593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0

Analysis

max time kernel
152s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Size

323KB
MD5

6f6dabe0ac5d705ded06b13d938ab3ec
SHA1

75ecc8f20c9dc3299a6178ba6003c180e05a75b1
SHA256

593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0
SHA512

bc05e82933984c6e520e7bc1a4eb274e9ba0ec36c3a1c02b1c180270b8e0319ad7e574156835d5292fb3e169ebe2099f57001d3f49e44e76722da36bf472a2bc
SSDEEP

6144:lBxeN/Tdx8YzL+4eBDgelLBL9C53TV5n+yNXavM:lBxe9dx8Yz6nhtL9C53TV5n+4av

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	K0L4B0R451.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Kantuk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4K51K4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	GoldenGhost.exe

Disables RegEdit via registry modification 12 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Kantuk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4K51K4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Kantuk.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 12 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Kantuk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Kantuk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	4K51K4.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 10 IoCs

pid	Process
1568	winlogon.exe
992	winlogon.exe
1212	Kantuk.exe
1892	4K51K4.exe
1676	Kantuk.exe
1940	4K51K4.exe
2008	K0L4B0R451.exe
2000	K0L4B0R451.exe
1580	GoldenGhost.exe
1560	GoldenGhost.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe\Debugger = "cmd.exe /c del"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe\Debugger = "cmd.exe /c del"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe\Debugger = "cmd.exe /c del"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe\Debugger = "cmd.exe /c del"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe\Debugger = "cmd.exe /c del"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe\Debugger = "cmd.exe /c del"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe\Debugger = "cmd.exe /c del"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe\Debugger = "notepad.exe"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe\Debugger = "cmd.exe /c del"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\Debugger = "cmd.exe /c del"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe\Debugger = "cmd.exe /c del"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe\Debugger = "cmd.exe /c del"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe\Debugger = "cmd.exe /c del"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe\Debugger = "cmd.exe /c del"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe\Debugger = "notepad.exe"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe\Debugger = "cmd.exe /c del"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe\Debugger = "cmd.exe /c del"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger = "notepad.exe"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe

Loads dropped DLL 20 IoCs

pid	Process
960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
1568	winlogon.exe
1568	winlogon.exe
1568	winlogon.exe
1568	winlogon.exe
1568	winlogon.exe
1568	winlogon.exe
960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
1568	winlogon.exe
1568	winlogon.exe
960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
1568	winlogon.exe
1568	winlogon.exe
960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	GoldenGhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	4K51K4.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	4K51K4.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	Kantuk.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	winlogon.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	Kantuk.exe
File opened (read-only)	\??\U:	Kantuk.exe
File opened (read-only)	\??\L:	K0L4B0R451.exe
File opened (read-only)	\??\N:	K0L4B0R451.exe
File opened (read-only)	\??\O:	K0L4B0R451.exe
File opened (read-only)	\??\P:	K0L4B0R451.exe
File opened (read-only)	\??\Q:	K0L4B0R451.exe
File opened (read-only)	\??\V:	Kantuk.exe
File opened (read-only)	\??\E:	Kantuk.exe
File opened (read-only)	\??\F:	Kantuk.exe
File opened (read-only)	\??\G:	Kantuk.exe
File opened (read-only)	\??\W:	Kantuk.exe
File opened (read-only)	\??\G:	K0L4B0R451.exe
File opened (read-only)	\??\R:	K0L4B0R451.exe
File opened (read-only)	\??\I:	Kantuk.exe
File opened (read-only)	\??\M:	Kantuk.exe
File opened (read-only)	\??\O:	Kantuk.exe
File opened (read-only)	\??\T:	K0L4B0R451.exe
File opened (read-only)	\??\Y:	K0L4B0R451.exe
File opened (read-only)	\??\R:	Kantuk.exe
File opened (read-only)	\??\B:	K0L4B0R451.exe
File opened (read-only)	\??\E:	K0L4B0R451.exe
File opened (read-only)	\??\H:	K0L4B0R451.exe
File opened (read-only)	\??\I:	K0L4B0R451.exe
File opened (read-only)	\??\J:	K0L4B0R451.exe
File opened (read-only)	\??\K:	K0L4B0R451.exe
File opened (read-only)	\??\F:	K0L4B0R451.exe
File opened (read-only)	\??\B:	Kantuk.exe
File opened (read-only)	\??\K:	Kantuk.exe
File opened (read-only)	\??\L:	Kantuk.exe
File opened (read-only)	\??\P:	Kantuk.exe
File opened (read-only)	\??\S:	Kantuk.exe
File opened (read-only)	\??\T:	Kantuk.exe
File opened (read-only)	\??\Z:	Kantuk.exe
File opened (read-only)	\??\Z:	K0L4B0R451.exe
File opened (read-only)	\??\J:	Kantuk.exe
File opened (read-only)	\??\Y:	Kantuk.exe
File opened (read-only)	\??\M:	K0L4B0R451.exe
File opened (read-only)	\??\V:	K0L4B0R451.exe
File opened (read-only)	\??\W:	K0L4B0R451.exe
File opened (read-only)	\??\H:	Kantuk.exe
File opened (read-only)	\??\Q:	Kantuk.exe
File opened (read-only)	\??\X:	Kantuk.exe
File opened (read-only)	\??\S:	K0L4B0R451.exe
File opened (read-only)	\??\U:	K0L4B0R451.exe
File opened (read-only)	\??\X:	K0L4B0R451.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	Kantuk.exe
File opened for modification	C:\autorun.inf	Kantuk.exe

Drops file in System32 directory 47 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File created	C:\Windows\SysWOW64\Folder.ico	winlogon.exe
File created	C:\Windows\SysWOW64\Kantuk.exe	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File created	C:\Windows\SysWOW64\Shell32.com	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File opened for modification	C:\Windows\SysWOW64\Kantuk.exe.tmp	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File opened for modification	C:\Windows\SysWOW64\Shell32.com.tmp	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Word.ico	winlogon.exe
File created	C:\Windows\SysWOW64\GoldenGhost.exe	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Windows_3D.scr	winlogon.exe
File created	C:\Windows\SysWOW64\Rar.ico	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Kantuk.exe	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File opened for modification	C:\Windows\SysWOW64\GoldenGhost.exe	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File opened for modification	C:\Windows\SysWOW64\Shell32.com	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File opened for modification	C:\Windows\SysWOW64\4K51K4.exe.tmp	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File opened for modification	C:\Windows\SysWOW64\4K51K4.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Shell32.com.tmp	winlogon.exe
File created	C:\Windows\SysWOW64\Player.ico	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\K0L4B0R451.exe	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File created	C:\Windows\SysWOW64\Rar.ico	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File opened for modification	C:\Windows\SysWOW64\Windows_3D.scr	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File opened for modification	C:\Windows\SysWOW64\K0L4B0R451.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\4K51K4.exe.tmp	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\K0L4B0R451.exe.tmp	winlogon.exe
File created	C:\Windows\SysWOW64\Asli.ico	winlogon.exe
File created	C:\Windows\SysWOW64\K0L4B0R451.exe	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File opened for modification	C:\Windows\SysWOW64\K0L4B0R451.exe.tmp	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File created	C:\Windows\SysWOW64\Folder.ico	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File created	C:\Windows\SysWOW64\Asli.ico	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File opened for modification	C:\Windows\SysWOW64\Kantuk.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\GoldenGhost.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp	winlogon.exe
File created	C:\Windows\SysWOW64\Player.ico	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File opened for modification	C:\Windows\SysWOW64\4K51K4.exe	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File created	C:\Windows\SysWOW64\4K51K4.exe	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File opened for modification	C:\Windows\SysWOW64\GoldenGhost.exe.tmp	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File created	C:\Windows\SysWOW64\Word.ico	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
File opened for modification	C:\Windows\SysWOW64\Shell32.com	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Kantuk.exe.tmp	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\GoldenGhost.exe.tmp	winlogon.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\K0L4B0R451.jpg"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\K0L4B0R451.jpg	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 45 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\WallpaperStyle = "0"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\s1159 = "K0L4B0R451"	Kantuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\s1159 = "K0L4B0R451"	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\s2359 = "K0L4B0R451"	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\s2359 = "K0L4B0R451"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	Kantuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\s2359 = "K0L4B0R451"	Kantuk.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	GoldenGhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\	GoldenGhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Kantuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\s2359 = "K0L4B0R451"	GoldenGhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	GoldenGhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\s1159 = "K0L4B0R451"	GoldenGhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\s1159 = "K0L4B0R451"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\s1159 = "K0L4B0R451"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	Kantuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\s2359 = "K0L4B0R451"	4K51K4.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\	K0L4B0R451.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\	GoldenGhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\s1159 = "K0L4B0R451"	K0L4B0R451.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\s2359 = "K0L4B0R451"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\	Kantuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	GoldenGhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\TileWallpaper = "0"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\	Kantuk.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	4K51K4.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command\ = "logoff.exe"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\NeverShowExt = "1"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\shell\Install\command	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Edit\Command	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "logoff.exe"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "K0L4B0R451 File"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "logoff.exe"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "K0L4B0R451 File"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "logoff.exe"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "K0L4B0R451 File"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\shell\Install\command	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install\command	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Edit\Command	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\shell	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command\ = "logoff.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install\command\ = "logoff.exe"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "K0L4B0R451 File"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "logoff.exe"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Edit\Command\ = "logoff.exe"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\Shell\Edit\Command	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\Shell\Edit\Command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\Shell\Edit\Command	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "logoff.exe"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
1892	4K51K4.exe
1580	GoldenGhost.exe
1212	Kantuk.exe
2008	K0L4B0R451.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
1568	winlogon.exe
992	winlogon.exe
1212	Kantuk.exe
1892	4K51K4.exe
1676	Kantuk.exe
2008	K0L4B0R451.exe
1940	4K51K4.exe
2000	K0L4B0R451.exe
1580	GoldenGhost.exe
1560	GoldenGhost.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 1568	960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe	27
PID 960 wrote to memory of 1568	960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe	27
PID 960 wrote to memory of 1568	960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe	27
PID 960 wrote to memory of 1568	960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe	27
PID 1568 wrote to memory of 992	1568	winlogon.exe	28
PID 1568 wrote to memory of 992	1568	winlogon.exe	28
PID 1568 wrote to memory of 992	1568	winlogon.exe	28
PID 1568 wrote to memory of 992	1568	winlogon.exe	28
PID 1568 wrote to memory of 1212	1568	winlogon.exe	29
PID 1568 wrote to memory of 1212	1568	winlogon.exe	29
PID 1568 wrote to memory of 1212	1568	winlogon.exe	29
PID 1568 wrote to memory of 1212	1568	winlogon.exe	29
PID 1568 wrote to memory of 1892	1568	winlogon.exe	30
PID 1568 wrote to memory of 1892	1568	winlogon.exe	30
PID 1568 wrote to memory of 1892	1568	winlogon.exe	30
PID 1568 wrote to memory of 1892	1568	winlogon.exe	30
PID 960 wrote to memory of 1676	960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe	31
PID 960 wrote to memory of 1676	960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe	31
PID 960 wrote to memory of 1676	960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe	31
PID 960 wrote to memory of 1676	960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe	31
PID 1568 wrote to memory of 2008	1568	winlogon.exe	32
PID 1568 wrote to memory of 2008	1568	winlogon.exe	32
PID 1568 wrote to memory of 2008	1568	winlogon.exe	32
PID 1568 wrote to memory of 2008	1568	winlogon.exe	32
PID 960 wrote to memory of 1940	960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe	33
PID 960 wrote to memory of 1940	960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe	33
PID 960 wrote to memory of 1940	960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe	33
PID 960 wrote to memory of 1940	960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe	33
PID 960 wrote to memory of 2000	960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe	34
PID 960 wrote to memory of 2000	960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe	34
PID 960 wrote to memory of 2000	960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe	34
PID 960 wrote to memory of 2000	960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe	34
PID 1568 wrote to memory of 1580	1568	winlogon.exe	35
PID 1568 wrote to memory of 1580	1568	winlogon.exe	35
PID 1568 wrote to memory of 1580	1568	winlogon.exe	35
PID 1568 wrote to memory of 1580	1568	winlogon.exe	35
PID 960 wrote to memory of 1560	960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe	36
PID 960 wrote to memory of 1560	960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe	36
PID 960 wrote to memory of 1560	960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe	36
PID 960 wrote to memory of 1560	960	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe	36

System policy modification 1 TTPs 48 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	GoldenGhost.exe

C:\Users\Admin\AppData\Local\Temp\593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
"C:\Users\Admin\AppData\Local\Temp\593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:960
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
  C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1568
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:992
- - C:\Windows\SysWOW64\Kantuk.exe
    C:\Windows\system32\Kantuk.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Sets file execution options in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1212
- - C:\Windows\SysWOW64\4K51K4.exe
    C:\Windows\system32\4K51K4.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Sets file execution options in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1892
- - C:\Windows\SysWOW64\K0L4B0R451.exe
    C:\Windows\system32\K0L4B0R451.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Sets file execution options in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2008
- - C:\Windows\SysWOW64\GoldenGhost.exe
    C:\Windows\system32\GoldenGhost.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Sets file execution options in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1580
- C:\Windows\SysWOW64\Kantuk.exe
  C:\Windows\system32\Kantuk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1676
- C:\Windows\SysWOW64\4K51K4.exe
  C:\Windows\system32\4K51K4.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1940
- C:\Windows\SysWOW64\K0L4B0R451.exe
  C:\Windows\system32\K0L4B0R451.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2000
- C:\Windows\SysWOW64\GoldenGhost.exe
  C:\Windows\system32\GoldenGhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Aut0exec.bat

Filesize
323KB

MD5
753ee19695ec41faaf3efd1dae613599

SHA1
7d2721a3972cc76938b09add6bff678f5d508ae9

SHA256
d8e45d8f5ffde77db9d4b65f09e7d533e0352af99a930f9a929f2aa050ae71cd

SHA512
c78a6088f56c0ecccbb96c62c22f409cd0443fa4b57e35d4b2e8f470196295d392a27ccaeec1dcae8b700c79702e966dbd0a490e3df2503fe0aae4472a2c2a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr

Filesize
323KB

MD5
8afedacba44aa48b7972ac096940b711

SHA1
827e06807a5576e661d69b9b2e99e6e5053379fa

SHA256
252fae5db7d5de238c1511d06ebad7550ce300bb5ef8de6098b45c6a43ec13e7

SHA512
159012b6ec3238ce32dad691cba543ba355d89daa682d5e5235872d17e59f73de6fca2deb3a5279e71e24500dcb89976a45ff975370441b49f0f44544214bc99

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
323KB

MD5
42b0fa468a09969847c4b76a6588e857

SHA1
a5181911240b7d3993714b1a1803479b25c12259

SHA256
050fe17bffe6b9c2902940bbf5609314b42b40733aff9b7ee539ad3b82203266

SHA512
c57e8589c1fd7932f141477e7f4d2da9f0a511473b0e31162edfb52258d58c4acb8ef306f698d069090737b4424f53179de0b6b4a33049a5777ef2c8db60d673

Download Submit
C:\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
0bcdc027324ff53062d9a0314e41f483

SHA1
2267133b3940ab326a9605440e89a89487610dfd

SHA256
5b8e67a7677df31e4723fc96f8c1cead89d1e31b6e62ba91b59ae4e3cde0d06d

SHA512
6b1bc7c56de445d8219595204133e006bc8c18f3dd2aa624d444ba0d2aac5066cf1b3dad66e43f615888b538cb7f07535ba9e5b6717e272b84cf8e51b7516ddf

Download Submit
C:\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
0bcdc027324ff53062d9a0314e41f483

SHA1
2267133b3940ab326a9605440e89a89487610dfd

SHA256
5b8e67a7677df31e4723fc96f8c1cead89d1e31b6e62ba91b59ae4e3cde0d06d

SHA512
6b1bc7c56de445d8219595204133e006bc8c18f3dd2aa624d444ba0d2aac5066cf1b3dad66e43f615888b538cb7f07535ba9e5b6717e272b84cf8e51b7516ddf

Download Submit
C:\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
84ead9dd3326c9febe29bfc380165575

SHA1
fc00ff443463b7c8d334d692fdd0c84c42d9adef

SHA256
a4943c6c03c023972354bf215044f5678d269901cd8f2e11af167ef1bf92f6e5

SHA512
b63114fdf5c4579272314929ce7f000fbb051126781f8ea64c5d8a38e7a006f0585b0ae4fa6a4b08eec62259559867b92afa4365c2edb1188d9fb376a5891cd7

Download Submit
C:\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
0bcdc027324ff53062d9a0314e41f483

SHA1
2267133b3940ab326a9605440e89a89487610dfd

SHA256
5b8e67a7677df31e4723fc96f8c1cead89d1e31b6e62ba91b59ae4e3cde0d06d

SHA512
6b1bc7c56de445d8219595204133e006bc8c18f3dd2aa624d444ba0d2aac5066cf1b3dad66e43f615888b538cb7f07535ba9e5b6717e272b84cf8e51b7516ddf

Download Submit
C:\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
f448169b1864f472a5a28731a76627a9

SHA1
32e075f9f75b3644e16f563f2d9f9fa6e7bfe34d

SHA256
c727bf2f2b92f263c0f58ba914dfb074f577e6e746114069b8683921f6317e9b

SHA512
bdbeab9affae1c2add564d5481169db82511e278b435be4d8b6583fe0180496577d7e6dea2aec9de087b9d050052023638fc4eb5b270246febbd496d83d4d586

Download Submit
C:\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
f448169b1864f472a5a28731a76627a9

SHA1
32e075f9f75b3644e16f563f2d9f9fa6e7bfe34d

SHA256
c727bf2f2b92f263c0f58ba914dfb074f577e6e746114069b8683921f6317e9b

SHA512
bdbeab9affae1c2add564d5481169db82511e278b435be4d8b6583fe0180496577d7e6dea2aec9de087b9d050052023638fc4eb5b270246febbd496d83d4d586

Download Submit
C:\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
f448169b1864f472a5a28731a76627a9

SHA1
32e075f9f75b3644e16f563f2d9f9fa6e7bfe34d

SHA256
c727bf2f2b92f263c0f58ba914dfb074f577e6e746114069b8683921f6317e9b

SHA512
bdbeab9affae1c2add564d5481169db82511e278b435be4d8b6583fe0180496577d7e6dea2aec9de087b9d050052023638fc4eb5b270246febbd496d83d4d586

Download Submit
C:\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
c75b2265f4d5ca1f9d57d20e0673f9a2

SHA1
73789191cc09de41371fda8d90e347af96e55585

SHA256
0e3778c84d15ca8464c7c67f07e29c892430822e2ae1e465100dcf071373f20e

SHA512
8e06b2c038dc662eff8e9957d417126e58a6fd266fb2ee1e34311abe141728e8f3eadd28e984940c0ec0256762e5e87cf51a15d3a877e5e30705884b50ba4f62

Download Submit
C:\Windows\SysWOW64\K0L4B0R451.exe

Filesize
323KB

MD5
ad814d9325db0cf3c49ac5de0a829553

SHA1
0f9a8defec268e29a3cf49a371ced92e38635178

SHA256
c51a721c2b3825105453d40ca2c0d88a3e81b5d6e2c52d2be4d41ed9f60eb4a7

SHA512
f35ddd813643efe16ff6550401d9930fe0f578cb3f550e56edc893b0072968886a2899c4fadff5ce302a9bec139bda1cf169904e5ca78f93e7708cad3657dba7

Download Submit
C:\Windows\SysWOW64\K0L4B0R451.exe

Filesize
323KB

MD5
ad814d9325db0cf3c49ac5de0a829553

SHA1
0f9a8defec268e29a3cf49a371ced92e38635178

SHA256
c51a721c2b3825105453d40ca2c0d88a3e81b5d6e2c52d2be4d41ed9f60eb4a7

SHA512
f35ddd813643efe16ff6550401d9930fe0f578cb3f550e56edc893b0072968886a2899c4fadff5ce302a9bec139bda1cf169904e5ca78f93e7708cad3657dba7

Download Submit
C:\Windows\SysWOW64\K0L4B0R451.exe

Filesize
323KB

MD5
0f1b4b53c8902439ac5fe607bb5526fa

SHA1
bf16d4bf5027734068642f477235b894ac5176d8

SHA256
b79c299b57abfb71ecca5a0d41181e388587b7a339274b32f67c916b9fbdee35

SHA512
8da10c39b25247fea0fff253d6c18c277ea706431a727a7e5b6acc2732b6969e99aefef93de5972ac6bc3512a8542fbbb719e8606293acea5fcf54ba635c6002

Download Submit
C:\Windows\SysWOW64\K0L4B0R451.exe

Filesize
323KB

MD5
ad814d9325db0cf3c49ac5de0a829553

SHA1
0f9a8defec268e29a3cf49a371ced92e38635178

SHA256
c51a721c2b3825105453d40ca2c0d88a3e81b5d6e2c52d2be4d41ed9f60eb4a7

SHA512
f35ddd813643efe16ff6550401d9930fe0f578cb3f550e56edc893b0072968886a2899c4fadff5ce302a9bec139bda1cf169904e5ca78f93e7708cad3657dba7

Download Submit
C:\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
162ef98cb6c321b88872d6b071fb49c9

SHA1
38505a1e850835abe363a64dd4f670db6db3bfdb

SHA256
7d5d8d46a29d9c7295213998de9bbeb8b130c7afc792a27d24706184180bb7fe

SHA512
0a0a5cb1666b6b10b62bcc341ce6359a0b852a907dd16c2e48b0d503f4ed85d1014b52b987830c82f47ce3c250da7de152814a6d2d5564f3e936d55e6274c633

Download Submit
C:\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
ff81cb44dc72dc4fff542da3724d98d1

SHA1
c80a5155a2cdc66b7458463bce49050a7e0a041f

SHA256
da389ae8e8411557da8debb746fd95384f86b9b0c1b66ff67a34043164e4429a

SHA512
1040f55547d25756d4337911205e838f1d300dafb8971154a54cede1498925dbee96a44efa9efb5056a899430630abd3a26d7bffbe1d32319aa9e9312da57d0f

Download Submit
C:\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
162ef98cb6c321b88872d6b071fb49c9

SHA1
38505a1e850835abe363a64dd4f670db6db3bfdb

SHA256
7d5d8d46a29d9c7295213998de9bbeb8b130c7afc792a27d24706184180bb7fe

SHA512
0a0a5cb1666b6b10b62bcc341ce6359a0b852a907dd16c2e48b0d503f4ed85d1014b52b987830c82f47ce3c250da7de152814a6d2d5564f3e936d55e6274c633

Download Submit
C:\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
162ef98cb6c321b88872d6b071fb49c9

SHA1
38505a1e850835abe363a64dd4f670db6db3bfdb

SHA256
7d5d8d46a29d9c7295213998de9bbeb8b130c7afc792a27d24706184180bb7fe

SHA512
0a0a5cb1666b6b10b62bcc341ce6359a0b852a907dd16c2e48b0d503f4ed85d1014b52b987830c82f47ce3c250da7de152814a6d2d5564f3e936d55e6274c633

Download Submit
C:\Windows\SysWOW64\Shell32.com

Filesize
323KB

MD5
14802ca413b28211dfd7850a6213696c

SHA1
1cf1e9e23d45b03b7053f1b93f1567b093389642

SHA256
6e5f4cc1aef83a425240654fbff1278dafc16408672cfcee8aa9c400bc23c010

SHA512
36d2fc5aee3b8e9e92120e6a63719282c91e4443000a126167a180238e41fd407a85e155f1459a1394f53ccc1913e376fa1f8e5732d7381a3252d9a71bb18f60

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

Filesize
323KB

MD5
0c3d5f1ddc310f02f0bb792e04ea1f65

SHA1
7dda06beae54acb9f5f063457e03b3eaced84ce6

SHA256
03d4ff875cfbcba141ef6199efa1046620c24ec2da4a9114b04cb17e7483ef7f

SHA512
f0e5315884dd34801324d72d8d8de40d535a0d5a35b552e643815efad05670316550a46b7b0f6ef67a27d51e2adfb8c78b549a80ab961f76294311647272bf09

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

Filesize
323KB

MD5
0c3d5f1ddc310f02f0bb792e04ea1f65

SHA1
7dda06beae54acb9f5f063457e03b3eaced84ce6

SHA256
03d4ff875cfbcba141ef6199efa1046620c24ec2da4a9114b04cb17e7483ef7f

SHA512
f0e5315884dd34801324d72d8d8de40d535a0d5a35b552e643815efad05670316550a46b7b0f6ef67a27d51e2adfb8c78b549a80ab961f76294311647272bf09

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

Filesize
323KB

MD5
0c3d5f1ddc310f02f0bb792e04ea1f65

SHA1
7dda06beae54acb9f5f063457e03b3eaced84ce6

SHA256
03d4ff875cfbcba141ef6199efa1046620c24ec2da4a9114b04cb17e7483ef7f

SHA512
f0e5315884dd34801324d72d8d8de40d535a0d5a35b552e643815efad05670316550a46b7b0f6ef67a27d51e2adfb8c78b549a80ab961f76294311647272bf09

Download Submit
\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
0bcdc027324ff53062d9a0314e41f483

SHA1
2267133b3940ab326a9605440e89a89487610dfd

SHA256
5b8e67a7677df31e4723fc96f8c1cead89d1e31b6e62ba91b59ae4e3cde0d06d

SHA512
6b1bc7c56de445d8219595204133e006bc8c18f3dd2aa624d444ba0d2aac5066cf1b3dad66e43f615888b538cb7f07535ba9e5b6717e272b84cf8e51b7516ddf

Download Submit
\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
0bcdc027324ff53062d9a0314e41f483

SHA1
2267133b3940ab326a9605440e89a89487610dfd

SHA256
5b8e67a7677df31e4723fc96f8c1cead89d1e31b6e62ba91b59ae4e3cde0d06d

SHA512
6b1bc7c56de445d8219595204133e006bc8c18f3dd2aa624d444ba0d2aac5066cf1b3dad66e43f615888b538cb7f07535ba9e5b6717e272b84cf8e51b7516ddf

Download Submit
\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
0bcdc027324ff53062d9a0314e41f483

SHA1
2267133b3940ab326a9605440e89a89487610dfd

SHA256
5b8e67a7677df31e4723fc96f8c1cead89d1e31b6e62ba91b59ae4e3cde0d06d

SHA512
6b1bc7c56de445d8219595204133e006bc8c18f3dd2aa624d444ba0d2aac5066cf1b3dad66e43f615888b538cb7f07535ba9e5b6717e272b84cf8e51b7516ddf

Download Submit
\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
0bcdc027324ff53062d9a0314e41f483

SHA1
2267133b3940ab326a9605440e89a89487610dfd

SHA256
5b8e67a7677df31e4723fc96f8c1cead89d1e31b6e62ba91b59ae4e3cde0d06d

SHA512
6b1bc7c56de445d8219595204133e006bc8c18f3dd2aa624d444ba0d2aac5066cf1b3dad66e43f615888b538cb7f07535ba9e5b6717e272b84cf8e51b7516ddf

Download Submit
\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
f448169b1864f472a5a28731a76627a9

SHA1
32e075f9f75b3644e16f563f2d9f9fa6e7bfe34d

SHA256
c727bf2f2b92f263c0f58ba914dfb074f577e6e746114069b8683921f6317e9b

SHA512
bdbeab9affae1c2add564d5481169db82511e278b435be4d8b6583fe0180496577d7e6dea2aec9de087b9d050052023638fc4eb5b270246febbd496d83d4d586

Download Submit
\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
f448169b1864f472a5a28731a76627a9

SHA1
32e075f9f75b3644e16f563f2d9f9fa6e7bfe34d

SHA256
c727bf2f2b92f263c0f58ba914dfb074f577e6e746114069b8683921f6317e9b

SHA512
bdbeab9affae1c2add564d5481169db82511e278b435be4d8b6583fe0180496577d7e6dea2aec9de087b9d050052023638fc4eb5b270246febbd496d83d4d586

Download Submit
\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
f448169b1864f472a5a28731a76627a9

SHA1
32e075f9f75b3644e16f563f2d9f9fa6e7bfe34d

SHA256
c727bf2f2b92f263c0f58ba914dfb074f577e6e746114069b8683921f6317e9b

SHA512
bdbeab9affae1c2add564d5481169db82511e278b435be4d8b6583fe0180496577d7e6dea2aec9de087b9d050052023638fc4eb5b270246febbd496d83d4d586

Download Submit
\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
f448169b1864f472a5a28731a76627a9

SHA1
32e075f9f75b3644e16f563f2d9f9fa6e7bfe34d

SHA256
c727bf2f2b92f263c0f58ba914dfb074f577e6e746114069b8683921f6317e9b

SHA512
bdbeab9affae1c2add564d5481169db82511e278b435be4d8b6583fe0180496577d7e6dea2aec9de087b9d050052023638fc4eb5b270246febbd496d83d4d586

Download Submit
\Windows\SysWOW64\K0L4B0R451.exe

Filesize
323KB

MD5
ad814d9325db0cf3c49ac5de0a829553

SHA1
0f9a8defec268e29a3cf49a371ced92e38635178

SHA256
c51a721c2b3825105453d40ca2c0d88a3e81b5d6e2c52d2be4d41ed9f60eb4a7

SHA512
f35ddd813643efe16ff6550401d9930fe0f578cb3f550e56edc893b0072968886a2899c4fadff5ce302a9bec139bda1cf169904e5ca78f93e7708cad3657dba7

Download Submit
\Windows\SysWOW64\K0L4B0R451.exe

Filesize
323KB

MD5
ad814d9325db0cf3c49ac5de0a829553

SHA1
0f9a8defec268e29a3cf49a371ced92e38635178

SHA256
c51a721c2b3825105453d40ca2c0d88a3e81b5d6e2c52d2be4d41ed9f60eb4a7

SHA512
f35ddd813643efe16ff6550401d9930fe0f578cb3f550e56edc893b0072968886a2899c4fadff5ce302a9bec139bda1cf169904e5ca78f93e7708cad3657dba7

Download Submit
\Windows\SysWOW64\K0L4B0R451.exe

Filesize
323KB

MD5
ad814d9325db0cf3c49ac5de0a829553

SHA1
0f9a8defec268e29a3cf49a371ced92e38635178

SHA256
c51a721c2b3825105453d40ca2c0d88a3e81b5d6e2c52d2be4d41ed9f60eb4a7

SHA512
f35ddd813643efe16ff6550401d9930fe0f578cb3f550e56edc893b0072968886a2899c4fadff5ce302a9bec139bda1cf169904e5ca78f93e7708cad3657dba7

Download Submit
\Windows\SysWOW64\K0L4B0R451.exe

Filesize
323KB

MD5
ad814d9325db0cf3c49ac5de0a829553

SHA1
0f9a8defec268e29a3cf49a371ced92e38635178

SHA256
c51a721c2b3825105453d40ca2c0d88a3e81b5d6e2c52d2be4d41ed9f60eb4a7

SHA512
f35ddd813643efe16ff6550401d9930fe0f578cb3f550e56edc893b0072968886a2899c4fadff5ce302a9bec139bda1cf169904e5ca78f93e7708cad3657dba7

Download Submit
\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
162ef98cb6c321b88872d6b071fb49c9

SHA1
38505a1e850835abe363a64dd4f670db6db3bfdb

SHA256
7d5d8d46a29d9c7295213998de9bbeb8b130c7afc792a27d24706184180bb7fe

SHA512
0a0a5cb1666b6b10b62bcc341ce6359a0b852a907dd16c2e48b0d503f4ed85d1014b52b987830c82f47ce3c250da7de152814a6d2d5564f3e936d55e6274c633

Download Submit
\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
162ef98cb6c321b88872d6b071fb49c9

SHA1
38505a1e850835abe363a64dd4f670db6db3bfdb

SHA256
7d5d8d46a29d9c7295213998de9bbeb8b130c7afc792a27d24706184180bb7fe

SHA512
0a0a5cb1666b6b10b62bcc341ce6359a0b852a907dd16c2e48b0d503f4ed85d1014b52b987830c82f47ce3c250da7de152814a6d2d5564f3e936d55e6274c633

Download Submit
\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
162ef98cb6c321b88872d6b071fb49c9

SHA1
38505a1e850835abe363a64dd4f670db6db3bfdb

SHA256
7d5d8d46a29d9c7295213998de9bbeb8b130c7afc792a27d24706184180bb7fe

SHA512
0a0a5cb1666b6b10b62bcc341ce6359a0b852a907dd16c2e48b0d503f4ed85d1014b52b987830c82f47ce3c250da7de152814a6d2d5564f3e936d55e6274c633

Download Submit
\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
162ef98cb6c321b88872d6b071fb49c9

SHA1
38505a1e850835abe363a64dd4f670db6db3bfdb

SHA256
7d5d8d46a29d9c7295213998de9bbeb8b130c7afc792a27d24706184180bb7fe

SHA512
0a0a5cb1666b6b10b62bcc341ce6359a0b852a907dd16c2e48b0d503f4ed85d1014b52b987830c82f47ce3c250da7de152814a6d2d5564f3e936d55e6274c633

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

Filesize
323KB

MD5
0c3d5f1ddc310f02f0bb792e04ea1f65

SHA1
7dda06beae54acb9f5f063457e03b3eaced84ce6

SHA256
03d4ff875cfbcba141ef6199efa1046620c24ec2da4a9114b04cb17e7483ef7f

SHA512
f0e5315884dd34801324d72d8d8de40d535a0d5a35b552e643815efad05670316550a46b7b0f6ef67a27d51e2adfb8c78b549a80ab961f76294311647272bf09

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

Filesize
323KB

MD5
0c3d5f1ddc310f02f0bb792e04ea1f65

SHA1
7dda06beae54acb9f5f063457e03b3eaced84ce6

SHA256
03d4ff875cfbcba141ef6199efa1046620c24ec2da4a9114b04cb17e7483ef7f

SHA512
f0e5315884dd34801324d72d8d8de40d535a0d5a35b552e643815efad05670316550a46b7b0f6ef67a27d51e2adfb8c78b549a80ab961f76294311647272bf09

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

Filesize
323KB

MD5
0c3d5f1ddc310f02f0bb792e04ea1f65

SHA1
7dda06beae54acb9f5f063457e03b3eaced84ce6

SHA256
03d4ff875cfbcba141ef6199efa1046620c24ec2da4a9114b04cb17e7483ef7f

SHA512
f0e5315884dd34801324d72d8d8de40d535a0d5a35b552e643815efad05670316550a46b7b0f6ef67a27d51e2adfb8c78b549a80ab961f76294311647272bf09

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

Filesize
323KB

MD5
0c3d5f1ddc310f02f0bb792e04ea1f65

SHA1
7dda06beae54acb9f5f063457e03b3eaced84ce6

SHA256
03d4ff875cfbcba141ef6199efa1046620c24ec2da4a9114b04cb17e7483ef7f

SHA512
f0e5315884dd34801324d72d8d8de40d535a0d5a35b552e643815efad05670316550a46b7b0f6ef67a27d51e2adfb8c78b549a80ab961f76294311647272bf09

Download Submit
memory/960-57-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/960-54-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1212-86-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1568-62-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1580-135-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1892-93-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2008-114-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads