2739f9d88ca7b74774c449ada327c291f79147caeb678773bab78185f5c1fb24

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-en-20211014
submitted
04-12-2021 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CAJ.exe
Size

1.7MB
MD5

011d1ed32a5521504f57593bbe5a1077
SHA1

a94cf29b2fa5c518f4658e554225f667a23234c8
SHA256

2739f9d88ca7b74774c449ada327c291f79147caeb678773bab78185f5c1fb24
SHA512

eeed3bb9cd1376170596fef462b92379936f1dceee9ddf5dd58967145ae6e4b6b086edc54c9c2fef0a75169134875a450ff0285010bd99c148ee93a849e6f89a

Score

10^/10

bootkit discovery evasion persistence suricata trojan upx

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

CAJ.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ duba_64bit	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ duba_32bit	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	CAJ.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
suricata

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll	acprotect

Downloads MZ/PE file

Drops file in Drivers directory 35 IoCs

Processes:

CAJ.exe

description	ioc	process
File created	C:\Windows\system32\drivers\kisknl64_ev.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kisnetflt64.sys	CAJ.exe
File created	C:\Windows\system32\drivers\ksskrpr.sys	CAJ.exe
File created	C:\Windows\system32\drivers\ksapi64_ev.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kdhacker.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kdhacker64.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kiscore.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kisnetm64_arm.sys	CAJ.exe
File created	C:\Windows\system32\drivers\ksapi64.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kavbootc_ev.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kisnetm64.sys	CAJ.exe
File created	C:\Windows\system32\drivers\ksapi.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kusbquery.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kdhacker64_arm.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kdhacker64_ev.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kisnetm.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kisnetm_ev.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kusbquery64.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kisnetflt64_arm.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kisnetm64_ev.sys	CAJ.exe
File opened for modification	C:\Windows\SysWOW64\drivers\KAVBase.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kavbootc.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kavbootc64_ev.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kisknl.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kisnetflt.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kisknl_ev.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kisnetmxp.sys	CAJ.exe
File created	C:\Windows\system32\drivers\ksapi_ev.sys	CAJ.exe
File opened for modification	C:\Windows\system32\drivers\kavbootc.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kavbootc64.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kavbootc64_arm.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kdhacker_ev.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kisknl64_arm.sys	CAJ.exe
File created	C:\Windows\system32\drivers\kisknl64.sys	CAJ.exe
File created	C:\Windows\system32\drivers\ksapi64_arm.sys	CAJ.exe

Executes dropped EXE 1 IoCs

Processes:

kavlog2.exe

pid process

1740 kavlog2.exe
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
1740	kavlog2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll	upx

Loads dropped DLL 10 IoCs

Processes:

CAJ.exe

pid process

668 CAJ.exe
668 CAJ.exe
668 CAJ.exe
668 CAJ.exe
668 CAJ.exe
668 CAJ.exe
668 CAJ.exe
668 CAJ.exe
668 CAJ.exe
668 CAJ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CAJ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kxesc = "\"c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kxetray.exe\" -autorun"	CAJ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

CAJ.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA CAJ.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

CAJ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 CAJ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CAJ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	CAJ.exe

Drops file in Program Files directory 64 IoCs

Processes:

CAJ.exe

description	ioc	process
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\skin\theme\youth_new.dubatheme	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kdefendpop.dll	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\lblocker.dll	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmd_icon_common.png	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kcdpt\selfdetect.ini	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\naviconfig.dat	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\knetworkpanel.dll	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\pegasus.dll	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\knewvip.ini	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\bredirect.dat	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\defendmon.dll	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\config\UserInterConf.dat	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\ztfd5002.fsg	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\api-ms-win-core-rtlsupport-l1-1-0.dll	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksde\kislog.dll	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksde\klengine.dll	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_normal_loan_bootopt.png	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_roundicon_tianmao_icon.png	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\config\adintercfg.ini	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksde\kmctrl.dll	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksde\kiscore.sys	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\api-ms-win-core-string-l1-1-0.dll	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\extendimg\1.jpg	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_realtimeopt_green_btn2.png	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\khcacfg.ini	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksetupwiz.exe	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\fnsign.dat	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\ksoft_category.dat	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\ztvf2002.vsg	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\k2swebshield.dll.bak	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kswscxex.dll	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\qq_pcmgr_rcmd_subicon.png	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\shrink_skin_config.ini	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\clearplugin\plugin.nlb	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\safe_business_ex.dat	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\ztfec008.fsg	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore_sp.xcf	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\api-ms-win-core-processthreads-l1-1-0.dll	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\api-ms-win-crt-environment-l1-1-0.dll	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\skin\theme\skin_youth_new.png	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kcdpt\scene\vippop.ini	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\kbootfilter.dat	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\falset.fsg	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\ztfc002a.fsg	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kcommonpid.kid	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kismain.exe	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\double11_speedpop3.png	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_gamebox1.png	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\operation\cas\kfmt.datx	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\ztfeb002.fsg	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kpopcenter.dll	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kspupwnd.dll	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksde\kisknl64_arm.sys	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\open_url_tool_cfg.xml	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\signs.ini	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksg\ztfe5004.fsg	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_qidou.png	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmd_icon_sub.png	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\skin\theme\skin_newyear_new.png	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\kismain.ini	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\lpolicy.dat	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\driver_manager.kid	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kisfdpro64.dll	CAJ.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_roundicon_avdr.png	CAJ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

CAJ.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	CAJ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.zzzktword	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shellex\ContextMenuHandlers\ duba_64bit	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ duba_64bit	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\ duba_32bit	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1"	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ThreadingModel = "Apartment"	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\Shellex\ContextMenuHandlers\ duba_64bit	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\ duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zzzktexcel	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\Shellex\ContextMenuHandlers\ duba_64bit	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ThreadingModel = "Apartment"	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ktword	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shellex	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\ = "CKavMenuShell Class"	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ duba_32bit	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ duba_32bit	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu.dll"	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\PacketPath_166_287_1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdb_semrjgj.dll"	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\ duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\Shellex\ContextMenuHandlers\ duba_64bit	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "vfvycdrn4xm7adhn2nlahqofiv7b"	CAJ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ktexcel	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shellex\ContextMenuHandlers\ duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.000ktppt	CAJ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.000ktppt	CAJ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ktppt	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shellex\ContextMenuHandlers	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\ duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}\InprocServer32	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ duba_32bit	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\ duba_64bit	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ktppt	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ duba_32bit\ = "{D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4}"	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\did = "C5233F9D8BABE91E38E7DB1C828E87E5"	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zzzktword	CAJ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ktword	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32\ = "c:\\program files (x86)\\kingsoft\\kingsoft antivirus\\kavmenu64.dll"	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "4accc3aec986ef1f7abd6c8900aeccd2"	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ktexcel	CAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ duba_64bit\ = "{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}"	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Shellex\ContextMenuHandlers\ duba_64bit	CAJ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.zzzktexcel	CAJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51}\InprocServer32	CAJ.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

CAJ.exe

pid process

668 CAJ.exe
668 CAJ.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

CAJ.exe

description	pid	process
Token: SeDebugPrivilege	668	CAJ.exe
Token: SeDebugPrivilege	668	CAJ.exe
Token: SeRestorePrivilege	668	CAJ.exe
Token: SeBackupPrivilege	668	CAJ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

CAJ.exe

pid	process
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

CAJ.exe

pid	process
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe
668	CAJ.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

CAJ.exe

description	pid	process	target process
PID 668 wrote to memory of 1740	668	CAJ.exe	kavlog2.exe
PID 668 wrote to memory of 1740	668	CAJ.exe	kavlog2.exe
PID 668 wrote to memory of 1740	668	CAJ.exe	kavlog2.exe
PID 668 wrote to memory of 1740	668	CAJ.exe	kavlog2.exe
PID 668 wrote to memory of 516	668	CAJ.exe	ksoftmgr.exe
PID 668 wrote to memory of 516	668	CAJ.exe	ksoftmgr.exe
PID 668 wrote to memory of 516	668	CAJ.exe	ksoftmgr.exe
PID 668 wrote to memory of 516	668	CAJ.exe	ksoftmgr.exe

C:\Users\Admin\AppData\Local\Temp\CAJ.exe
"C:\Users\Admin\AppData\Local\Temp\CAJ.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:668

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe" -install
2⤵
- Executes dropped EXE
PID:1740

\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksoftmgr.exe
"c:\program files (x86)\kingsoft\kingsoft antivirus\ksoftmgr.exe" -preload
2⤵
PID:516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
MD5
c6370e05b2dc0067ae9cd7e08aefa413

SHA1
a88c413373a5dadf4fb8f75525b5f1386fa06f9b

SHA256
f0b532944b58c063e9635f69c022f586036421af133d864f9528284a50236298

SHA512
2f5d9ae4399ae981c6d2ffdd4f2741bfa56b7ed0b12289e226448f2e1c3f469beab831d772407d3364dca98cd9026eeca838ce6bb09cb31abc28890b6ae8fcb5

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kavmenu.dll
MD5
3ffb75d40a51d96a39ba513e4d31f8a5

SHA1
f8acfefc52923ae8e993fb667e55d3a7742733d8

SHA256
ae84e36b6c2dcc92bc188b4eae99ccbcefcd6333bb9484485cd2fa2932431f00

SHA512
e4ad5908d825c2a1d008239980610b5fc78fe5b13adfe051e370cdfe13911a926fbdcb11d6b6d426fb3506ea12b68edb4ba413789190286b046aef9402237bed

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\kismain.exe
MD5
bf6d89aab7552c0d476f8fb67b25a3f9

SHA1
0f1fb42c32e6e314b8e4be592c7efe66dce34b3e

SHA256
543c7642f0166127ab445539130a9ebe3c1d8dfda656efc415a4367c0a097e8f

SHA512
368996fd7349812f2fbab4655fd614730686f6ec284d9c1dc8544ceb7022679538c592b65c8e98abcca7c18da9a0e37d53bbe4275b52e70e8b98ce491aacc543

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\security\kavbootc.sys
MD5
44a332318c9a823b85d1f5257dcc7ad9

SHA1
80a6e8cbd957f5280cdc69d4b1a441aba6bc6bf6

SHA256
ca615ede1d1356ac566189d4ba553f77ea074c4acb53d60b6f3144c8bfadde0c

SHA512
50b733732188c4ec42684fde06e9fc266d41c51c0009935c2fa9a301d80256122e9cab08e5b765e9270aa96138870c0881548cabd8891e42baadcbe416194c20

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\security\kavbootc.sys
MD5
44a332318c9a823b85d1f5257dcc7ad9

SHA1
80a6e8cbd957f5280cdc69d4b1a441aba6bc6bf6

SHA256
ca615ede1d1356ac566189d4ba553f77ea074c4acb53d60b6f3144c8bfadde0c

SHA512
50b733732188c4ec42684fde06e9fc266d41c51c0009935c2fa9a301d80256122e9cab08e5b765e9270aa96138870c0881548cabd8891e42baadcbe416194c20

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\security\ksde\kisknl.sys
MD5
916cb9541e41463afc49fc98b2f35ed2

SHA1
d6b45a579915638ac30bfac569b409848d59ea2f

SHA256
e888657b0591e3fe12a645f853cc458d91b32feed889fc6f6f9e8ab4b3160516

SHA512
12e66cc1ad1f3cc99b77a71fecd6b45fd29753588d86764c3d861a12f5d828055a845afac5eb89e4b0afa7c58744641cfec4421aca1337179de36b1cfde63485

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\security\ksde\kisknl.sys
MD5
916cb9541e41463afc49fc98b2f35ed2

SHA1
d6b45a579915638ac30bfac569b409848d59ea2f

SHA256
e888657b0591e3fe12a645f853cc458d91b32feed889fc6f6f9e8ab4b3160516

SHA512
12e66cc1ad1f3cc99b77a71fecd6b45fd29753588d86764c3d861a12f5d828055a845afac5eb89e4b0afa7c58744641cfec4421aca1337179de36b1cfde63485

Download Submit
\Program Files (x86)\kingsoft\kingsoft antivirus\uni0nst.exe
MD5
1db2018c83fe943805aa35a14f8a80bb

SHA1
08ac6ac1d4ee39ca40d081e777d02127ba2326f6

SHA256
405d8822ada249d60efe45756b70211506184f970debed1e770eb06636cd53bb

SHA512
2594daaa72e37d9cff74e3c19852bce72a478a16e8ddb0c0bd1c688c217a4eef13e3766f28fea8412e1983d9f6e78da327b43befe35a20c8a4456c11521069c9

Download Submit
\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll
MD5
13ad0c8c5ad273243ed73a8e8b96ef26

SHA1
8129f41443fb0658a0cc07a1587ea9b663675f60

SHA256
3100e880e5309f562335b6a490d66b456515023222ecea113ef956dc91afd674

SHA512
bf9d707dc194fbf5040b401a265a30fa40d0aa4f5d3c1fd0178d1782a7ef95385b1cc8916ecb4ae76798a95858995b28891a2dd0e58df592b2985b22974bfce6

Download Submit
memory/668-55-0x0000000076231000-0x0000000076233000-memory.dmp

Filesize
8KB

Download
memory/668-56-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1740-66-0x0000000000000000-mapping.dmp

Download