Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 04-12-2021 14:26

Static task: static1
Behavioral task: behavioral1
- Sample: CAJ.exe
- Resource: win7-en-20211014

General
- Target: CAJ.exe
- Size: 1.7MB
- MD5: 011d1ed32a5521504f57593bbe5a1077
- SHA1: a94cf29b2fa5c518f4658e554225f667a23234c8
- SHA256: 2739f9d88ca7b74774c449ada327c291f79147caeb678773bab78185f5c1fb24
- SHA512: eeed3bb9cd1376170596fef462b92379936f1dceee9ddf5dd58967145ae6e4b6b086edc54c9c2fef0a75169134875a450ff0285010bd99c148ee93a849e6f89a
Malware Config
Signatures
- Modifies system executable filetype association (2 TTPs, 4 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ duba_64bit | CAJ.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}" | CAJ.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ duba_32bit | CAJ.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}" | CAJ.exe
- Registers COM server for autorun (1 TTPs)
- suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
- ACProtect 1.3x - 1.4x DLL software (1 IoCs)
  Detects file using ACProtect software.
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll | acprotect
- Downloads MZ/PE file
- Drops file in Drivers directory (35 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\system32\drivers\kisknl64_ev.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kisnetflt64.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\ksskrpr.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\ksapi64_ev.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kdhacker.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kdhacker64.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kiscore.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kisnetm64_arm.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\ksapi64.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kavbootc_ev.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kisnetm64.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\ksapi.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kusbquery.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kdhacker64_arm.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kdhacker64_ev.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kisnetm.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kisnetm_ev.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kusbquery64.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kisnetflt64_arm.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kisnetm64_ev.sys | CAJ.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\KAVBase.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kavbootc.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kavbootc64_ev.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kisknl.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kisnetflt.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kisknl_ev.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kisnetmxp.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\ksapi_ev.sys | CAJ.exe
  File opened for modification | C:\Windows\system32\drivers\kavbootc.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kavbootc64.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kavbootc64_arm.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kdhacker_ev.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kisknl64_arm.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\kisknl64.sys | CAJ.exe
  File created | C:\Windows\system32\drivers\ksapi64_arm.sys | CAJ.exe
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1740 | kavlog2.exe
- Sets file execution options in registry (2 TTPs)
-
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll | upx
- Loads dropped DLL (10 IoCs)
  Processes:
  pid | process
  668 | CAJ.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kxesc = "\"c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kxetray.exe\" -autorun" | CAJ.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | CAJ.exe
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | CAJ.exe
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (64 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  668 | CAJ.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 668 | CAJ.exe
  Token: SeDebugPrivilege | 668 | CAJ.exe
  Token: SeRestorePrivilege | 668 | CAJ.exe
  Token: SeBackupPrivilege | 668 | CAJ.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes:
  pid | process
  668 | CAJ.exe
- Suspicious use of SendNotifyMessage (64 IoCs)
  Processes:
  pid | process
  668 | CAJ.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | process | target process
  PID 668 wrote to memory of 1740 | 668 | CAJ.exe | kavlog2.exe
  PID 668 wrote to memory of 1740 | 668 | CAJ.exe | kavlog2.exe
  PID 668 wrote to memory of 1740 | 668 | CAJ.exe | kavlog2.exe
  PID 668 wrote to memory of 1740 | 668 | CAJ.exe | kavlog2.exe
  PID 668 wrote to memory of 516 | 668 | CAJ.exe | ksoftmgr.exe
  PID 668 wrote to memory of 516 | 668 | CAJ.exe | ksoftmgr.exe
  PID 668 wrote to memory of 516 | 668 | CAJ.exe | ksoftmgr.exe
  PID 668 wrote to memory of 516 | 668 | CAJ.exe | ksoftmgr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\CAJ.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CAJ.exe"
  Signatures:
    - Modifies system executable filetype association
    - Drops file in Drivers directory
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  Child processes:
    - \??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
      Command line: "c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe" -install
      Signatures:
        - Executes dropped EXE
    - \??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksoftmgr.exe
      Command line: "c:\program files (x86)\kingsoft\kingsoft antivirus\ksoftmgr.exe" -preload
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Program Files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
  MD5: c6370e05b2dc0067ae9cd7e08aefa413
  SHA1: a88c413373a5dadf4fb8f75525b5f1386fa06f9b
  SHA256: f0b532944b58c063e9635f69c022f586036421af133d864f9528284a50236298
  SHA512: 2f5d9ae4399ae981c6d2ffdd4f2741bfa56b7ed0b12289e226448f2e1c3f469beab831d772407d3364dca98cd9026eeca838ce6bb09cb31abc28890b6ae8fcb5
- \Program Files (x86)\kingsoft\kingsoft antivirus\kavmenu.dll
  MD5: 3ffb75d40a51d96a39ba513e4d31f8a5
  SHA1: f8acfefc52923ae8e993fb667e55d3a7742733d8
  SHA256: ae84e36b6c2dcc92bc188b4eae99ccbcefcd6333bb9484485cd2fa2932431f00
  SHA512: e4ad5908d825c2a1d008239980610b5fc78fe5b13adfe051e370cdfe13911a926fbdcb11d6b6d426fb3506ea12b68edb4ba413789190286b046aef9402237bed
- \Program Files (x86)\kingsoft\kingsoft antivirus\kismain.exe
  MD5: bf6d89aab7552c0d476f8fb67b25a3f9
  SHA1: 0f1fb42c32e6e314b8e4be592c7efe66dce34b3e
  SHA256: 543c7642f0166127ab445539130a9ebe3c1d8dfda656efc415a4367c0a097e8f
  SHA512: 368996fd7349812f2fbab4655fd614730686f6ec284d9c1dc8544ceb7022679538c592b65c8e98abcca7c18da9a0e37d53bbe4275b52e70e8b98ce491aacc543
- \Program Files (x86)\kingsoft\kingsoft antivirus\security\kavbootc.sys
  MD5: 44a332318c9a823b85d1f5257dcc7ad9
  SHA1: 80a6e8cbd957f5280cdc69d4b1a441aba6bc6bf6
  SHA256: ca615ede1d1356ac566189d4ba553f77ea074c4acb53d60b6f3144c8bfadde0c
  SHA512: 50b733732188c4ec42684fde06e9fc266d41c51c0009935c2fa9a301d80256122e9cab08e5b765e9270aa96138870c0881548cabd8891e42baadcbe416194c20
- \Program Files (x86)\kingsoft\kingsoft antivirus\security\ksde\kisknl.sys
  MD5: 916cb9541e41463afc49fc98b2f35ed2
  SHA1: d6b45a579915638ac30bfac569b409848d59ea2f
  SHA256: e888657b0591e3fe12a645f853cc458d91b32feed889fc6f6f9e8ab4b3160516
  SHA512: 12e66cc1ad1f3cc99b77a71fecd6b45fd29753588d86764c3d861a12f5d828055a845afac5eb89e4b0afa7c58744641cfec4421aca1337179de36b1cfde63485
- \Program Files (x86)\kingsoft\kingsoft antivirus\uni0nst.exe
  MD5: 1db2018c83fe943805aa35a14f8a80bb
  SHA1: 08ac6ac1d4ee39ca40d081e777d02127ba2326f6
  SHA256: 405d8822ada249d60efe45756b70211506184f970debed1e770eb06636cd53bb
  SHA512: 2594daaa72e37d9cff74e3c19852bce72a478a16e8ddb0c0bd1c688c217a4eef13e3766f28fea8412e1983d9f6e78da327b43befe35a20c8a4456c11521069c9
- \Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll
  MD5: 13ad0c8c5ad273243ed73a8e8b96ef26
  SHA1: 8129f41443fb0658a0cc07a1587ea9b663675f60
  SHA256: 3100e880e5309f562335b6a490d66b456515023222ecea113ef956dc91afd674
  SHA512: bf9d707dc194fbf5040b401a265a30fa40d0aa4f5d3c1fd0178d1782a7ef95385b1cc8916ecb4ae76798a95858995b28891a2dd0e58df592b2985b22974bfce6
- memory/668-55-0x0000000076231000-0x0000000076233000-memory.dmp
  Filesize: 8KB
- memory/668-56-0x00000000002E0000-0x00000000002E1000-memory.dmp
  Filesize: 4KB
- memory/1740-66-0x0000000000000000-mapping.dmp