e42a3a64b94d56ff4eb582d1d42b1cbf86f4d0cedcb15244bc818728c1eee20d

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02a8a6079949624aa00e1d5bd6ec469e.exe
Size

1.3MB
MD5

02a8a6079949624aa00e1d5bd6ec469e
SHA1

5d066de909907a406d00779803fca42cb3a80718
SHA256

e42a3a64b94d56ff4eb582d1d42b1cbf86f4d0cedcb15244bc818728c1eee20d
SHA512

751842b2afc77d022873f3876d0d28ee92c555a12d767cae6cf34256423679f114beeef58087bcd8bdbea1a487fbaf82030e316c6946c7eecd700f763a991296
SSDEEP

24576:HW/F8IVEKFAldhmAjPouSNbM+tzccf94WliDwoCFyelKwrUQ8Tcjkn:4/F+dhnjPouSJM+zV4siDcblKwrh8YQ

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2156	CKSetup32.exe
2324	CKSetup64.exe
1216	Process not Found

Loads dropped DLL 17 IoCs

pid	Process
2468	02a8a6079949624aa00e1d5bd6ec469e.exe
2156	CKSetup32.exe
2156	CKSetup32.exe
2156	CKSetup32.exe
2324	CKSetup64.exe
2324	CKSetup64.exe
2324	CKSetup64.exe
2324	CKSetup64.exe
2324	CKSetup64.exe
2324	CKSetup64.exe
1216	Process not Found
2156	CKSetup32.exe
2156	CKSetup32.exe
2468	02a8a6079949624aa00e1d5bd6ec469e.exe
2468	02a8a6079949624aa00e1d5bd6ec469e.exe
2468	02a8a6079949624aa00e1d5bd6ec469e.exe
2468	02a8a6079949624aa00e1d5bd6ec469e.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2468-0-0x0000000000400000-0x00000000007FD000-memory.dmp	upx
behavioral1/memory/2468-88-0x0000000000400000-0x00000000007FD000-memory.dmp	upx
behavioral1/memory/2468-89-0x0000000000400000-0x00000000007FD000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CKAgent_t.exe	CKSetup32.exe
File opened for modification	C:\Windows\SysWOW64\CKAgent.exe	CKSetup32.exe
File opened for modification	C:\Windows\SysWOW64\CKSetup64.exe	02a8a6079949624aa00e1d5bd6ec469e.exe
File created	C:\Windows\system32\CKAgent.dat	CKSetup64.exe
File opened for modification	C:\Windows\system32\CKAgent.dat	CKSetup64.exe
File opened for modification	C:\Windows\system32\JRSKD24.SYS	CKSetup64.exe
File created	C:\Windows\system32\JRSUKD25.SYS	CKSetup64.exe
File created	C:\Windows\system32\kcrtx64.sys	CKSetup64.exe
File created	C:\Windows\SysWOW64\jrsoftcp.dll	02a8a6079949624aa00e1d5bd6ec469e.exe
File created	C:\Windows\SysWOW64\kcrypto.dll	02a8a6079949624aa00e1d5bd6ec469e.exe
File created	C:\Windows\system32\CKAgent_t.exe	CKSetup64.exe
File opened for modification	C:\Windows\system32\CKAgent.exe	CKSetup64.exe
File created	C:\Windows\SysWOW64\CKAgent.exe	CKSetup32.exe
File created	C:\Windows\SysWOW64\TouchEnKey.dll	02a8a6079949624aa00e1d5bd6ec469e.exe
File created	C:\Windows\SysWOW64\XecureCK.dll	02a8a6079949624aa00e1d5bd6ec469e.exe
File opened for modification	C:\Windows\SysWOW64\CKAgent.dat	CKSetup32.exe
File created	C:\Windows\SysWOW64\CKApp.dll	02a8a6079949624aa00e1d5bd6ec469e.exe
File created	C:\Windows\SysWOW64\npKeyPro.dll	02a8a6079949624aa00e1d5bd6ec469e.exe
File created	C:\Windows\SysWOW64\CKCSP.dll	02a8a6079949624aa00e1d5bd6ec469e.exe
File created	C:\Windows\SysWOW64\CKSetup32.exe	02a8a6079949624aa00e1d5bd6ec469e.exe
File created	C:\Windows\SysWOW64\CKSetup64.exe	CKSetup32.exe
File created	C:\Windows\system32\temp_JRSKD24.SYS	CKSetup64.exe
File created	C:\Windows\SysWOW64\CKAgent.dat	CKSetup32.exe
File created	C:\Windows\SysWOW64\CKKeyProCert.dll	02a8a6079949624aa00e1d5bd6ec469e.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\TouchEnKey.dll	02a8a6079949624aa00e1d5bd6ec469e.exe
File created	C:\Windows\Downloaded Program Files\TouchEnKey.dll	02a8a6079949624aa00e1d5bd6ec469e.exe
File created	C:\Windows\Downloaded Program Files\TouchEnKey.inf	02a8a6079949624aa00e1d5bd6ec469e.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8FD68F8A-641E-4204-AE47-DD835C1AE756}\Compatibility Flags = "0"	CKSetup32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CE20149-ABE3-462E-A1B4-5B549971AA38}	CKSetup32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6CE20149-ABE3-462E-A1B4-5B549971AA38}	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6CE20149-ABE3-462E-A1B4-5B549971AA38}\Compatibility Flags = "0"	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6CE20149-ABE3-462E-A1B4-5B549971AA38}	CKSetup32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6CE20149-ABE3-462E-A1B4-5B549971AA38}\Compatibility Flags = "0"	CKSetup32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CE20149-ABE3-462E-A1B4-5B549971AA38}\AppPath = "C:\\Windows\\system32"	CKSetup32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CE20149-ABE3-462E-A1B4-5B549971AA38}\Policy = "3"	CKSetup32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8FD68F8A-641E-4204-AE47-DD835C1AE756}	CKSetup32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CE20149-ABE3-462E-A1B4-5B549971AA38}\AppName = "CKAgent.exe"	CKSetup32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XecureCK.XecureCKKB.1\ = "XecureCKKB Class"	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XecureCK.XecureCKKB	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6CE20149-ABE3-462E-A1B4-5B549971AA38}\InprocServer32\ = "C:\\Windows\\Downloaded Program Files\\TouchEnKey.dll"	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6CE20149-ABE3-462E-A1B4-5B549971AA38}\InprocServer32\ThreadingModel = "Apartment"	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80057AB5-65A5-4DF2-933F-51CFAB8E8F42}\ = "XecureCKEventSink Class"	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{503F0D5F-2BA7-4AEA-91A4-81ABBAE980A3}\TypeLib\Version = "1.0"	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{503F0D5F-2BA7-4AEA-91A4-81ABBAE980A3}	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6CE20149-ABE3-462E-A1B4-5B549971AA38}\TypeLib	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XecureCK.XecureCKEventSink.1	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XecureCK.XecureCKEventSink\ = "XecureCKEventSink Class"	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80057AB5-65A5-4DF2-933F-51CFAB8E8F42}\ProgID\ = "XecureCK.XecureCKEventSink.1"	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D9BB56B-46E9-4B44-B455-54F75D3258DF}\ = "IXecureCKKB"	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80057AB5-65A5-4DF2-933F-51CFAB8E8F42}\InprocServer32\ThreadingModel = "Apartment"	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{503F0D5F-2BA7-4AEA-91A4-81ABBAE980A3}\TypeLib\ = "{6385A97F-E709-4895-A9FA-DD0F420DCAC9}"	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XecureCK.XecureCKKB\ = "XecureCKKB Class"	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80057AB5-65A5-4DF2-933F-51CFAB8E8F42}\VersionIndependentProgID	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6385A97F-E709-4895-A9FA-DD0F420DCAC9}\1.0\ = "XecureCK 1.0 Type Library"	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{503F0D5F-2BA7-4AEA-91A4-81ABBAE980A3}\ = "IXecureCKEventSink"	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{503F0D5F-2BA7-4AEA-91A4-81ABBAE980A3}\ProxyStubClsid32	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{503F0D5F-2BA7-4AEA-91A4-81ABBAE980A3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{503F0D5F-2BA7-4AEA-91A4-81ABBAE980A3}\TypeLib	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XecureCK.XecureCKEventSink\CurVer	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6385A97F-E709-4895-A9FA-DD0F420DCAC9}\1.0\0	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D9BB56B-46E9-4B44-B455-54F75D3258DF}\TypeLib\ = "{6385A97F-E709-4895-A9FA-DD0F420DCAC9}"	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D9BB56B-46E9-4B44-B455-54F75D3258DF}\TypeLib	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80057AB5-65A5-4DF2-933F-51CFAB8E8F42}	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6385A97F-E709-4895-A9FA-DD0F420DCAC9}	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6385A97F-E709-4895-A9FA-DD0F420DCAC9}\1.0\FLAGS\ = "0"	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6385A97F-E709-4895-A9FA-DD0F420DCAC9}\1.0\HELPDIR\	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D9BB56B-46E9-4B44-B455-54F75D3258DF}	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D9BB56B-46E9-4B44-B455-54F75D3258DF}\TypeLib\ = "{6385A97F-E709-4895-A9FA-DD0F420DCAC9}"	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XecureCK.XecureCKKB.1	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XecureCK.XecureCKKB\CLSID	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6CE20149-ABE3-462E-A1B4-5B549971AA38}\TypeLib\ = "{6385A97F-E709-4895-A9FA-DD0F420DCAC9}"	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XecureCK.XecureCKEventSink\CLSID\ = "{80057AB5-65A5-4DF2-933F-51CFAB8E8F42}"	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XecureCK.XecureCKEventSink\CurVer\ = "XecureCK.XecureCKEventSink.1"	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6385A97F-E709-4895-A9FA-DD0F420DCAC9}\1.0\FLAGS	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6385A97F-E709-4895-A9FA-DD0F420DCAC9}\1.0\0\win32\ = "C:\\Windows\\Downloaded Program Files\\TouchEnKey.dll"	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XecureCK.XecureCKKB.1\CLSID\ = "{6CE20149-ABE3-462E-A1B4-5B549971AA38}"	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6CE20149-ABE3-462E-A1B4-5B549971AA38}\ProgID\ = "XecureCK.XecureCKKB.1"	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D9BB56B-46E9-4B44-B455-54F75D3258DF}\ = "IXecureCKKB"	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XecureCK.XecureCKEventSink.1\CLSID	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80057AB5-65A5-4DF2-933F-51CFAB8E8F42}\InprocServer32	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80057AB5-65A5-4DF2-933F-51CFAB8E8F42}\InprocServer32\ = "C:\\Windows\\Downloaded Program Files\\TouchEnKey.dll"	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D9BB56B-46E9-4B44-B455-54F75D3258DF}\ProxyStubClsid32	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6CE20149-ABE3-462E-A1B4-5B549971AA38}\VersionIndependentProgID	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XecureCK.XecureCKEventSink.1\CLSID\ = "{80057AB5-65A5-4DF2-933F-51CFAB8E8F42}"	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D9BB56B-46E9-4B44-B455-54F75D3258DF}	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6CE20149-ABE3-462E-A1B4-5B549971AA38}\ = "XecureCKKB Class"	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80057AB5-65A5-4DF2-933F-51CFAB8E8F42}\Programmable	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6385A97F-E709-4895-A9FA-DD0F420DCAC9}\1.0\HELPDIR	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D9BB56B-46E9-4B44-B455-54F75D3258DF}\TypeLib\Version = "1.0"	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{503F0D5F-2BA7-4AEA-91A4-81ABBAE980A3}\TypeLib\ = "{6385A97F-E709-4895-A9FA-DD0F420DCAC9}"	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6CE20149-ABE3-462E-A1B4-5B549971AA38}	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6CE20149-ABE3-462E-A1B4-5B549971AA38}\ProgID	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6CE20149-ABE3-462E-A1B4-5B549971AA38}\InprocServer32	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XecureCK.XecureCKEventSink.1\ = "XecureCKEventSink Class"	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D9BB56B-46E9-4B44-B455-54F75D3258DF}\TypeLib	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D9BB56B-46E9-4B44-B455-54F75D3258DF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{503F0D5F-2BA7-4AEA-91A4-81ABBAE980A3}\TypeLib\Version = "1.0"	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{503F0D5F-2BA7-4AEA-91A4-81ABBAE980A3}\ProxyStubClsid32	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6CE20149-ABE3-462E-A1B4-5B549971AA38}\VersionIndependentProgID\ = "XecureCK.XecureCKKB"	02a8a6079949624aa00e1d5bd6ec469e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XecureCK.XecureCKEventSink\CLSID	02a8a6079949624aa00e1d5bd6ec469e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80057AB5-65A5-4DF2-933F-51CFAB8E8F42}\VersionIndependentProgID\ = "XecureCK.XecureCKEventSink"	02a8a6079949624aa00e1d5bd6ec469e.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2468	02a8a6079949624aa00e1d5bd6ec469e.exe
2468	02a8a6079949624aa00e1d5bd6ec469e.exe
2468	02a8a6079949624aa00e1d5bd6ec469e.exe
2468	02a8a6079949624aa00e1d5bd6ec469e.exe
2324	CKSetup64.exe
2156	CKSetup32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
464	Process not Found
464	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2468	02a8a6079949624aa00e1d5bd6ec469e.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2156	2468	02a8a6079949624aa00e1d5bd6ec469e.exe	28
PID 2468 wrote to memory of 2156	2468	02a8a6079949624aa00e1d5bd6ec469e.exe	28
PID 2468 wrote to memory of 2156	2468	02a8a6079949624aa00e1d5bd6ec469e.exe	28
PID 2468 wrote to memory of 2156	2468	02a8a6079949624aa00e1d5bd6ec469e.exe	28
PID 2468 wrote to memory of 2156	2468	02a8a6079949624aa00e1d5bd6ec469e.exe	28
PID 2468 wrote to memory of 2156	2468	02a8a6079949624aa00e1d5bd6ec469e.exe	28
PID 2468 wrote to memory of 2156	2468	02a8a6079949624aa00e1d5bd6ec469e.exe	28
PID 2156 wrote to memory of 2324	2156	CKSetup32.exe	29
PID 2156 wrote to memory of 2324	2156	CKSetup32.exe	29
PID 2156 wrote to memory of 2324	2156	CKSetup32.exe	29
PID 2156 wrote to memory of 2324	2156	CKSetup32.exe	29

C:\Users\Admin\AppData\Local\Temp\02a8a6079949624aa00e1d5bd6ec469e.exe
"C:\Users\Admin\AppData\Local\Temp\02a8a6079949624aa00e1d5bd6ec469e.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\CKSetup32.exe
  C:\Windows\system32\CKSetup32.exe /install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\CKSetup64.exe
    "C:\Windows\SysWOW64\CKSetup64.exe" /update CKAgent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\CKAgent.exe

Filesize
133KB

MD5
b41cf55c72f97008a9696454fe3af490

SHA1
e91860630919a244a59e76b9ef98b4a1a1a9c365

SHA256
15a6ea7dbd57944933063231996a1346452ed46edd9730480bb980087147dae5

SHA512
f73b4e026a43128b6e71da87e917d3c2fadf902f35522176ff3e4a28f3fd1ee0c3e16d05bdc464f0cac62cb080b2f2b758b48e6c61d71cd2dfe60d4045b01d07

Download Submit
C:\Windows\SysWOW64\CKSetup32.exe

Filesize
1.1MB

MD5
56923fa7b6f2ee6c6d6e8c20c7e7d9d9

SHA1
395203bd5691eaf24b70b3edaff9dd4931026d72

SHA256
139aabfd2dd5f93e55d249cdafc09b8408724451d2497ef141c44e9fb61a23a0

SHA512
96a5bcc5d7269e43a5d08ccd6563ccf58ca3fe41d617ecb7cdfd902efbbd967c704026e2c9498a0b78281880e98dd7cff601c7b314ea9c875bf10dfffa68ab3b

Download Submit
C:\Windows\SysWOW64\CKSetup32.exe

Filesize
1.0MB

MD5
da9ad1caf987ba334ede9c8fef1056f5

SHA1
0b24e5dcc87c144767a1acc72491805561299c84

SHA256
ae4557cedced6e57366eb8048ea37050ecff067b8e6b0a6b5bf9816d4976e6af

SHA512
26d1c7bb711118cddd2d399ae7b8cfbbd259a0ac4379e932ed499234ce0d9f880f281c9c9dc63d56aec86a46556145f5f05b51db3f1b32d4a39a1a3137f21e70

Download Submit
C:\Windows\SysWOW64\CKSetup64.exe

Filesize
462KB

MD5
8aec74b31d7a560904396a9d8d9e61f5

SHA1
fb7dbef14187f421f8183abe281ebd4ca5f843fb

SHA256
69298602a398107bd37a68a344b2583e8791180a3fb486cbc70cc6b57058800f

SHA512
5c3bfed7221979a3b1865228c0f46f8e798312659bc724103f8617075f1114eddc12563ef2b0c6e44eaf55850ba87f7fbff8fb54a2d57ca4f90bebd784303455

Download Submit
C:\Windows\SysWOW64\CKSetup64.exe

Filesize
460KB

MD5
7ca09def6547bed6a4e2efd54782b8b5

SHA1
a703dc5cbcc582103bbf16924c1356a3a3ccecd7

SHA256
615a81b5581a140fbbb191b68fb3c990a4d1656c9b9d9e5daeb649d2e56971a2

SHA512
1e26e72b0430b894a2defcc64ffadf288c7866de4f405a7b3c5e377904c962f87bde538d1b9dbbc5f2077c3bae476452ee99f0bc2da0db31da7c93c54d4db45e

Download Submit
C:\Windows\System32\CKAgent.exe

Filesize
133KB

MD5
b2edd65139aa6154085f4c93eafd5e54

SHA1
8d5ac04f1726d5d3aa7c75cc20787c494b62b0b0

SHA256
d294d7168b4e70c2878e2ed9ae47f10a78b3f9985f8ad025cd4d249f1b8c41e7

SHA512
c68050294819526ca73da72618405d6b3df04ca23155114056bb084806f1902ca5b216c1413cb04cf0fd53ca940438caef53fc5c271c0c61a642ace9ceb24f05

Download Submit
\Windows\SysWOW64\CKSetup32.exe

Filesize
813KB

MD5
fb2cf97a9558dc52ae501a4e4cfa18d1

SHA1
8f31c05d7ad36d970ae96a8587859cae068b3c4e

SHA256
4dc150651ad5b6af18cfaed5b86371fd116a084ad07ade336bdecc31bd23f30d

SHA512
a248630bfe267d9092d082fc8560b8e56ef1814d66c0b02d6bc0e32d1ca3ca264c3820c329425645a1132e258689dc488f1ede26d3996ef244d35369ac97c0fe

Download Submit
\Windows\SysWOW64\CKSetup32.exe

Filesize
128KB

MD5
c6db47d948214e813e7f3c682c25d61a

SHA1
bbd9c2093590375df2a60cb4783531c7279243a2

SHA256
5db5d153a7a4dc69cc876e15e8969394ad0c8efa9459bc5845243bf16bdd68ef

SHA512
21e01d29a131df1c181b52b3d7f95070a847c08daeaa38335d30bd018909f188491722d859f65d3f3d4276cb649b8b8ee5192a6b3ae4f0546e48ca8dc40b6d31

Download Submit
\Windows\SysWOW64\CKSetup32.exe

Filesize
955KB

MD5
d8c17effd2ab214ad93b476a2fc78309

SHA1
b493492142ce97aa210aadb4ae2a6ef70e15e2ae

SHA256
7604d7aad168a911cf149a9f0744c52a72204a4612503791613d167666bfdfc8

SHA512
e5a15f5d95fa2f9cab68f070c9a23e5170aa6c082c560715a7b4839d41934ced524553ade6b00a4a787cbcae24cac63240917e7779236185ddc66f725d17067f

Download Submit
\Windows\SysWOW64\TouchEnKey.dll

Filesize
497KB

MD5
4df87b9f957b6b2c63794bf3c972ccd5

SHA1
81a1ec4b13b5e9f5dd1767dd2ae85edb1bfc302d

SHA256
cd76c403bff82c4d2142f3018d836ec8246a14cff1ff0b2a4edfe79406e8be6a

SHA512
96ed457b2209a78b384db542cb7c39f15e9aacdeae5ef9b9a6dd636096099f20d1bd12b65a186919ad872ea5430b17c5bf206a290a1678dbc25be51415174ae1

Download Submit
\Windows\SysWOW64\kcrypto.dll

Filesize
186KB

MD5
f9060327c8db272ac4bf9d52c7022ad5

SHA1
8abf59a23a05abd32616d6ecad2e196c84cee204

SHA256
2ce0479ad8d4e043bef269c58662f7a0ab9530a246176c98dbd331c2c7734237

SHA512
0e0e87f1bee1250593efd70eb6e74088e6476441f3f60240b8d27e5047e674d2fd5e9e5223aed23d2a90fabe4d03fc1d3a6af4b3218c09b7a3d608b93a6d7d79

Download Submit
\Windows\System32\JRSUKD25.SYS

Filesize
18KB

MD5
2394a1e91c924d638d496879b9b6b38e

SHA1
831ad2e722eb085fc18e585d2b6a809dc17d4c60

SHA256
98ef1ce2b6899c04b0941d56be79390cd15c622c8d0dcef3616055f8fee6bcc9

SHA512
b15f60019e485d3a311bfd4e0541dc5853170ba1f3bb753316b9ef932b8d70454a67b8493b9a07c9c5fb836c1d1d693e8e258b35adb8e19c91bc471a1b1a30f7

Download Submit
\Windows\System32\kcrtx64.sys

Filesize
138KB

MD5
b2023b8c0aca7a4ff75a69e877dfb2d4

SHA1
54009b9711af2a6ad6ebfc7e1258a1787de1a0d0

SHA256
d8628b1c2b9103f80447b28082d7e59aab1d763c740ab9c4a5269b49651a300b

SHA512
7513d39f0272100a9aba2b0616a1274b68378869c7beaea3e86aef83fb4a81282a402e6922d277237c034a27e13965660db18e189d40178f9e1668e65a80e756

Download Submit
\Windows\System32\temp_JRSKD24.SYS

Filesize
13KB

MD5
a71cded2d4e34d9471fe1a92f057a551

SHA1
154afb1b5a1b3bb1d09bcf9952e8764489aeccd3

SHA256
5355a3fd33bc5518148fc64b42323e6ab5fa2277d17e87f9a0762f00c5593346

SHA512
5461f58fd7775615fc36aba6ea71177cf6dc3e240123e14556dd922628d935a0b82af0f59a72a6671750ffc74d9921578917dc4329b8d9033f6953acbcede671

Download Submit
memory/2324-38-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/2324-31-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/2324-30-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/2324-44-0x00000000001E0000-0x0000000000206000-memory.dmp

Filesize
152KB

Download
memory/2324-43-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/2324-42-0x00000000001E0000-0x0000000000206000-memory.dmp

Filesize
152KB

Download
memory/2324-47-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/2324-49-0x00000000001E0000-0x0000000000206000-memory.dmp

Filesize
152KB

Download
memory/2324-48-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/2468-1-0x0000000000E70000-0x000000000126D000-memory.dmp

Filesize
4.0MB

Download
memory/2468-0-0x0000000000400000-0x00000000007FD000-memory.dmp

Filesize
4.0MB

Download
memory/2468-5-0x0000000000E70000-0x000000000126D000-memory.dmp

Filesize
4.0MB

Download
memory/2468-77-0x0000000010000000-0x000000001008A000-memory.dmp

Filesize
552KB

Download
memory/2468-78-0x0000000010000000-0x000000001008A000-memory.dmp

Filesize
552KB

Download
memory/2468-12-0x0000000000E70000-0x000000000126D000-memory.dmp

Filesize
4.0MB

Download
memory/2468-82-0x0000000010000000-0x000000001008A000-memory.dmp

Filesize
552KB

Download
memory/2468-84-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2468-88-0x0000000000400000-0x00000000007FD000-memory.dmp

Filesize
4.0MB

Download
memory/2468-89-0x0000000000400000-0x00000000007FD000-memory.dmp

Filesize
4.0MB

Download