Analysis Overview
SHA256
4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd
Threat Level: Likely malicious
The file 4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Server Software Component: Terminal Services DLL
Event Triggered Execution: Component Object Model Hijacking
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Writes to the Master Boot Record (MBR)
Checks installed software on the system
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: LoadsDriver
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 16:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 16:54
Reported
2024-11-11 16:57
Platform
win7-20240903-en
Max time kernel
133s
Max time network
143s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\KuaiZipDrive.sys | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\KuaiZipDrive.sys | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\KuaizipUpdateChecker\Parameters\ServiceDll = "C:\\Program Files\\¿ìѹ\\X86\\kuaizipUpdateChecker.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\KuaizipUpdateChecker\Parameters\ServiceDll = "C:\\Program Files\\¿ìѹ\\X86\\kuaizipUpdateChecker.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
| N/A | N/A | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
| N/A | N/A | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| N/A | N/A | C:\Program Files\¿ìѹ\X86\KZReport.exe | N/A |
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ContextMenuExt | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ContextMenuExt\ = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}" | C:\Windows\system32\regsvr32.exe | N/A |
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files\¿ìѹ\X86\KZReport.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\¿ìѹ\X86\KZReport.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.053\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.089 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\HardLinkShlExt\ = "{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.095\ = "KuaiZip.095" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.044\shell\open\command | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.065\ = "KuaiZip.065" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QZipShell.PropertyExt | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.098\DefaultIcon\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe,0" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wim\ = "KuaiZip.wim" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.z\shell\open\command | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.002\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.044\shell\open | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.097\shell\open\command | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QZipShell.KzShlobj\ = "KzShlobj Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.023\shell\open | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.037 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.067\shell | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QZipShell.ContextMenuExt.1\CLSID\ = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.nrg | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZipMount.mdf\shell\open\command | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.020 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.7z | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.008\shell\open\command | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.081\ = "快压 081 压缩文件 " | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}\1.0\FLAGS | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.wim | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.002 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.021\ = "NoAssociate.KZ" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.090\shell\open\command | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.061 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.037\shell\open\command | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.043\shell\open\command | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.047\shell\open | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.056\ = "KuaiZip.056" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QZipShell.KzShlobj.1\ = "KzShlobj Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.cab\ = "快压 CAB 压缩文件 " | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.cab\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.075\ = "KuaiZip.075" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.098\ = "快压 098 压缩文件 " | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}\1.0 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.bz2\shell\open | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.024\ = "NoAssociate.KZ" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.053\DefaultIcon\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe,0" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.070\DefaultIcon | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.021 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.039\DefaultIcon | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.070\ = "KuaiZip.070" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.097\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.081\shell\open\command | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.013\ = "快压 013 压缩文件 " | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.032 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.071 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.081\DefaultIcon | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.002\ = "KuaiZip.002" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.089\ = "NoAssociate.KZ" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.gz\shell\open | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.009\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.016\shell\open | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.zip\shellex | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.093\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.mou\shell | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.027\shell\open | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.035\ = "快压 035 压缩文件 " | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.093\ = "KuaiZip.093" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\¿ìѹ\X86\KZReport.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | "C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe" |
| C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll" |
| C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe /s "C:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k kuaizipupdatesvc |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k kuaizipupdatesvc |
| C:\Program Files\¿ìѹ\X64\KZMount2.exe | "C:\Program Files\¿ìѹ\X64\KZMount2.exe" -InstallDriver |
| C:\Program Files\¿ìѹ\X64\KZMount2.exe | "C:\Program Files\¿ìѹ\X64\KZMount2.exe" -AssocAll |
| C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe /s "C:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll" |
| C:\Program Files\¿ìѹ\X86\KuaiZip.exe | "C:\Program Files\¿ìѹ\X86\KuaiZip.exe" -AssociateAll |
| C:\Windows\SysWOW64\regsvr32.exe | "C:\Windows\System32\regsvr32.exe" "C:\Program Files\¿ìѹ\X64\KZipShell.dll" -s |
| C:\Windows\system32\regsvr32.exe | "C:\Program Files\¿ìѹ\X64\KZipShell.dll" -s |
| C:\Program Files\¿ìѹ\X86\KZReport.exe | "C:\Program Files\¿ìѹ\X86\KZReport.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | i.kpzip.com | udp |
| CN | 14.205.47.252:80 | i.kpzip.com | tcp |
| CN | 122.190.64.38:80 | i.kpzip.com | tcp |
| CN | 112.84.131.63:80 | i.kpzip.com | tcp |
| CN | 110.249.196.56:80 | i.kpzip.com | tcp |
| CN | 113.201.158.118:80 | i.kpzip.com | tcp |
| CN | 60.220.179.199:80 | i.kpzip.com | tcp |
| CN | 116.162.169.61:80 | i.kpzip.com | tcp |
Files
C:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll
\Program Files\¿ìѹ\X86\KuaiZip.exe
\Program Files\¿ìѹ\X64\KZMount2.exe
\Program Files\¿ìѹ\X64\lang\Chs_Lang.dll
C:\Program Files\¿ìѹ\X64\Mount.dll
C:\Program Files\¿ìѹ\X64\KuaiZipDrive.sys
C:\Program Files\¿ìѹ\X86\DuiLib.dll
C:\Program Files\¿ìѹ\X86\Lang\Chs_Lang.dll
C:\Program Files\¿ìѹ\X64\KZipShell.dll
\Program Files\¿ìѹ\X86\KZReport.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 16:54
Reported
2024-11-11 16:57
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
152s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\KuaiZipDrive.sys | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\KuaiZipDrive.sys | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\KuaizipUpdateChecker\Parameters\ServiceDll = "C:\\Program Files\\¿ìѹ\\X86\\kuaizipUpdateChecker.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\KuaizipUpdateChecker\Parameters\ServiceDll = "C:\\Program Files\\¿ìѹ\\X86\\kuaizipUpdateChecker.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
| N/A | N/A | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
| N/A | N/A | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| N/A | N/A | C:\Program Files\¿ìѹ\X86\KZReport.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
| N/A | N/A | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
| N/A | N/A | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
| N/A | N/A | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
| N/A | N/A | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ContextMenuExt\ = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ContextMenuExt | C:\Windows\system32\regsvr32.exe | N/A |
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files\¿ìѹ\X86\KZReport.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\¿ìѹ\X86\KZReport.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.003\ = "NoAssociate.KZ" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.096 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}\InprocServer32\ = "C:\\Program Files\\¿ìѹ\\X64\\KZipShell.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.019 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wim\ = "KuaiZip.wim" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.083 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZipMount.ape\DefaultIcon | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz\ = "KuaiZip.tbz" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\QZipShell.DLL\AppID = "{9CC34070-3A38-4C7A-89CB-EF8177EF07A1}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.013\shell | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.064\DefaultIcon | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.jar\ = "快压 JAR 压缩文件 " | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.068\DefaultIcon | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.029 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.035\ = "NoAssociate.KZ" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZipMount.mds\shell\open | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.cab\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.010\ = "KuaiZip.010" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.02\shell | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.027\ = "NoAssociate.KZ" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZipMount.isz | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZipMount.bin\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X64\\KZMount2.exe -NewDriver \"%1\"" | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.arj\ | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.034\DefaultIcon\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe,0" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.019\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.068\shell\open | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.071\shell\open\command | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QZipShell.DragDropMenu\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QZipShell.PropertyExt\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\HardLinkShlExt | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.096\shell\open | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZipMount.vcd\DefaultIcon\ = "C:\\Program Files\\¿ìѹ\\X64\\KZMount2.exe,0" | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.05\shell\open\command | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.066\ = "快压 066 压缩文件 " | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.052 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QZipShell.ContextMenuExt\ = "ContextMenuExt Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}\TypeLib\ = "{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.014\DefaultIcon\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe,0" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.062\ = "快压 062 压缩文件 " | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.085\shell | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZipMount_FileAsso.Origin\.mdf\ = "NoAssociate.KuaiZipMount" | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.013\ = "KuaiZip.013" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.096 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gzip\ = "KuaiZip.gzip" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.006\ = "NoAssociate.KZ" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.060\ = "NoAssociate.KZ" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.084\ = "快压 084 压缩文件 " | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.024\ = "KuaiZip.024" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bin\ = "KuaiZipMount.bin" | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QZipShell.ContextMenuExt.1\ = "ContextMenuExt Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ContextMenuExt\ = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QZipShell.DragDropMenu.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.nrg | C:\Program Files\¿ìѹ\X64\KZMount2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.rpm\ = "快压 RPM 压缩文件 " | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.053 | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QZipShell.DragDropMenu.1\CLSID\ = "{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.09\shell\open | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.021\shell\open\command | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.093\ = "NoAssociate.KZ" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip_FileAsso.Origin\.068\ = "NoAssociate.KZ" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.lzh\shell\open\command | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.042\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.075\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KuaiZip.057\shell\open\command\ = "C:\\Program Files\\¿ìѹ\\X86\\KuaiZip.exe \"%1\"" | C:\Program Files\¿ìѹ\X86\KuaiZip.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\¿ìѹ\X86\KZReport.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe | "C:\Users\Admin\AppData\Local\Temp\4e9aae4c2f3197b2f96b7e180120c74c1e599520f8b72ef1e256c8e08b7df1bd.exe" |
| C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll" |
| C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe /s "C:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k kuaizipupdatesvc |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k kuaizipupdatesvc |
| C:\Program Files\¿ìѹ\X64\KZMount2.exe | "C:\Program Files\¿ìѹ\X64\KZMount2.exe" -InstallDriver |
| C:\Program Files\¿ìѹ\X64\KZMount2.exe | "C:\Program Files\¿ìѹ\X64\KZMount2.exe" -AssocAll |
| C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe /s "C:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll" |
| C:\Program Files\¿ìѹ\X86\KuaiZip.exe | "C:\Program Files\¿ìѹ\X86\KuaiZip.exe" -AssociateAll |
| C:\Windows\SysWOW64\regsvr32.exe | "C:\Windows\System32\regsvr32.exe" "C:\Program Files\¿ìѹ\X64\KZipShell.dll" -s |
| C:\Windows\system32\regsvr32.exe | "C:\Program Files\¿ìѹ\X64\KZipShell.dll" -s |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /delete /tn KuaiZip_Update /f |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /tn KuaiZip_Update /tr "C:\PROGRA~1\F85A~1\X86\Update.exe" /sc hourly |
| C:\Program Files\¿ìѹ\X86\KZReport.exe | "C:\Program Files\¿ìѹ\X86\KZReport.exe" |
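The registry and process records above describe four host-level changes worth detecting regardless of which product makes them: machine-wide file-association rewrites (HKLM\SOFTWARE\Classes\.ext defaults set by a process outside the Windows directory), a shell-extension CLSID registered under a shellex handler key (loaded into every Explorer process), a service hosted in svchost whose ServiceDll lives outside System32 together with a non-standard svchost group, and a scheduled task created on an hourly schedule pointing at an 8.3 short-name path. The following Python is an added example for this write-up, not code from the sandbox or from the KuaiZip software. It runs that detection logic over constructed Sysmon-style events built from the indicators in this report (paths, ProgIDs, CLSIDs, service and task names); the event layout, field names and the svchost group baseline are assumptions. It matches processes by basename because, as the Processes list shows, a 32-bit parent's command line names System32 while the image actually launched is under SysWOW64 (WOW64 file system redirection), so full-path matching would miss those rows.

```python
"""Detection logic for the persistence and association changes in this report.

Added example, not code from the sandbox or from the KuaiZip software. Events
are constructed from indicators in the report; the (event_id, image, detail)
shape loosely follows Sysmon IDs 1 (process create) and 13 (registry value
set) but is an assumption, not real Sysmon output.
"""
import re
from ntpath import basename

WINDIR = r"c:\windows"
SYSTEM32 = WINDIR + "\\system32\\"

# Partial baseline of svchost groups on a default Windows 7 build (assumption:
# tune this against a clean image before relying on it).
BASELINE_SVCHOST_GROUPS = {
    "netsvcs", "localservice", "networkservice", "dcomlaunch", "rpcss",
    "localsystemnetworkrestricted", "localservicenonetwork",
    "localservicenetworkrestricted", "localserviceandnoimpersonation",
    "networkservicenetworkrestricted", "wersvcgroup", "secsvcs",
}

EXT_DEFAULT = re.compile(r"\\Classes\\(\.[^\\]+)\\\(Default\)$", re.I)
SHELLEX = re.compile(
    r"\\shellex\\(?:ContextMenuHandlers|DragDropHandlers|PropertySheetHandlers"
    r"|CopyHookHandlers)\\[^\\]+\\\(Default\)$", re.I)
CLSID = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
SHORTNAME = re.compile(r"~\d+(?:\\|$)")            # 8.3 component such as F85A~1\
TASK_RUN = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)
TASK_SCHED = re.compile(r"/sc\s+(\S+)", re.I)
SVCHOST_GROUP = re.compile(r"-k\s+(\S+)", re.I)

# Constructed events (event_id, image, detail); the last two are benign controls.
EVENTS = [
    (13, r"C:\Program Files\¿ìѹ\X86\KuaiZip.exe",
     r"HKLM\SOFTWARE\Classes\.024\(Default) = KuaiZip.024"),
    (13, r"C:\Program Files\¿ìѹ\X64\KZMount2.exe",
     r"HKLM\SOFTWARE\Classes\.bin\(Default) = KuaiZipMount.bin"),
    (13, r"C:\Windows\system32\regsvr32.exe",
     r"HKLM\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ContextMenuExt\(Default)"
     r" = {6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}"),
    (13, r"C:\Windows\SysWOW64\regsvr32.exe",
     r"HKLM\SYSTEM\ControlSet001\services\KuaizipUpdateChecker\Parameters\ServiceDll"
     r" = C:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll"),
    (1, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /create /tn KuaiZip_Update'
     r' /tr "C:\PROGRA~1\F85A~1\X86\Update.exe" /sc hourly'),
    (1, r"C:\Windows\SysWOW64\svchost.exe",
     r"C:\Windows\SysWOW64\svchost.exe -k kuaizipupdatesvc"),
    (13, r"C:\Windows\System32\msiexec.exe",
     r"HKLM\SOFTWARE\Classes\.txt\(Default) = txtfile"),
    (1, r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\svchost.exe -k netsvcs"),
]


def detect(events):
    """Return (rule, image basename, evidence) tuples for events that match a rule."""
    hits = []
    for event_id, image, detail in events:
        # Basename, not full path: a 32-bit parent names System32 in the command
        # line while the image that actually ran is the SysWOW64 copy.
        exe = basename(image).lower()
        if event_id == 13:
            target, _, data = detail.partition(" = ")
            ext = EXT_DEFAULT.search(target)
            if ext and target.upper().startswith("HKLM") \
                    and not image.lower().startswith(WINDIR):
                hits.append(("file_association_takeover", exe, f"{ext.group(1)} -> {data}"))
            elif SHELLEX.search(target) and CLSID.match(data):
                hits.append(("shell_extension_registered", exe, data))
            elif target.lower().endswith(r"\parameters\servicedll") \
                    and not data.lower().startswith(SYSTEM32):
                hits.append(("servicedll_outside_system32", exe, data))
        elif event_id == 1:
            if exe == "schtasks.exe" and "/create" in detail.lower():
                run_match = TASK_RUN.search(detail)
                run = (run_match.group(1) or run_match.group(2)) if run_match else ""
                sched = TASK_SCHED.search(detail)
                frequent = bool(sched) and sched.group(1).lower() in {"minute", "hourly"}
                if frequent or SHORTNAME.search(run):
                    hits.append(("suspicious_scheduled_task", exe, run))
            elif exe == "svchost.exe":
                grp = SVCHOST_GROUP.search(detail)
                if grp and grp.group(1).lower() not in BASELINE_SVCHOST_GROUPS:
                    hits.append(("nonstandard_svchost_group", exe, grp.group(1)))
    return hits


if __name__ == "__main__":
    for rule, exe, evidence in detect(EVENTS):
        print(f"{rule:32} {exe:16} {evidence}")
```

Run against the constructed events, the six KuaiZip rows each produce one hit and the two control rows produce none. Treat these as hunting signals rather than alerts: legitimate third-party installers also rewrite HKLM associations and register shell extensions, so the value is in correlating all four behaviours from one install tree, as this report does, and in the svchost group and ServiceDll path, which are the cheapest to baseline.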
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i.kpzip.com | udp |
| CN | 122.190.64.38:80 | i.kpzip.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| CN | 116.136.12.227:80 | i.kpzip.com | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| CN | 60.220.179.199:80 | i.kpzip.com | tcp |
| CN | 116.162.169.61:80 | i.kpzip.com | tcp |
| CN | 60.28.220.184:80 | i.kpzip.com | tcp |
| CN | 42.236.89.8:80 | i.kpzip.com | tcp |
| CN | 119.167.229.190:80 | i.kpzip.com | tcp |
Files
C:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll
| MD5 | 57dcb435d455facabcbb943df4439211 |
| SHA1 | 6cbf59c6a0dd83427104d1d2b02308e23f3bac71 |
| SHA256 | c115c445731dfc9ac86e03fc46385149abd6da6fdb086092bc711d77c579cd86 |
| SHA512 | b0334b37dce72f24ab825e376fbec1702476b86978898fe8b1c70d0280781d0353b565b9e2a479bc28a452038a5d49a93cf11b1e81a23870bcfea95ad327782b |
C:\Program Files\¿ìѹ\X86\KuaiZip.exe
| MD5 | 23209cd2c9fb9b1b506cf04732a2fdc9 |
| SHA1 | dcf81ccb7b0ba1ff26bc19ab57b7d1d776acc064 |
| SHA256 | ccf82a791c6a32ab05622b29fc4fe27199a76b6e923e5f9e0ea14e1dcedf3b61 |
| SHA512 | be8f302345259e8ea81d4d02d1e73d6c6127fd574ca604d425a04b63bc8c6be22e7e492f118c43dc791c440b3ec153161dba0117ceaeed2de67618ede9a0eaae |
C:\Program Files\¿ìѹ\X64\KZMount2.exe
| MD5 | 6092e931993ce98e90bd9a8ba5e0f81d |
| SHA1 | 9f6e2cfee88a965ac9c621244ae4e743179926bb |
| SHA256 | 0a4005988099b5958842aa8b064f8ea63a62d6b3ce8cf474df810b229768d2aa |
| SHA512 | a317e1afc8c9144481ef2322019a798c32d3aaa54521c3084816cc2fbe6283b7b1f9c2d53ddd66247499e0ad9efbc6d424f4561a45c5462e656356ae040d2876 |
C:\Program Files\¿ìѹ\X64\Lang\Chs_Lang.dll
| MD5 | f4b0f5f11f6c45f9f35683daaf1dc154 |
| SHA1 | 66a5a9f11eb488687abd9098bf972b5f140b79ad |
| SHA256 | d9f93356f1459fa4352529a3984ddacd774bd44ca54e2c7261b4fed569f21037 |
| SHA512 | 6cfb3c8f496b4798c26edb1806f8f82b661e9163c33f7c87578b4f951fc8d3575f15c9e97dbbe2b4e8b53f32213d9f1e20667f6eb97869cc985deee0ff2f318f |
C:\Program Files\¿ìѹ\X64\Mount.dll
| MD5 | bb749bff8225c1f4fe637ee9b9900605 |
| SHA1 | 9f0259bb8532188bc58d3e0443e8dbcddb0d11f3 |
| SHA256 | f8a5b80bd4df9b8476ad22c8fff874e986582a1045e166e8cee05cb4f5b80416 |
| SHA512 | 74d53797952032bbe4d75b0bd43b3129031306a8060789f44ed2f6100430f82653e4b99fe9ee783c85bf7d8682e4825d1d45da1cb204cb1add49ed7bd9a5a835 |
C:\Program Files\¿ìѹ\X64\KuaiZipDrive.sys
| MD5 | 1876e8b3f3a1a8ebb1cb6adce66aa56d |
| SHA1 | 34fce38d3ea4551dceecf2784efcaf8baaadd412 |
| SHA256 | 94384ff5849f6350df1a249260f82c6c8061362588fc1057ee498d72b0a709e1 |
| SHA512 | 80544ccac70bf2eb67e4cae4914449c464c78a0326885fd975e473375655443f3d7e5d6a905286d9b8ddb5d8f35ca14fec96a196be9eae5e3a443c53db3dbe57 |
C:\Program Files\¿ìѹ\X86\DuiLib.dll
| MD5 | a4dfb3886fd564277b972e0eb6a85d37 |
| SHA1 | 65e7065e87630aec7a51dfef744d9a0ff05a475d |
| SHA256 | b1d2065329687cf7162ca1c303f6418c97b8a9e8914b6c388d834b2318c609be |
| SHA512 | 4d81770561bbb95dcba4207bc5f1c94acd7f3defb6d82bf427eff08b7aa4360fd28f754015672c8e34cda81bfbd375b9ed9a4707e3276b9b9664eb17ddcafa4b |
C:\Program Files\¿ìѹ\X64\KZipShell.dll
| MD5 | be4b24bd17c88ef4e5a95461c8c96c41 |
| SHA1 | 3003617159914a14cec3c7b78fee70c26094025e |
| SHA256 | 014790e04d73ac79bdcb5d4d33bb9d687fee4bba33584d524d649b4142f8e4bf |
| SHA512 | c83505bc47563122ef02cc81d07e4e3ef5ac6648a9cdb9907b296378ec21f6c35f438f0269cd92df55150d37169cdd5615f849d30db1bdc41bee8a84f1567b60 |
C:\Program Files\¿ìѹ\X86\lang\Chs_Lang.dll
| MD5 | b97edec9d770cffe2d1ae4c133aeff17 |
| SHA1 | 2005bf84b016041c66b39d8b4a6a1713388b3e78 |
| SHA256 | f076084d2aca4e6f37b80b950b89eee71339e9d0e7d4a2bea638e58f81dcd34d |
| SHA512 | d88c65135fd8f60f8fda581a0c3b1f6eeec50d360793c0ccfe20be9d5d048da88947836bb603a87cadcc0f8b4969b5566285c999471c0e68ee8a047919bd2c8a |
C:\Program Files\¿ìѹ\X86\KZReport.exe
| MD5 | c615fdd832f80a8ff0cff8e3253a6fe9 |
| SHA1 | ca09e99d21e2392e9559a01564c54d0e6f0cfd1b |
| SHA256 | f23c1cfc0e701d0e5c8f2a869b9ab65423e10db7072a0ece5998ae63726f0c35 |
| SHA512 | 43c82ae37094fdf2d78352fd66890f25730270602b4821e46ac6b44db653fb2b88ea189a4b7922faccd32f536a14726b1db3308316c76d4c9d5e47414acdb6f5 |