005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 02:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
Size

18.7MB
MD5

b1bbf11894fda5852dcd1a624d5a6349
SHA1

b8e22e502260cb8c720429b762d0908cec38f8a0
SHA256

005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e
SHA512

6dc7ceb9f5c3372ee4a0de9354336ec73cda64e935dcb4b9a79c72a74419eb034eba5ad87126f4157ae3ea13680e6e41dc406827683c6ee4701e8ed83f89abce
SSDEEP

393216:dJg2m+fD6Qk9ah0I7ZkwdJ609cHqhjC0BF8LGUKdT:M2myw9mbZkwLL9cHQC0BF8LG3T

Score

9^/10

discovery

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015df9-20.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\addfile\ocr2txt.png	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\addfile\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\dlg\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\groupofd\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\add\btnRemoveHot.png	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\dlg\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\page\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\purchase_retain\bk.png	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\addfile\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\groupcad\cad2pdf_pressed.png	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\grouppdfcvt\image2pdf.png	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\list\ocr_no_text.png	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\more\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\page\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\usercenter\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\ucrtbase.dll	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\addfile\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\groupop\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\usercenter\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\vipmember\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\addfile\pdf2image.png	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\dlg\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\progress\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\shortcut\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\about\about_logo.png	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\list\list_btn_selected.png	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\list\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\system\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\groupocr\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\grouppdfcvt\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\progress\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\purchaseguide\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\update\png_main_bg.png	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\addfile\cad2image.png	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\feedback\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\groupcad\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\groupocr\ocr2txt.png	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\list\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\drop\dropshort_normal.png	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\dlg\dialog_btn_long_hover.png	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\vipmember\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\addfile\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\addfile\image2bmp.png	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\checkbox\checkbox_disable.png	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\usercenter\unvip\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\9\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\api-ms-win-crt-utility-l1-1-0.dll	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\addfile\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\more\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\api-ms-win-crt-string-l1-1-0.dll	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\close\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\dlg\popup_success_green.png	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\logo\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\addfile\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\groupop\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\grouppdfcvt\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\list\ic_feedback_Range.png	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\shortcut\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\usercenter\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\usercenter\vip\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\addfile\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\addfile\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\groupop\pdfsplit.png	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
File created	C:\Program Files\Kean\KeanPdfConverter\skins\png\slider\[email protected]	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe

Executes dropped EXE 4 IoCs

pid	Process
2804	KeanPdfLoader.exe
688	KeanPdfTool.exe
1096	KeanPdfUpdate.exe
1928	KeanPdfUpdate.exe

Loads dropped DLL 16 IoCs

pid	Process
2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
2804	KeanPdfLoader.exe
2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
688	KeanPdfTool.exe
688	KeanPdfTool.exe
688	KeanPdfTool.exe
2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
1096	KeanPdfUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\SystemFileAssociations\.pdf	KeanPdfLoader.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\SystemFileAssociations\.pdf\Shell	KeanPdfLoader.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\SystemFileAssociations\.pdf\Shell\PDF转Word	KeanPdfLoader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\SystemFileAssociations\.pdf\Shell\PDF转图片\Icon = "C:\\Program Files\\Kean\\KeanPdfConverter\\KeanPdfMain.exe,0"	KeanPdfLoader.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\SystemFileAssociations\.pdf\Shell\PDF转Word\command	KeanPdfLoader.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\SystemFileAssociations	KeanPdfLoader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\SystemFileAssociations\.pdf\Shell\PDF转Word\command\ = "\"C:\\Program Files\\Kean\\KeanPdfConverter\\KeanPdfMain.exe\" -2345pic -f \"%1\" \"--rightmenu=1\""	KeanPdfLoader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\SystemFileAssociations\.pdf\Shell\PDF转Word\Icon = "C:\\Program Files\\Kean\\KeanPdfConverter\\KeanPdfMain.exe,0"	KeanPdfLoader.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\SystemFileAssociations\.pdf\Shell\PDF转图片\command	KeanPdfLoader.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\SystemFileAssociations\.pdf\Shell\PDF转图片	KeanPdfLoader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\SystemFileAssociations\.pdf\Shell\PDF转图片\command\ = "\"C:\\Program Files\\Kean\\KeanPdfConverter\\KeanPdfMain.exe\" -2345pic -f \"%1\" \"--rightmenu=4\""	KeanPdfLoader.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	KeanPdfLoader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	KeanPdfLoader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	KeanPdfLoader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	KeanPdfLoader.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
2804	KeanPdfLoader.exe
2804	KeanPdfLoader.exe
2804	KeanPdfLoader.exe
1096	KeanPdfUpdate.exe
1096	KeanPdfUpdate.exe
1928	KeanPdfUpdate.exe
1928	KeanPdfUpdate.exe
1928	KeanPdfUpdate.exe
1928	KeanPdfUpdate.exe
1096	KeanPdfUpdate.exe
1096	KeanPdfUpdate.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2804	2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe	28
PID 2932 wrote to memory of 2804	2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe	28
PID 2932 wrote to memory of 2804	2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe	28
PID 2932 wrote to memory of 2804	2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe	28
PID 2804 wrote to memory of 688	2804	KeanPdfLoader.exe	30
PID 2804 wrote to memory of 688	2804	KeanPdfLoader.exe	30
PID 2804 wrote to memory of 688	2804	KeanPdfLoader.exe	30
PID 2804 wrote to memory of 688	2804	KeanPdfLoader.exe	30
PID 2932 wrote to memory of 1096	2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe	31
PID 2932 wrote to memory of 1096	2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe	31
PID 2932 wrote to memory of 1096	2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe	31
PID 2932 wrote to memory of 1096	2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe	31
PID 2932 wrote to memory of 1096	2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe	31
PID 2932 wrote to memory of 1096	2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe	31
PID 2932 wrote to memory of 1096	2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe	31
PID 2932 wrote to memory of 1928	2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe	32
PID 2932 wrote to memory of 1928	2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe	32
PID 2932 wrote to memory of 1928	2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe	32
PID 2932 wrote to memory of 1928	2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe	32
PID 2932 wrote to memory of 1928	2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe	32
PID 2932 wrote to memory of 1928	2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe	32
PID 2932 wrote to memory of 1928	2932	005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe	32

C:\Users\Admin\AppData\Local\Temp\005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe
"C:\Users\Admin\AppData\Local\Temp\005cc5fcee47af9761a6d41b5789683ad454ffa416a7bd7a9d3472ddf9fc230e.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Program Files\Kean\KeanPdfConverter\KeanPdfLoader.exe
  "C:\Program Files\Kean\KeanPdfConverter\KeanPdfLoader.exe" -install 132 -invoke-platform-x64
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Program Files\Kean\KeanPdfConverter\KeanPdfTool.exe
    "C:\Program Files\Kean\KeanPdfConverter\KeanPdfTool.exe" -update-force-config -invoke-platform-x64
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:688
- C:\Program Files\Kean\KeanPdfConverter\KeanPdfUpdate.exe
  "C:\Program Files\Kean\KeanPdfConverter\KeanPdfUpdate.exe" -install -update-platform-x64
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1096
- C:\Program Files\Kean\KeanPdfConverter\KeanPdfUpdate.exe
  "C:\Program Files\Kean\KeanPdfConverter\KeanPdfUpdate.exe" -SendUIStatNow
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Kean\KeanPdfConverter\KeanPdfMain.exe

Filesize
232KB

MD5
2d717eeb2b789be6c7cb7a761cfa7131

SHA1
e79a2fd9faf1cddce80ca675a82d6741c4d7d82c

SHA256
c6e997bb0bd36c945d6b7e27f14f9ed4a70d00ca9488b28b49ef89fae460933d

SHA512
0f408b63bfad73af215df11b7c129a1b4120002e2032c3427a37dc61fa43c41309a53dd47912d54b57a9a7a9b771e3fcdc22d7d5248460a2115d1add53857559

Download Submit
C:\Program Files\Kean\KeanPdfConverter\KeanPdfTool.exe

Filesize
669KB

MD5
06afa49d230f500680e2a4ddb7fdc163

SHA1
f5db23bb21a1822c30f983dc9d0e88f81c8cc0dc

SHA256
ac1114a4de85d5c5d237d930bc5d88f86b872671159cb81d52a76d47981ceed5

SHA512
a8ac35a91ccf75122af0150cdcc2b9a0da626ce1ddadac8603b373b78a68aa5eb55aa5ee6f629edb04cb2a9af882cb66d1c00d1a0a32bbc826292aa4648fb3be

Download Submit
C:\Program Files\Kean\KeanPdfConverter\KeanPdfUpdate.exe

Filesize
1.2MB

MD5
c2559be8d71de163107387d11936860c

SHA1
80c13faf9d8b025f0189f379b9d247eaa6bbf872

SHA256
658324a58c84b3691a567660bc9e5f8d36747fcd6606527fdb0d72c7a349561e

SHA512
d77a6573873d32309b1bf4a2a76c052f99192cc6f76e6ecb51b062151f1fe5ed5c4efd99ff270625bf4635dac6568379c60bc3ab8db1878cffe130a70501ac3f

Download Submit
C:\Program Files\Kean\KeanPdfConverter\Uninstall.exe

Filesize
1.1MB

MD5
9de6e89a7717fe43033c13f704314796

SHA1
8e5d6171a2a32331c996ce4ed253fed40ed5990c

SHA256
5c75f573421d8ab0fd96c6adcad333f7efee7d8320475074d9c642c5e77196c4

SHA512
2c398075cef2de2fe3b46f5f67ff8b47fc3ae965d7acce60719217fc9857860dc79a9590a6f0bdbe97b700c305feca59e5a234509bb7f4e3e055595b428f263e

Download Submit
C:\Program Files\Kean\KeanPdfConverter\libcurl_x86.dll

Filesize
1.3MB

MD5
503f4a85a2b1721157822ff9c567cdca

SHA1
5d68df8eeff7a8f1cb021924608ddd34d2fde98c

SHA256
7f8a994c037e365b631b71caf8dfb667517e975be507b492578a88eeff5b6f33

SHA512
dfa6a85ff7ea8b043ee7985118a8f920cf45156718cd3bc8d3fe7d007ab05e59db67d3f76b8ce971dd8748a2dd1e7e01d6a56a409b49bf7d26f64d6384b97284

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7C05.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7C94.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\KeanPdfConverter\Application\2.6.0.764\skins\png\purchaseguide\[email protected]

Filesize
936B

MD5
5d7c97b7d44bb8c57c658694fe0ab05a

SHA1
3328d7e734cfe6720ed8085ca512ae9ad459da44

SHA256
e2d52f1f641893a5c50396c9884194a6dbe95c2f3d3e8bcfb58809b3d8f9922e

SHA512
f1cb00428f78f9ef939789a285d49644b8b171623a33b759625d1e620b3b53ec78c3eac6f11d76a64167d503cd5feefc7e92e142cfd168c338d4b0fa52b2693d

Download Submit
C:\Users\Admin\AppData\Roaming\KeanPdfConverter\RCPDFConverter.hzc

Filesize
29B

MD5
99fb8e84b8aa92889349054a60e1f359

SHA1
1b3dd1afb4fe4533ca16db4dd3e7845c13b0e1c5

SHA256
5313e624a817ebcb34675027d12b87465de4fc4fdddfdd74d244490c4911b8e4

SHA512
2a99095109445c3ca1b9fad5c87fdfed331641401ca8d19d3ab4d109e18b9dc5feb739485f14f390bd3bcfa3a4325e3b1278fe1bb8690dd8df16edb9af52faac

Download Submit
C:\Users\Admin\AppData\Roaming\KeanPdfConverter\RCPDFConverter.stat.lock

Filesize
4B

MD5
f1d3ff8443297732862df21dc4e57262

SHA1
9069ca78e7450a285173431b3e52c5c25299e473

SHA256
df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119

SHA512
ec2d57691d9b2d40182ac565032054b7d784ba96b18bcb5be0bb4e70e3fb041eff582c8af66ee50256539f2181d7f9e53627c0189da7e75a4d5ef10ea93b20b3

Download Submit
\Program Files\Kean\KeanPdfConverter\KeanPdfLoader.exe

Filesize
1.2MB

MD5
7666318b10212c5ebd5803f0fbf7c1b5

SHA1
622d401aa9d5670ebc5d3520f299caea34264b2d

SHA256
651af538299cc13c453cfdc6302bcbbf9a3b63517c7b34a200f50d7410c072e4

SHA512
f4163b52510482764610989719a0a6998d0bc3a2c2b3a21966c5ca7df4d1a546dce3c0a0740db7e91a99281b404e809e0f1c812c939840559ead0d6816854108

Download Submit
\Program Files\Kean\KeanPdfConverter\KeanPdfUpdate.exe

Filesize
1.3MB

MD5
3a962fcca503fff610a83f25b5339bcc

SHA1
3e12ba9d1e83f7fce5ad960278173220790bf905

SHA256
3183642d131300b3bd8af02d7db60136a8bd6dd026e71b50fed530f3f8b2f334

SHA512
bccdfa6070313b26173aeb62ffe8b8219cc9ac0711ebbf7fd023c82282c33e166cd632827decb77800bb7ac83743313d3e7c639fce7861196e557cf23587da96

Download Submit
\Program Files\Kean\KeanPdfConverter\KeanPdfUpdate.exe

Filesize
1.4MB

MD5
62032671cb638fdb3903fddc58d67433

SHA1
cd7ee28a236cb41b572628fcf5df3b795a5ec48f

SHA256
065bec812c58cd64df982951e817803130f95efaaff3ee4b53ee31d948847c23

SHA512
2a4daf84f48c256a52da229ea84fa1f9a06d79ec570a3c5ac11effec7544a404928fcb1f32d97752da5781132ec7d05bf89ca4bd61548231b4233f32a80b73f6

Download Submit
\Program Files\Kean\KeanPdfConverter\libcurl_x86.dll

Filesize
1.1MB

MD5
ad3926b6cc783536a1ae755ed81b751e

SHA1
092d4999fcfadda1d82aeaeaa436b03d3d45257f

SHA256
8a91b5dfd1f81ba09676cc48b654399204544942c726cf046d35a93865f1b8a9

SHA512
4dc5febe68622b014c9e73175b70cd53670ea97ceee2247388b281a931d092fc8e8ae55acef57f4fe044b62f1cfcd990ff348e2787f53ce46f105bb39adcb7af

Download Submit
\Program Files\Kean\KeanPdfConverter\libcurl_x86.dll

Filesize
2.1MB

MD5
c1669e0892fe14696cba54ce5f9942a0

SHA1
617b78ecfedfab9e1053472c667029e250e75a40

SHA256
eed1556a16e8aaf9116595baabf765f5bc97bb212771ad7d35ba9bfc565f68d5

SHA512
01f7066e183029d9d2e61d7e898f861073ffe48afe5f6d3be77be3c140efbf51e0dc6ca4710a73514e430ea85b2028044c1473a0b56f6ca525fc43098dfeab4f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3F82.tmp\FileInfo.dll

Filesize
589KB

MD5
96db521a774244bbab1de9d93d2b0a64

SHA1
27c8304e4b17a5a59d414de8ef77b056609c21bc

SHA256
f79eaaa02157d6f4cd44d3282ae039ced8ac9fac964ea4d7ed7c12ca92f5833c

SHA512
b0bc0e858e0a98c9c7e3f5479249fb4f9f6a92f7680fc437950e94499fe0dff3f778a8c2f8f0dd6d5d61fd9a209817bb59d3166d1f19d9adf1ee2153e00859c3

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3F82.tmp\RCWidgetPlugin.dll

Filesize
2.7MB

MD5
c8f4719f57485ede91c05335df4cc1b2

SHA1
895b4e75ee2e9f302351acb74c3c7936d32585a0

SHA256
72c2bd73e2915db5f490498f9cd4ece2f5fe2070b06d3fc7abcfce5a2fd9a101

SHA512
f8a37a969961a8299604a930f2b1834502b07baee042597d6a005ee1885a69c71e5cbc9d029209b20e8200b2e40eb4bc5b6ce865139d5ef702e2559d3bca3d09

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3F82.tmp\System.dll

Filesize
27KB

MD5
a568feaa357f44dd50c5e447fa8ee1b2

SHA1
5c765fad342b756d5ea522087c6f7567b5f3ed57

SHA256
57947a15ad3215185c7e15a5f0da393570845a13ab7b184a07fcefbf97537e48

SHA512
7c8c36c0123de839e677beeba65c1af56c5e85d8f1ff2c94950aed33e026dff3fbda8c49859012862110117977c928b814c0d91c477583a2b8f83d73f3cdf174

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3F82.tmp\libcurl_x86.dll

Filesize
2.1MB

MD5
a26e75c0407c87786eea42febdb32532

SHA1
27e52fdca023cb8f031cd55ac37965d93f7f7da7

SHA256
635f988beb849c6510f54f681387bf810c2266bd27834c5a9c160cbfe6df44d4

SHA512
fdd9760442579ad2a3df4f31464f9e66bc19a4390fa1c81afb516cce817097b5324024f712d9c1bf1a11ad30324f5a8aa83c72a732e1197e8804ab806d3859e6

Download Submit