3c5af1a894a355a2f50206ac5923d084166e3debc6e1cf417f3393b46480b39c

Analysis

max time kernel
247s
max time network
258s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19/04/2024, 21:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

kontur.plugin.admin.exe
Size

6.8MB
MD5

46737af4e83641478d92673b628f9c1d
SHA1

fc430ccc59ad619f9515e698539d17d0204fb9d3
SHA256

3c5af1a894a355a2f50206ac5923d084166e3debc6e1cf417f3393b46480b39c
SHA512

c60409832f63693cf61616a3865098a9efdf2affba662baf7c1b620e1b2529efc7a5124db2f9d147507cdfb36691b92c2f92cfcc17353ad12ead8a7327a250cf
SSDEEP

196608:J6S778UHVROrhCIjXXoKkqYbGXZKk3POHdM:J86rOrbHoK7iEKc+m

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
4700	pkcs11check.exe
316	pkcs11check.exe
4468	pkcs11check.exe
3088	pkcs11check.exe
804	pkcs11check.exe
1920	pkcs11check.exe

Loads dropped DLL 18 IoCs

pid	Process
1888	kontur.plugin.admin.exe
1888	kontur.plugin.admin.exe
1888	kontur.plugin.admin.exe
1888	kontur.plugin.admin.exe
1888	kontur.plugin.admin.exe
4700	pkcs11check.exe
1888	kontur.plugin.admin.exe
1888	kontur.plugin.admin.exe
4468	pkcs11check.exe
1380	kontur.plugin.admin.exe
1380	kontur.plugin.admin.exe
1380	kontur.plugin.admin.exe
1380	kontur.plugin.admin.exe
1380	kontur.plugin.admin.exe
3088	pkcs11check.exe
1380	kontur.plugin.admin.exe
1380	kontur.plugin.admin.exe
1920	pkcs11check.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11\jckt2.dll	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\icon.ico	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\addons\kontur.plugin.service.control.exe	kontur.plugin.admin.exe
File created	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11check.exe	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\pkcs11\jcpkcs11-2.dll	kontur.plugin.admin.exe
File opened for modification	C:\Program Files (x86)\SkbKontur\Plugin\manifest.json	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\manifest.json	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\pkcs11\jcverify.txt	kontur.plugin.admin.exe
File created	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11\plugin.rtpkcs11ecp.dll	kontur.plugin.admin.exe
File opened for modification	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\Kontur.Plugin.IE.dll	kontur.plugin.admin.exe
File opened for modification	C:\Program Files (x86)\SkbKontur\Plugin\ff_manifest.json	kontur.plugin.admin.exe
File opened for modification	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11check.exe	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\ff_manifest.json	kontur.plugin.admin.exe
File created	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\kontur.plugin.host.exe	kontur.plugin.admin.exe
File created	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11\jcverify.exe	kontur.plugin.admin.exe
File opened for modification	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\icon.ico	kontur.plugin.admin.exe
File opened for modification	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11\jcPKCS11-2.dll	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\kontur.plugin.firefox.dll	kontur.plugin.admin.exe
File created	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\icon.ico	kontur.plugin.admin.exe
File created	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\uninstaller.exe	kontur.plugin.admin.exe
File created	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11check.exe	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\pkcs11\jckt2.dll	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\uninstaller.exe	kontur.plugin.admin.exe
File opened for modification	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11\jckt2.txt	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\pkcs11\rtpkcs11ecp.dll	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\pkcs11\jcpkcs11-2.dll	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\kontur.plugin.firefox.dll	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\kontur.plugin.host.exe	kontur.plugin.admin.exe
File opened for modification	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\addons\kontur.plugin.service.control.exe	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\kontur.plugin.ie.dll	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\manifest.json	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\pkcs11\jckt2.txt	kontur.plugin.admin.exe
File opened for modification	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11\plugin.rtpkcs11ecp.dll	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\addons\kontur.plugin.service.control.exe	kontur.plugin.admin.exe
File created	C:\Program Files (x86)\SkbKontur\Plugin\ff_manifest.json	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\pkcs11\jcverify.exe	kontur.plugin.admin.exe
File opened for modification	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11\jcverify.exe	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\pkcs11\jckt2.txt	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\uninstaller.exe	kontur.plugin.admin.exe
File created	C:\Program Files (x86)\SkbKontur\Plugin\manifest.json	kontur.plugin.admin.exe
File created	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11\jcverify.txt	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\pkcs11\jcverify.exe	kontur.plugin.admin.exe
File opened for modification	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\kontur.plugin.host.exe	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\icon.ico	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\kontur.plugin.host.exe	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\pkcs11\jcverify.txt	kontur.plugin.admin.exe
File opened for modification	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\uninstaller.exe	kontur.plugin.admin.exe
File created	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\addons\kontur.plugin.service.control.exe	kontur.plugin.admin.exe
File opened for modification	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11check.exe	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\kontur.plugin.ie.dll	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\pkcs11\jckt2.dll	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\pkcs11check.exe	kontur.plugin.admin.exe
File opened for modification	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\kontur.plugin.firefox.dll	kontur.plugin.admin.exe
File created	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11\jckt2.txt	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\ff_manifest.json	kontur.plugin.admin.exe
File created	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\kontur.plugin.firefox.dll	kontur.plugin.admin.exe
File created	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11\jcPKCS11-2.dll	kontur.plugin.admin.exe
File created	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11\jckt2.dll	kontur.plugin.admin.exe
File opened for modification	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\install.log	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\pkcs11check.exe	kontur.plugin.admin.exe
File opened for modification	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11\jcverify.txt	kontur.plugin.admin.exe
File created	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\Kontur.Plugin.IE.dll	kontur.plugin.admin.exe
File opened for modification	C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\install.log	kontur.plugin.admin.exe
File opened for modification	\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\pkcs11\rtpkcs11ecp.dll	kontur.plugin.admin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}\Version	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}\Programmable	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}\AppID = "{9d27a264-61e7-47b1-8151-0daf58c51c1b}"	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}\Programmable\	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}\TypeLib\ = "{ea8a61a6-ba19-4378-b6d9-c9d2f32282c8}"	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}\VersionIndependentProgID\ = "KonturPlugin"	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2b40f69d-5af6-4cde-b314-7f20cc69b825}\TypeLib\Version = "4.ca"	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\KonturPlugin	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\KonturPlugin\CLSID	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}\ProgID\ = "KonturPlugin.4.2.2.488"	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KonturPlugin.4.2.2.488\CLSID\ = "{0c1a6da8-7879-4897-9baa-507e19ae63da}"	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ea8a61a6-ba19-4378-b6d9-c9d2f32282c8}\4.ca\0\win32\ = "C:\\Program Files (x86)\\SkbKontur\\Plugin\\4.2.2.488\\Kontur.Plugin.IE.dll"	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KonturPlugin\CLSID\ = "{0c1a6da8-7879-4897-9baa-507e19ae63da}"	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}\InprocServer32\ = "C:\\Program Files (x86)\\SkbKontur\\Plugin\\4.2.2.488\\Kontur.Plugin.IE.dll"	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\KonturPlugin\CurVer	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4E49317FE0E31764ABE5249754630AC8\E750852A9CCC9674E8A9D87C7C41251A	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}\TypeLib	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}\InprocServer32\ = "C:\\Program Files (x86)\\SkbKontur\\Plugin\\4.2.2.488\\Kontur.Plugin.IE.dll"	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\E750852A9CCC9674E8A9D87C7C41251A	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2b40f69d-5af6-4cde-b314-7f20cc69b825}\ = "IToolbox"	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{9d27a264-61e7-47b1-8151-0daf58c51c1b}	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{ea8a61a6-ba19-4378-b6d9-c9d2f32282c8}\4.ca\HELPDIR	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\KonturPlugin\CLSID	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}\Version\ = "4.202"	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2b40f69d-5af6-4cde-b314-7f20cc69b825}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ea8a61a6-ba19-4378-b6d9-c9d2f32282c8}\4.ca\FLAGS\ = "0"	kontur.plugin.admin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E750852A9CCC9674E8A9D87C7C41251A\Assignment = "1"	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}\ProgID\ = "KonturPlugin.4.2.2.488"	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ea8a61a6-ba19-4378-b6d9-c9d2f32282c8}\4.ca\HELPDIR\ = "C:\\Program Files (x86)\\SkbKontur\\Plugin\\4.2.2.488"	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KonturPlugin.4.2.2.488\ = "KonturPlugin Class"	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}\Version	kontur.plugin.admin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E750852A9CCC9674E8A9D87C7C41251A\Version = "67240936"	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\Kontur.Plugin.IE.dll	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ea8a61a6-ba19-4378-b6d9-c9d2f32282c8}\4.ca\0\win32\ = "C:\\Program Files (x86)\\SkbKontur\\Plugin\\4.2.2.488\\Kontur.Plugin.IE.dll"	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{9d27a264-61e7-47b1-8151-0daf58c51c1b}\ = "Kontur.Plugin"	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ea8a61a6-ba19-4378-b6d9-c9d2f32282c8}\4.ca\0	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ea8a61a6-ba19-4378-b6d9-c9d2f32282c8}\4.ca\0\win32	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\E750852A9CCC9674E8A9D87C7C41251A	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{ea8a61a6-ba19-4378-b6d9-c9d2f32282c8}\4.ca\0\win32	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{9d27a264-61e7-47b1-8151-0daf58c51c1b}	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{2b40f69d-5af6-4cde-b314-7f20cc69b825}\ProxyStubClsid32	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KonturPlugin\CLSID\ = "{0c1a6da8-7879-4897-9baa-507e19ae63da}"	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\KonturPlugin.4.2.2.488\CLSID	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}\VersionIndependentProgID	kontur.plugin.admin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E750852A9CCC9674E8A9D87C7C41251A\Version = "67240936"	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}\Programmable\	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\Kontur.Plugin.IE.dll\AppID = "{9d27a264-61e7-47b1-8151-0daf58c51c1b}"	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\KonturPlugin.4.2.2.488\CLSID	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2b40f69d-5af6-4cde-b314-7f20cc69b825}\TypeLib\ = "{ea8a61a6-ba19-4378-b6d9-c9d2f32282c8}"	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2b40f69d-5af6-4cde-b314-7f20cc69b825}\TypeLib\Version = "4.ca"	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\KonturPlugin.4.2.2.488	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ea8a61a6-ba19-4378-b6d9-c9d2f32282c8}\4.ca\ = "Kontur.Plugin Type Library"	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0c1a6da8-7879-4897-9baa-507e19ae63da}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ea8a61a6-ba19-4378-b6d9-c9d2f32282c8}\4.ca\HELPDIR\ = "C:\\Program Files (x86)\\SkbKontur\\Plugin\\4.2.2.488"	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{9d27a264-61e7-47b1-8151-0daf58c51c1b}\ = "Kontur.Plugin"	kontur.plugin.admin.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{2b40f69d-5af6-4cde-b314-7f20cc69b825}	kontur.plugin.admin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ea8a61a6-ba19-4378-b6d9-c9d2f32282c8}\4.ca\ = "Kontur.Plugin Type Library"	kontur.plugin.admin.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1888	kontur.plugin.admin.exe
Token: SeDebugPrivilege	1380	kontur.plugin.admin.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1380	kontur.plugin.admin.exe
3088	pkcs11check.exe
804	pkcs11check.exe
1920	pkcs11check.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 4700	1888	kontur.plugin.admin.exe	73
PID 1888 wrote to memory of 4700	1888	kontur.plugin.admin.exe	73
PID 1888 wrote to memory of 4700	1888	kontur.plugin.admin.exe	73
PID 1888 wrote to memory of 316	1888	kontur.plugin.admin.exe	75
PID 1888 wrote to memory of 316	1888	kontur.plugin.admin.exe	75
PID 1888 wrote to memory of 316	1888	kontur.plugin.admin.exe	75
PID 1888 wrote to memory of 4468	1888	kontur.plugin.admin.exe	77
PID 1888 wrote to memory of 4468	1888	kontur.plugin.admin.exe	77
PID 1888 wrote to memory of 4468	1888	kontur.plugin.admin.exe	77
PID 1380 wrote to memory of 3088	1380	kontur.plugin.admin.exe	84
PID 1380 wrote to memory of 3088	1380	kontur.plugin.admin.exe	84
PID 1380 wrote to memory of 3088	1380	kontur.plugin.admin.exe	84
PID 1380 wrote to memory of 804	1380	kontur.plugin.admin.exe	86
PID 1380 wrote to memory of 804	1380	kontur.plugin.admin.exe	86
PID 1380 wrote to memory of 804	1380	kontur.plugin.admin.exe	86
PID 1380 wrote to memory of 1920	1380	kontur.plugin.admin.exe	88
PID 1380 wrote to memory of 1920	1380	kontur.plugin.admin.exe	88
PID 1380 wrote to memory of 1920	1380	kontur.plugin.admin.exe	88

C:\Users\Admin\AppData\Local\Temp\kontur.plugin.admin.exe
"C:\Users\Admin\AppData\Local\Temp\kontur.plugin.admin.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11check.exe
  "C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11check.exe" rtpkcs11ecp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4700
- C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11check.exe
  "C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11check.exe" rtpkcs11
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11check.exe
  "C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11check.exe" jcpkcs11-2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4468

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\kontur.plugin.admin.exe
"C:\Users\Admin\AppData\Local\Temp\kontur.plugin.admin.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11check.exe
  "C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11check.exe" rtpkcs11ecp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3088
- C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11check.exe
  "C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11check.exe" rtpkcs11
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:804
- C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11check.exe
  "C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11check.exe" jcpkcs11-2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1920

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\install.log

Filesize
65KB

MD5
0d4ce9343fdebef302f78ad68d5c9a3c

SHA1
7c1f22c5f567758e774911c67840e86505c3c4dd

SHA256
c12e9cc4460e4cf4d90acdbbb7d4058f5e49d20fd761f69eff1207934f48959b

SHA512
b494bff30af9091484e044c00cbf7068d51564270fbb6b1e93e502be72571aac8ffe230439c8a3cf3409c11a79a917a15b08a1bb47c6ddc9740c85a0c0f916a6

Download Submit
C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11\jcpkcs11-2.dll

Filesize
6.0MB

MD5
e77a72222025f9a3ccce7c65436e6ec9

SHA1
8ac155e7aba406ef464226ef61fce65c774931c7

SHA256
660b0953d754c155ce470bc33055453b6dfd38c1d1506febd5c99473f450c6b5

SHA512
9c5d2980c36a3eeaca9db9d544cb15fd55ccf41ad5727b4d7221d3ec212f26a876d323cb6209e5c7655c979b8059697238801ece90af78d128717e884f1a9ea0

Download Submit
C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11\plugin.rtpkcs11ecp.dll

Filesize
3.5MB

MD5
76d847d101923262da16d801b7ac9c43

SHA1
3609fc55e1e6fef0a3e9bf0c02839acf52263333

SHA256
f5a21a52bc28cfe5d88a57b499a71f8dc5373ba33ccb13047d82e2a9ed9e049f

SHA512
b325c62715ba6cce737dd678e1c623f1b495d3125fd666db82ccbd4c11f68b519dd2cd1565431c8aa103fb63eeaf789fc48689e76127a918bda9916139d01df7

Download Submit
C:\Program Files (x86)\SkbKontur\Plugin\4.2.2.488\pkcs11check.exe

Filesize
409KB

MD5
e78f646913451e1b379e596f85a12862

SHA1
d75de5837dc71c605cd57497b34c9083867ae101

SHA256
9741ad9d52cf32c5390607569768b88591ed27dbb635f579ba381aa2533f921e

SHA512
05732c6aa67aeea242822f4c7ac3cfaeae92c8bc40f095c7cff339cc469cc84ffa32797ca8578576f45274fe47cdf62ac71bece97e0e3eb7a2f19ee78a9c56c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc66CA.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\addons\kontur.plugin.service.control.exe

Filesize
540KB

MD5
30161b954f1e5c72de4029922cf2656b

SHA1
b379e8152c8d3d83b779f674e1016943deb2ded9

SHA256
9b985d0589b63558d637a63292954bb3794dc0fb4d68dafc5a3c7367b4b9e7e7

SHA512
cade35b5837fd70f87d3eaea281551fb335eccc3fc902054fb0211f545a5cdfaddaf1ce2a0d852cc8dc4bcaec2470194d77f105dce142573a2afa03ab5bb0262

Download Submit
\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\icon.ico

Filesize
14KB

MD5
6cbaec4411cc81008e688d0ed3ab3162

SHA1
24489a6f80bcf7d6814ef65e2600bff7b7960532

SHA256
24c81d883f825129b745f7ff1a8a528213338a19b47eeb0d566217c3a72efb7f

SHA512
1320e5d5da69bfdddd5747a2c737005c4a5b4073c3d4d22459129816de2faf81f8c116017e05247b540d4228c9ec5f52ee2d3d09b9c94645a87a3b6e2bce0422

Download Submit
\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\kontur.plugin.firefox.dll

Filesize
946KB

MD5
6ca55477bf7df7015ac8c4bea73f1232

SHA1
def4844952d9125a30cb7108dd1f1dc43996d8e1

SHA256
2d5090552f8fd3b21b3b3c8ff81790fe1ca34faa3be41c04262dee5a147bc37b

SHA512
3174932263bc24ec211df018a39657cdb1790e353c36c2fd99786011c1de9f0a386ff054484875148b944648e4b553fce77a7ddad095cceea4d8366e45ce846e

Download Submit
\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\kontur.plugin.host.exe

Filesize
3.6MB

MD5
e18f14dac04fbfeeb9e95acb97bf78e7

SHA1
28c3f538ff76395b746e5b69573c424ba9b944ac

SHA256
7b5a77d48b28afe5383d7348f03d92a1d94b832fec4e16a678ab80e885fd13f1

SHA512
9e06f126b0e6bb86b2b5109dd298bdf7a2a3fff0586904a2e7141a78ffb8f128dee3e093ea014bda9d430bbcb1de8f711be338ffcaa5ef4ff7e7122bc37d6344

Download Submit
\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\kontur.plugin.ie.dll

Filesize
1.9MB

MD5
41e92a8cef201d9ecf0cad68083d4e34

SHA1
c3afa17ece06556a6108bc7d0a255e9ea45d961d

SHA256
41bec39b3ec60086021af818b43c02b80d05691931fcbd68a74da7fdf1b29755

SHA512
78a01839fd713b3052a3d5e894c7cf29e7faa1601ff97bd0f9e9e431be35e1571ba8c0ea675c527a390316428b480d87c889ab6d202902cb5392f819c51c042f

Download Submit
\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\pkcs11\jckt2.dll

Filesize
261KB

MD5
a16afa13e12d4cb0120209841ddd9642

SHA1
414fce714615e543068b018fcc2b9f8d3e9ac58b

SHA256
09e02f7aa589be0c9e5e168edf9218006bdf9bc0f727d383ed932d045ebe925e

SHA512
4e5ee0fdeb5dfe93fccc1f6cbaf5ede1fddaf9b3e21c68b434d8aeb533f3aafc25eff0dd966a39cf802a4e732ef28ffc0df7a3f01892bf4e3e02459c0727471e

Download Submit
\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\pkcs11\jckt2.txt

Filesize
213B

MD5
96f9eef8ae8d43223b52cd85a6e34095

SHA1
5986ab8dc9f2396b530e9f6a5c1b6de95ff36350

SHA256
30665abde24d0b84e2593e21211cb36e62f3c1d1423d55a5f6f6423e23334a9a

SHA512
4565f0ad3e00f66ee3c55a0dfdd030f0c13c721a63426343eccbb7f85d7e28744b973d7ac10fc66e29b8784bc9f9a00e1e8297601c25b786ec45b3f52c2ceceb

Download Submit
\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\pkcs11\jcverify.exe

Filesize
248KB

MD5
3cee879c4ad0f98a5a213bddd02af759

SHA1
b317ea89c6801048f50ea7f5a1a5aad88ea70b98

SHA256
2949a829f155ea6b4847da2113695ba5bcfdf0a3b86ef71194045017a66c66cf

SHA512
029da6ac922f41e5a3d440cdf47a31c4fc9ca09287bfa4e75d680f8c6bbaa4d564741221449f2dc8f8fa07987f5e04a76e12919d6fc602cf85c25a4cf256eee4

Download Submit
\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\pkcs11\jcverify.txt

Filesize
216B

MD5
060d0b39033ad26579a5a6613f3f1e12

SHA1
28eb1524ed22baeebdd3cd5c434913c32b37099a

SHA256
7281ae686a97a185f9c48c34ae7a73fdea4524af3713d1f5d832af4473d790ca

SHA512
7d5e2ab0aceb9018f0302f273195acb73c9fb786e4fa3b3f7a74ee20576374b139c03714b4a6108d3ecac113c9470c8b12d00064a7d06f7ea1b472971762d7dc

Download Submit
\??\c:\program files (x86)\skbkontur\plugin\4.2.2.488\uninstaller.exe

Filesize
145KB

MD5
f9560e8bd7fd622ff220066a7d3f2de4

SHA1
8882f7ab3b709c7ce456952091b4ea84fb335e05

SHA256
f862af5a222f81bc44066a00733b325c02aeff3252edfd9468a5d9a783e5aaba

SHA512
d1a7260038afcb8c26ca366a34156e06a1261645b1f47c7b95d8f283f60e5df05ad3120fc62f6f55ffcdfdab5497af55cad8c1dd968b9d969b634dd1c41ac888

Download Submit
\??\c:\program files (x86)\skbkontur\plugin\ff_manifest.json

Filesize
226B

MD5
2b1ab7b2d1506b623e56a614e90a8c2c

SHA1
eca1f67f05ad6e20c5d19c3ce3c061a9935ca202

SHA256
75a2eaf4e88326d5604ab1fcd7abc2cd7f6c0f63b4fc3c7fe96b5e08cbfc8421

SHA512
15d10e9f8230577ab702d7d74c9332d963c9040cf7c65799c758591a04a0080a31cacaaaabb47a627689ae04d2e675906cb42184c503e83a0abfc2de74c0a3aa

Download Submit
\??\c:\program files (x86)\skbkontur\plugin\manifest.json

Filesize
513B

MD5
1496b6e33ed4cb12c4d8fcc84e268a7b

SHA1
8e21c86964e90734cd6305b7814690b233b877dd

SHA256
2eb8a41a4b74954faa81b225926c1adfcccfbbc7f94d3af5ffdf4643655e0926

SHA512
f6b321b2c336a575be3ffbc39722b1c9acf6b46344ae40fc156932276adc7df04dc2293bfbac2512589e633aeb74fa8478e39db43399ac37265116b94ef5690e

Download Submit
\Users\Admin\AppData\Local\Temp\nsc66CA.tmp\LockedList.dll

Filesize
104KB

MD5
c9a339036bdc5205a4c1bb532c61c81f

SHA1
3964eee8d38cd4778626034a68d7acd3007ff47d

SHA256
2c78f2ac46946cbe807ce66d6297d3ec355a9ccbed8a8f858d044456f73b7a2e

SHA512
537622f8b0f97b06bea942615b587900ebf7c8d0ae8c59711c7ac1394beb3b36ea135928ebfe15dc8acf6e9d26b7dd81b685c284e185e7200e379e8d66377314

Download Submit
\Users\Admin\AppData\Local\Temp\nsc66CA.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nsc66CA.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
\Users\Admin\AppData\Local\Temp\nsc66CA.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
\Users\Admin\AppData\Local\Temp\nsc66CA.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit