96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e

General

Target

96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
Size

1.6MB
MD5

10039640bf8e8bd1cf0617368bde251f
SHA1

0c59640e4744f4c20e606d9eac47b56f559eeae9
SHA256

96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e
SHA512

9576a66552a09a14f817f22dbb53e5b8b2270793af1de710e4d9df703818f7fa5b656b74ca5151d39ddecd9c00ea98733dc374953f7fed07437e8336fdeec711

Score

10^/10

bootkit evasion persistence suricata trojan upx

Malware Config

Signatures

suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
suricata

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll	acprotect

Downloads MZ/PE file

Drops file in Drivers directory 16 IoCs

Processes:

96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

description	ioc	process
File created	C:\Windows\system32\drivers\kisknl64_ev.sys	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	C:\Windows\system32\drivers\ksapi_ev.sys	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	C:\Windows\system32\drivers\kisknl.sys	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File opened for modification	C:\Windows\system32\drivers\kisknl.sys	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	C:\Windows\system32\drivers\kisnetmxp.sys	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\KAVBase.sys	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	C:\Windows\system32\drivers\kisknl64.sys	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	C:\Windows\system32\drivers\kisknl_ev.sys	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	C:\Windows\system32\drivers\kisnetm_ev.sys	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	C:\Windows\system32\drivers\ksapi.sys	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	C:\Windows\system32\drivers\ksapi64_ev.sys	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	C:\Windows\system32\drivers\kisnetm.sys	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	C:\Windows\system32\drivers\kisnetm64.sys	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	C:\Windows\system32\drivers\kisnetm64_ev.sys	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	C:\Windows\system32\drivers\ksapi64.sys	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	C:\Windows\system32\drivers\ksskrpr.sys	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

Executes dropped EXE 1 IoCs

Processes:

KDbCIHelper.exe

pid process

1380 KDbCIHelper.exe

pid	process
1380	KDbCIHelper.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll	upx

Loads dropped DLL 3 IoCs

Processes:

96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

pid	process
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

description ioc process

File opened for modification \??\PhysicalDrive0 96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

Drops file in Program Files directory 64 IoCs

Processes:

96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

description	ioc	process
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kvmpid2.kid	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\chaodijiage-taobao.png	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kcdpt\scene\productcmpp.ini	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\skin\theme\merry.dubatheme	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\gamemode\floatwingamemode.ini	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kwsu.dat	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kcmppinvoker.dll	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\krcmdui.dll	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kxesansp.dll	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_realtimeopt_tianmao_icon.png	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmd_liebaologo.png	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ressrc\chs\game.xml	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\system64.dat	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ks3rdhmpg64.dll	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\skinicon\wendujishrink_skin_img.png	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\share\kfxspring.gif	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_kphonehelper_small_icon_app.png	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_normal_calendar_icon.png	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\search.png	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_normal_loan_bootopt.png	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksde\kisknl64_ev.sys	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kxereg.dll	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\double11_speedpop3.png	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\logo_player.png	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\floatskin\kongqizhiliang.skin	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kwhcommonpop.exe	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksoftpurifyengine.dll	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\system.dat	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\jsonv6.dll	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kislive.exe	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_roundicon_qiangpiao.png	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\kae\kaecore.ini	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\stuptswarntp.ini	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\softicon\softicon32\index.dat	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\netmodeconfig.dat	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksfilter.dat	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\ksoftmgrun.dat	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\vinfo.ini	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\kswitch.dat	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\kplc.dat	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\zlib1.dll	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\double11_sublogos2.png	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\haohuojingxuan-taobao.png	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_normal_taobao1212_test1_sub3.png	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\scanctrl.ini	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\signs.ini	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\msvcr80.dll	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksde\kisknl.sys	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksapi_ev.sys	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\uninstall\computer_doctor.png	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2_normal_qiangpiao_sub3.png	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\uninstall\scan_virus.png	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\ksbwdt.ini	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\ksoftmgrengine.dll	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\data\rcmdv2sp01\cfg\pic\rcmdv2roundiconthemecmnicon.png	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\rcmdhelper.exe	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavevent.dll	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kclearpanel.dll	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksnetm\kisnetm64_ev.sys	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\khistory.ini	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\config3a.dat	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\duba123new.ico	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\kavmenu.dll	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
File created	\??\c:\program files (x86)\kingsoft\kingsoft antivirus\adintercore.dll	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

Modifies registry class 14 IoCs

Processes:

96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "3cd1720093f45f9404b8cf4724a1a8fd"	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "8m9udb22p8x4j9w5ftcmvwcvfs2u"	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\did = "5728A73133B43B7963AEF655735DA977"	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\PacketPath_0_0_1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdb_semrjgj.dll"	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1"	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

pid	process
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

description	pid	process
Token: SeDebugPrivilege	1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
Token: SeDebugPrivilege	1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

Suspicious use of FindShellTrayWindow 63 IoCs

Processes:

96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

pid	process
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

Suspicious use of SendNotifyMessage 63 IoCs

Processes:

96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

pid	process
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe

description	pid	process	target process
PID 1800 wrote to memory of 1380	1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe	KDbCIHelper.exe
PID 1800 wrote to memory of 1380	1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe	KDbCIHelper.exe
PID 1800 wrote to memory of 1380	1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe	KDbCIHelper.exe
PID 1800 wrote to memory of 1380	1800	96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe	KDbCIHelper.exe

C:\Users\Admin\AppData\Local\Temp\96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe
"C:\Users\Admin\AppData\Local\Temp\96d76b78a568a67e70851821c036042e2fab663fb80c84c7beb119072b780c6e.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\KDbCIHelper.exe
  "C:\Users\Admin\AppData\Local\Temp\KDbCIHelper.exe" -release
  2⤵
  - Executes dropped EXE
  PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KDbCIHelper.exe

Filesize
270KB

MD5
6a0416c9d15d5bbfa03c85a96eadad90

SHA1
ec383f7104112d92f95c31d0e365db6dd2cd4462

SHA256
72e1f20807ed445c506d264d9da2e3687a8b2f4b503f352f1d363d7a5dce73ea

SHA512
dfbca32f535b9a39576c653ff731ce5bff087d625dfb2e4498aade783ed1faf9784dd06266a582d4e9d8218b13cf5b9bb4057e4cc3dace05646e1a26d865f3dc

Download Submit
\Users\Admin\AppData\Local\Temp\KDbCIHelper.exe

Filesize
270KB

MD5
6a0416c9d15d5bbfa03c85a96eadad90

SHA1
ec383f7104112d92f95c31d0e365db6dd2cd4462

SHA256
72e1f20807ed445c506d264d9da2e3687a8b2f4b503f352f1d363d7a5dce73ea

SHA512
dfbca32f535b9a39576c653ff731ce5bff087d625dfb2e4498aade783ed1faf9784dd06266a582d4e9d8218b13cf5b9bb4057e4cc3dace05646e1a26d865f3dc

Download Submit
\Users\Admin\AppData\Local\Temp\KDbCIHelper.exe

Filesize
270KB

MD5
6a0416c9d15d5bbfa03c85a96eadad90

SHA1
ec383f7104112d92f95c31d0e365db6dd2cd4462

SHA256
72e1f20807ed445c506d264d9da2e3687a8b2f4b503f352f1d363d7a5dce73ea

SHA512
dfbca32f535b9a39576c653ff731ce5bff087d625dfb2e4498aade783ed1faf9784dd06266a582d4e9d8218b13cf5b9bb4057e4cc3dace05646e1a26d865f3dc

Download Submit
\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll

Filesize
36.6MB

MD5
cf20e3f69ae844fd027ce759f0aa560c

SHA1
2d5079bf74c4cdc226c605a9e82bd803ff577648

SHA256
f9cce6e4026f7be00fbf665bdc9e433baf0932ddf8bf660bcacbc61a4b44748a

SHA512
49dae81fe0b2a47c548674ec2dea8c4a9a956308daf6ee6a7448ec373ca07094e0d04cd9dc88c527778d91aa8b13ecd6045eddf60d79a8c061f9530ac1b70015

Download Submit
memory/1380-58-0x0000000000000000-mapping.dmp

Download
memory/1800-54-0x0000000074E91000-0x0000000074E93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads