Analysis
- max time kernel: 121s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 02-06-2024 00:03
Behavioral task: behavioral1
- Sample: TDS Challan.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: TDS Challan.exe
- Resource: win10v2004-20240426-en
General
- Target: TDS Challan.exe
- Size: 740KB
- MD5: 1ba628a1b76f3a2f4133f94c7c18f91c
- SHA1: 876664b10a1fc68dba94efbb6aaa9f8eae3d1fac
- SHA256: 408e62f6612f1ace5d52c48c850a16881504dd50dd3af9bfc245bae8cb7cfeb0
- SHA512: 219a3a6e8cea16a58b90d7e2a044c4e7e26145e7e33c5a73033e382b2ccd8f8e16767af8af22f7f1db973733619a03e5cce1a4c2327f2d8f79db67f534f67e24
- SSDEEP: 12288:FCVVVVVVVf8g1ufKr43yABrn9AVGB7SLCY1J1kGl8V3eZsemDhkJM:FEk9n9AVG96r1/kGlVZshDhwM
Malware Config
Signatures
- Kutaki Executable (1 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mjgniech.exe | family_kutaki
- Drops startup file (2 IoCs)
  Processes: TDS Challan.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mjgniech.exe | TDS Challan.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mjgniech.exe | TDS Challan.exe
- Executes dropped EXE (1 IoCs)
  Processes: mjgniech.exe
  pid | process
  2720 | mjgniech.exe
- Loads dropped DLL (2 IoCs)
  Processes: TDS Challan.exe
  pid | process
  2940 | TDS Challan.exe
  2940 | TDS Challan.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes: TDS Challan.exe, mjgniech.exe
  pid | process
  2940 | TDS Challan.exe
  2940 | TDS Challan.exe
  2940 | TDS Challan.exe
  2720 | mjgniech.exe
  2720 | mjgniech.exe
  2720 | mjgniech.exe
  2720 | mjgniech.exe
  2720 | mjgniech.exe
  2720 | mjgniech.exe
  2720 | mjgniech.exe
  2720 | mjgniech.exe
  2720 | mjgniech.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: TDS Challan.exe
  description | pid | process | target process
  PID 2940 wrote to memory of 2580 | 2940 | TDS Challan.exe | cmd.exe
  PID 2940 wrote to memory of 2580 | 2940 | TDS Challan.exe | cmd.exe
  PID 2940 wrote to memory of 2580 | 2940 | TDS Challan.exe | cmd.exe
  PID 2940 wrote to memory of 2580 | 2940 | TDS Challan.exe | cmd.exe
  PID 2940 wrote to memory of 2720 | 2940 | TDS Challan.exe | mjgniech.exe
  PID 2940 wrote to memory of 2720 | 2940 | TDS Challan.exe | mjgniech.exe
  PID 2940 wrote to memory of 2720 | 2940 | TDS Challan.exe | mjgniech.exe
  PID 2940 wrote to memory of 2720 | 2940 | TDS Challan.exe | mjgniech.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\TDS Challan.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TDS Challan.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mjgniech.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mjgniech.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mjgniech.exe
  Filesize: 740KB
  MD5: 1ba628a1b76f3a2f4133f94c7c18f91c
  SHA1: 876664b10a1fc68dba94efbb6aaa9f8eae3d1fac
  SHA256: 408e62f6612f1ace5d52c48c850a16881504dd50dd3af9bfc245bae8cb7cfeb0
  SHA512: 219a3a6e8cea16a58b90d7e2a044c4e7e26145e7e33c5a73033e382b2ccd8f8e16767af8af22f7f1db973733619a03e5cce1a4c2327f2d8f79db67f534f67e24