample: jsaekxfk.exe is a byte-for-byte copy of Tax Payment Challan.exe placed in the Startup folder for persistence, so the sample's hashes are also the IoCs for the dropped file.