02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23/11/2023, 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe
Size

223KB
MD5

3f1ed476bceeca442393f5e36fa68cd8
SHA1

03a302374522db1d8b66286c53cc6b6d6089584f
SHA256

02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a
SHA512

34162a317612547bfee962d3536f42a58e6e2ed10d4c9658154e93c960608df6544222fe03d28893afd15f0fab42593be371aff2954f850afc5e3d0a67cae03c
SSDEEP

6144:KwPSUONLNsuWA7koN+boRN3i4CbRcyXLAE:KOuW5o/+Rc

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\Vl3wpJ1O4.sys	ksetup.exe

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State = "146944"	ksetup.exe

Deletes itself 1 IoCs

pid	Process
2920	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2828	ksetup.exe

Loads dropped DLL 2 IoCs

pid	Process
1220	Explorer.EXE
1220	Explorer.EXE

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2344-0-0x0000000000A30000-0x0000000000A9E000-memory.dmp	upx
behavioral1/memory/2344-94-0x0000000000A30000-0x0000000000A9E000-memory.dmp	upx
behavioral1/memory/2344-96-0x0000000000A30000-0x0000000000A9E000-memory.dmp	upx
behavioral1/memory/2828-99-0x0000000000970000-0x0000000000998000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\ \Windows\System32\Je8gAlJ.sys	ksetup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\FvP5Yu7b.sys	ksetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
680	timeout.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	ksetup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\www.hao774.com	ksetup.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ksetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ksetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ksetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ksetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ksetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe
2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe
2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe
2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe
2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1220	Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe
Token: SeTcbPrivilege	2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe
Token: SeDebugPrivilege	2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe
Token: SeDebugPrivilege	1220	Explorer.EXE
Token: SeDebugPrivilege	1220	Explorer.EXE
Token: SeDebugPrivilege	2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe
Token: SeDebugPrivilege	2828	ksetup.exe
Token: SeDebugPrivilege	2828	ksetup.exe
Token: SeDebugPrivilege	2828	ksetup.exe
Token: SeIncBasePriorityPrivilege	2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe
Token: SeDebugPrivilege	2828	ksetup.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe
2828	ksetup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2828	ksetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 1220	2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe	22
PID 2344 wrote to memory of 1220	2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe	22
PID 2344 wrote to memory of 1220	2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe	22
PID 2344 wrote to memory of 1220	2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe	22
PID 2344 wrote to memory of 1220	2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe	22
PID 1220 wrote to memory of 2828	1220	Explorer.EXE	28
PID 1220 wrote to memory of 2828	1220	Explorer.EXE	28
PID 1220 wrote to memory of 2828	1220	Explorer.EXE	28
PID 1220 wrote to memory of 2828	1220	Explorer.EXE	28
PID 1220 wrote to memory of 2828	1220	Explorer.EXE	28
PID 1220 wrote to memory of 2828	1220	Explorer.EXE	28
PID 1220 wrote to memory of 2828	1220	Explorer.EXE	28
PID 1220 wrote to memory of 2828	1220	Explorer.EXE	28
PID 2344 wrote to memory of 420	2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe	5
PID 2344 wrote to memory of 420	2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe	5
PID 2344 wrote to memory of 420	2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe	5
PID 2344 wrote to memory of 420	2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe	5
PID 2344 wrote to memory of 420	2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe	5
PID 2344 wrote to memory of 2920	2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe	31
PID 2344 wrote to memory of 2920	2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe	31
PID 2344 wrote to memory of 2920	2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe	31
PID 2344 wrote to memory of 2920	2344	02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe	31
PID 2920 wrote to memory of 680	2920	cmd.exe	33
PID 2920 wrote to memory of 680	2920	cmd.exe	33
PID 2920 wrote to memory of 680	2920	cmd.exe	33
PID 2920 wrote to memory of 680	2920	cmd.exe	33
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22
PID 2828 wrote to memory of 1220	2828	ksetup.exe	22

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe
  "C:\Users\Admin\AppData\Local\Temp\02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe"
  2⤵
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\02bf70831ab4e561285a6848289999767982af261d477f275fc4d77e7868509a.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:680
- C:\ProgramData\Microsoft\ksetup.exe
  "C:\ProgramData\Microsoft\ksetup.exe"
  2⤵
  - Drops file in Drivers directory
  - Manipulates Digital Signatures
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\ksetup.exe

Filesize
42KB

MD5
ddccdf0769cd68fee9bf5e4e57a02d9a

SHA1
e6db0ebb80f3dcf956f399036a1beeb056fd0a3e

SHA256
9a4aa2d66d39b076128768e4fdcfb4701df88f1a51e54734a2ace3359722a15c

SHA512
28a2a3fa7f999b975b40bb6ae58fd5c34a5bedf38594552e02e95b601baa8ab647a4e5c7fb0004d2ce0da37d860b79786764eb3ebbb1c4449744120e4e909995

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45c5edd2b25f89762c8e52a134f11e7c

SHA1
32b42a8200af07d52772f2419434a4f4cf48b5f5

SHA256
0ae307b33482eb21383d6d3394947bb850736eb07bdb93a536671062bba01af4

SHA512
22663c682fc792e446972d031a1ae0bb7c56ba3e36f6712453c484f7fcc61aac9da15bfe5a40754a2d2e36e737fde4b2e746491047a91848bb538c769becae53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ddf1131a90ea25f802a6169b32d56aa

SHA1
69e422046984dbb6a0c75232c900ebe53f10da86

SHA256
13f26cec85ff9e17671b32b9d0dcd6522aa8e09d7edd97e1454325ce55744a74

SHA512
a0e88c861c71e422e89a63bb96122356db6728ce73fd29ebd3de79014cdd54748e10d4e166b9dd52301a8d8f0f8199f95d9101fa09d6200c70d24590ea953390

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab426F.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar58AC.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
\ProgramData\Microsoft\ksetup.exe

Filesize
42KB

MD5
ddccdf0769cd68fee9bf5e4e57a02d9a

SHA1
e6db0ebb80f3dcf956f399036a1beeb056fd0a3e

SHA256
9a4aa2d66d39b076128768e4fdcfb4701df88f1a51e54734a2ace3359722a15c

SHA512
28a2a3fa7f999b975b40bb6ae58fd5c34a5bedf38594552e02e95b601baa8ab647a4e5c7fb0004d2ce0da37d860b79786764eb3ebbb1c4449744120e4e909995

Download Submit
\ProgramData\Microsoft\ksetup.exe

Filesize
42KB

MD5
ddccdf0769cd68fee9bf5e4e57a02d9a

SHA1
e6db0ebb80f3dcf956f399036a1beeb056fd0a3e

SHA256
9a4aa2d66d39b076128768e4fdcfb4701df88f1a51e54734a2ace3359722a15c

SHA512
28a2a3fa7f999b975b40bb6ae58fd5c34a5bedf38594552e02e95b601baa8ab647a4e5c7fb0004d2ce0da37d860b79786764eb3ebbb1c4449744120e4e909995

Download Submit
memory/420-111-0x0000000000970000-0x0000000000998000-memory.dmp

Filesize
160KB

Download
memory/420-44-0x0000000000970000-0x0000000000998000-memory.dmp

Filesize
160KB

Download
memory/420-45-0x0000000000970000-0x0000000000998000-memory.dmp

Filesize
160KB

Download
memory/420-42-0x00000000008B0000-0x00000000008B3000-memory.dmp

Filesize
12KB

Download
memory/1220-139-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-134-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-245-0x000007FEF4660000-0x000007FEF466A000-memory.dmp

Filesize
40KB

Download
memory/1220-244-0x000007FEF6020000-0x000007FEF6163000-memory.dmp

Filesize
1.3MB

Download
memory/1220-242-0x000007FEF4660000-0x000007FEF466A000-memory.dmp

Filesize
40KB

Download
memory/1220-241-0x000007FEF6020000-0x000007FEF6163000-memory.dmp

Filesize
1.3MB

Download
memory/1220-20-0x0000000006C20000-0x0000000006D17000-memory.dmp

Filesize
988KB

Download
memory/1220-19-0x0000000006C20000-0x0000000006D17000-memory.dmp

Filesize
988KB

Download
memory/1220-18-0x0000000002AD0000-0x0000000002AD3000-memory.dmp

Filesize
12KB

Download
memory/1220-159-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-158-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-157-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-156-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-155-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-154-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-129-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-131-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-104-0x0000000006C20000-0x0000000006D17000-memory.dmp

Filesize
988KB

Download
memory/1220-132-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-133-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-135-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-136-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-137-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-138-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-17-0x0000000002AD0000-0x0000000002AD3000-memory.dmp

Filesize
12KB

Download
memory/1220-140-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-141-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-142-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-143-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-144-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-118-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-116-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-121-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-122-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-123-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-124-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-120-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-125-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-127-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-126-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-128-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-152-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-151-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-153-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-150-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-149-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-148-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-147-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-146-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1220-145-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/2344-0-0x0000000000A30000-0x0000000000A9E000-memory.dmp

Filesize
440KB

Download
memory/2344-94-0x0000000000A30000-0x0000000000A9E000-memory.dmp

Filesize
440KB

Download
memory/2344-96-0x0000000000A30000-0x0000000000A9E000-memory.dmp

Filesize
440KB

Download
memory/2828-109-0x0000000003A70000-0x0000000003B10000-memory.dmp

Filesize
640KB

Download
memory/2828-101-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2828-113-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2828-110-0x0000000003A70000-0x0000000003B10000-memory.dmp

Filesize
640KB

Download
memory/2828-119-0x00000000021E0000-0x00000000021E5000-memory.dmp

Filesize
20KB

Download
memory/2828-38-0x0000000001CC0000-0x0000000001D8B000-memory.dmp

Filesize
812KB

Download
memory/2828-108-0x00000000025C0000-0x00000000025CF000-memory.dmp

Filesize
60KB

Download
memory/2828-107-0x0000000001CC0000-0x0000000001D8B000-memory.dmp

Filesize
812KB

Download
memory/2828-105-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2828-106-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2828-103-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2828-130-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/2828-102-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2828-112-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2828-100-0x00000000021E0000-0x00000000021EA000-memory.dmp

Filesize
40KB

Download
memory/2828-99-0x0000000000970000-0x0000000000998000-memory.dmp

Filesize
160KB

Download
memory/2828-97-0x0000000037BE0000-0x0000000037BF0000-memory.dmp

Filesize
64KB

Download
memory/2828-115-0x0000000000970000-0x0000000000998000-memory.dmp

Filesize
160KB

Download
memory/2828-117-0x00000000021E0000-0x00000000021EA000-memory.dmp

Filesize
40KB

Download
memory/2828-178-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2828-179-0x0000000003A70000-0x0000000003B10000-memory.dmp

Filesize
640KB

Download
memory/2828-180-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/2828-27-0x00000000000D0000-0x0000000000193000-memory.dmp

Filesize
780KB

Download
memory/2828-28-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2828-243-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/2828-34-0x00000000001D0000-0x00000000001D3000-memory.dmp

Filesize
12KB

Download
memory/2828-40-0x000007FEBEDE0000-0x000007FEBEDF0000-memory.dmp

Filesize
64KB

Download