6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11

Analysis

max time kernel
152s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Size

323KB
MD5

a1bb74424a908d9146d2e6ea73085794
SHA1

82cb2648c5b82f627d28dfa252bc522fb83b078b
SHA256

6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11
SHA512

7ee4fa1a902e0afe2863098c0acf196e8d01907646aeeb5c903ce9f6ee9d99345e400cfaef42094bd846650d23a11e17e5c106901e8d6dea8bbeb48de1dbc275
SSDEEP

6144:aBxeN/Tdx8YzL+4eBDgelLBLZx53TV5n+yNXavM:aBxe9dx8Yz6nhtLZx53TV5n+4av

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	GoldenGhost.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Kantuk.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Kantuk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4K51K4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Kantuk.exe

Disables RegEdit via registry modification 12 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4K51K4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Kantuk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4K51K4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	GoldenGhost.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 12 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	4K51K4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Kantuk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	4K51K4.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 10 IoCs

pid	Process
1096	winlogon.exe
1124	winlogon.exe
1760	Kantuk.exe
1780	4K51K4.exe
1276	K0L4B0R451.exe
1040	GoldenGhost.exe
1840	Kantuk.exe
1376	4K51K4.exe
1952	K0L4B0R451.exe
1396	GoldenGhost.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\Debugger = "cmd.exe /c del"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe\Debugger = "cmd.exe /c del"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe\Debugger = "cmd.exe /c del"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe\Debugger = "cmd.exe /c del"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe\Debugger = "cmd.exe /c del"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\Debugger = "cmd.exe /c del"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgnt.exe	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\Debugger = "cmd.exe /c del"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgnt.exe	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "cmd.exe /c del"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger = "notepad.exe"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger = "notepad.exe"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe\Debugger = "cmd.exe /c del"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe\Debugger = "cmd.exe /c del"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe\Debugger = "cmd.exe /c del"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "cmd.exe /c del"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe\Debugger = "notepad.exe"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe\Debugger = "cmd.exe /c del"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "cmd.exe /c del"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "cmd.exe /c del"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\Debugger = "cmd.exe /c del"	winlogon.exe

Loads dropped DLL 20 IoCs

pid	Process
1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
1096	winlogon.exe
1096	winlogon.exe
1096	winlogon.exe
1096	winlogon.exe
1096	winlogon.exe
1096	winlogon.exe
1096	winlogon.exe
1096	winlogon.exe
1096	winlogon.exe
1096	winlogon.exe
1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	GoldenGhost.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	Kantuk.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	Kantuk.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	4K51K4.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	GoldenGhost.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	GoldenGhost.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	Kantuk.exe
File opened (read-only)	\??\O:	Kantuk.exe
File opened (read-only)	\??\Q:	Kantuk.exe
File opened (read-only)	\??\S:	Kantuk.exe
File opened (read-only)	\??\U:	Kantuk.exe
File opened (read-only)	\??\B:	K0L4B0R451.exe
File opened (read-only)	\??\S:	K0L4B0R451.exe
File opened (read-only)	\??\F:	Kantuk.exe
File opened (read-only)	\??\X:	Kantuk.exe
File opened (read-only)	\??\Q:	K0L4B0R451.exe
File opened (read-only)	\??\W:	K0L4B0R451.exe
File opened (read-only)	\??\E:	Kantuk.exe
File opened (read-only)	\??\W:	Kantuk.exe
File opened (read-only)	\??\M:	K0L4B0R451.exe
File opened (read-only)	\??\Y:	K0L4B0R451.exe
File opened (read-only)	\??\K:	Kantuk.exe
File opened (read-only)	\??\L:	Kantuk.exe
File opened (read-only)	\??\R:	Kantuk.exe
File opened (read-only)	\??\V:	Kantuk.exe
File opened (read-only)	\??\T:	K0L4B0R451.exe
File opened (read-only)	\??\V:	K0L4B0R451.exe
File opened (read-only)	\??\N:	Kantuk.exe
File opened (read-only)	\??\T:	Kantuk.exe
File opened (read-only)	\??\Z:	Kantuk.exe
File opened (read-only)	\??\E:	K0L4B0R451.exe
File opened (read-only)	\??\G:	K0L4B0R451.exe
File opened (read-only)	\??\K:	K0L4B0R451.exe
File opened (read-only)	\??\H:	Kantuk.exe
File opened (read-only)	\??\I:	Kantuk.exe
File opened (read-only)	\??\M:	Kantuk.exe
File opened (read-only)	\??\P:	Kantuk.exe
File opened (read-only)	\??\N:	K0L4B0R451.exe
File opened (read-only)	\??\P:	K0L4B0R451.exe
File opened (read-only)	\??\Y:	Kantuk.exe
File opened (read-only)	\??\I:	K0L4B0R451.exe
File opened (read-only)	\??\R:	K0L4B0R451.exe
File opened (read-only)	\??\B:	Kantuk.exe
File opened (read-only)	\??\J:	Kantuk.exe
File opened (read-only)	\??\F:	K0L4B0R451.exe
File opened (read-only)	\??\H:	K0L4B0R451.exe
File opened (read-only)	\??\J:	K0L4B0R451.exe
File opened (read-only)	\??\L:	K0L4B0R451.exe
File opened (read-only)	\??\O:	K0L4B0R451.exe
File opened (read-only)	\??\U:	K0L4B0R451.exe
File opened (read-only)	\??\X:	K0L4B0R451.exe
File opened (read-only)	\??\Z:	K0L4B0R451.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	Kantuk.exe
File opened for modification	C:\autorun.inf	Kantuk.exe

Drops file in System32 directory 47 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\GoldenGhost.exe.tmp	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File opened for modification	C:\Windows\SysWOW64\Shell32.com.tmp	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File opened for modification	C:\Windows\SysWOW64\Kantuk.exe.tmp	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Windows_3D.scr	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Windows_3D.scr	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File created	C:\Windows\SysWOW64\Player.ico	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\K0L4B0R451.exe	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File created	C:\Windows\SysWOW64\4K51K4.exe	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File opened for modification	C:\Windows\SysWOW64\K0L4B0R451.exe.tmp	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico	winlogon.exe
File created	C:\Windows\SysWOW64\Word.ico	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Kantuk.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\4K51K4.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\GoldenGhost.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Shell32.com.tmp	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Shell32.com	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\GoldenGhost.exe.tmp	winlogon.exe
File created	C:\Windows\SysWOW64\Folder.ico	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File opened for modification	C:\Windows\SysWOW64\GoldenGhost.exe	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File opened for modification	C:\Windows\SysWOW64\Shell32.com	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File created	C:\Windows\SysWOW64\Rar.ico	winlogon.exe
File created	C:\Windows\SysWOW64\Asli.ico	winlogon.exe
File created	C:\Windows\SysWOW64\Player.ico	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File opened for modification	C:\Windows\SysWOW64\4K51K4.exe.tmp	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File opened for modification	C:\Windows\SysWOW64\Kantuk.exe.tmp	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File created	C:\Windows\SysWOW64\Word.ico	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File created	C:\Windows\SysWOW64\Folder.ico	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File opened for modification	C:\Windows\SysWOW64\4K51K4.exe.tmp	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File created	C:\Windows\SysWOW64\Shell32.com	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File created	C:\Windows\SysWOW64\Rar.ico	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File created	C:\Windows\SysWOW64\Asli.ico	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File opened for modification	C:\Windows\SysWOW64\K0L4B0R451.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Kantuk.exe	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File opened for modification	C:\Windows\SysWOW64\4K51K4.exe	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File created	C:\Windows\SysWOW64\GoldenGhost.exe	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File created	C:\Windows\SysWOW64\K0L4B0R451.exe	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\K0L4B0R451.exe.tmp	winlogon.exe
File created	C:\Windows\SysWOW64\Kantuk.exe	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp	winlogon.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\K0L4B0R451.jpg"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\K0L4B0R451.jpg	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 45 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\TileWallpaper = "0"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\	GoldenGhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s1159 = "K0L4B0R451"	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	GoldenGhost.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s2359 = "K0L4B0R451"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	Kantuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s1159 = "K0L4B0R451"	GoldenGhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Kantuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s2359 = "K0L4B0R451"	Kantuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s1159 = "K0L4B0R451"	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	K0L4B0R451.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\	Kantuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\WallpaperStyle = "0"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s1159 = "K0L4B0R451"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s1159 = "K0L4B0R451"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s1159 = "K0L4B0R451"	Kantuk.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s2359 = "K0L4B0R451"	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s2359 = "K0L4B0R451"	GoldenGhost.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s2359 = "K0L4B0R451"	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	K0L4B0R451.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	GoldenGhost.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	4K51K4.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	GoldenGhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	Kantuk.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\	GoldenGhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s2359 = "K0L4B0R451"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\	Kantuk.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command\ = "logoff.exe"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Edit\Command\ = "logoff.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "K0L4B0R451 File"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Edit\Command	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\Shell\Edit\Command	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\shell	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "logoff.exe"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "logoff.exe"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\NeverShowExt = "1"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "logoff.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Edit\Command	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "logoff.exe"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Edit\Command	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\Shell\Edit\Command	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "logoff.exe"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command\ = "logoff.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\shell\Install\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install\command\ = "logoff.exe"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "K0L4B0R451 File"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "logoff.exe"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install\command\ = "logoff.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "logoff.exe"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "logoff.exe"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "logoff.exe"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "logoff.exe"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
1780	4K51K4.exe
1040	GoldenGhost.exe
1760	Kantuk.exe
1276	K0L4B0R451.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
1096	winlogon.exe
1124	winlogon.exe
1760	Kantuk.exe
1780	4K51K4.exe
1276	K0L4B0R451.exe
1040	GoldenGhost.exe
1840	Kantuk.exe
1376	4K51K4.exe
1952	K0L4B0R451.exe
1396	GoldenGhost.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1096	1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe	26
PID 1976 wrote to memory of 1096	1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe	26
PID 1976 wrote to memory of 1096	1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe	26
PID 1976 wrote to memory of 1096	1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe	26
PID 1096 wrote to memory of 1124	1096	winlogon.exe	27
PID 1096 wrote to memory of 1124	1096	winlogon.exe	27
PID 1096 wrote to memory of 1124	1096	winlogon.exe	27
PID 1096 wrote to memory of 1124	1096	winlogon.exe	27
PID 1096 wrote to memory of 1760	1096	winlogon.exe	28
PID 1096 wrote to memory of 1760	1096	winlogon.exe	28
PID 1096 wrote to memory of 1760	1096	winlogon.exe	28
PID 1096 wrote to memory of 1760	1096	winlogon.exe	28
PID 1096 wrote to memory of 1780	1096	winlogon.exe	29
PID 1096 wrote to memory of 1780	1096	winlogon.exe	29
PID 1096 wrote to memory of 1780	1096	winlogon.exe	29
PID 1096 wrote to memory of 1780	1096	winlogon.exe	29
PID 1096 wrote to memory of 1276	1096	winlogon.exe	30
PID 1096 wrote to memory of 1276	1096	winlogon.exe	30
PID 1096 wrote to memory of 1276	1096	winlogon.exe	30
PID 1096 wrote to memory of 1276	1096	winlogon.exe	30
PID 1096 wrote to memory of 1040	1096	winlogon.exe	31
PID 1096 wrote to memory of 1040	1096	winlogon.exe	31
PID 1096 wrote to memory of 1040	1096	winlogon.exe	31
PID 1096 wrote to memory of 1040	1096	winlogon.exe	31
PID 1976 wrote to memory of 1840	1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe	32
PID 1976 wrote to memory of 1840	1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe	32
PID 1976 wrote to memory of 1840	1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe	32
PID 1976 wrote to memory of 1840	1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe	32
PID 1976 wrote to memory of 1376	1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe	33
PID 1976 wrote to memory of 1376	1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe	33
PID 1976 wrote to memory of 1376	1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe	33
PID 1976 wrote to memory of 1376	1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe	33
PID 1976 wrote to memory of 1952	1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe	34
PID 1976 wrote to memory of 1952	1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe	34
PID 1976 wrote to memory of 1952	1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe	34
PID 1976 wrote to memory of 1952	1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe	34
PID 1976 wrote to memory of 1396	1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe	35
PID 1976 wrote to memory of 1396	1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe	35
PID 1976 wrote to memory of 1396	1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe	35
PID 1976 wrote to memory of 1396	1976	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe	35

System policy modification 1 TTPs 48 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Kantuk.exe

C:\Users\Admin\AppData\Local\Temp\6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
"C:\Users\Admin\AppData\Local\Temp\6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1976
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
  C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1096
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1124
- - C:\Windows\SysWOW64\Kantuk.exe
    C:\Windows\system32\Kantuk.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Sets file execution options in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1760
- - C:\Windows\SysWOW64\4K51K4.exe
    C:\Windows\system32\4K51K4.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Sets file execution options in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1780
- - C:\Windows\SysWOW64\K0L4B0R451.exe
    C:\Windows\system32\K0L4B0R451.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Sets file execution options in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1276
- - C:\Windows\SysWOW64\GoldenGhost.exe
    C:\Windows\system32\GoldenGhost.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Sets file execution options in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1040
- C:\Windows\SysWOW64\Kantuk.exe
  C:\Windows\system32\Kantuk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1840
- C:\Windows\SysWOW64\4K51K4.exe
  C:\Windows\system32\4K51K4.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1376
- C:\Windows\SysWOW64\K0L4B0R451.exe
  C:\Windows\system32\K0L4B0R451.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1952
- C:\Windows\SysWOW64\GoldenGhost.exe
  C:\Windows\system32\GoldenGhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Aut0exec.bat

Filesize
323KB

MD5
1eb682a64ac710e9d212f691c8c2f9ca

SHA1
b6fdf4e663c1fe51bcb0bc683ab6f2f2892d3e16

SHA256
204ac027887e2d112610da59e8cf32eaf0aefea2898f4fdad7958676bc68c3a1

SHA512
a50b51539cbcae4499c971768f28bfa88029c23a865717141477147247c47b025052255e4077e32b91b30d9f1a366dab373aceea74ae54b7c14908f38d9c6a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr

Filesize
323KB

MD5
4c3af5916dd70ad60c3cc937f7ff5bce

SHA1
afdc446614507155463e2eda2c34845f8353b881

SHA256
3cae607f6d06d4c8b4cd69df4e9b7fa167ed8ff515d372a26d64d504878fec09

SHA512
8320bd5c5aea960ea5bb062cee4671c7299d893f834943fee0f2e0204d5e975021ae0693056aa589874139410023f1df1e0439f79fb8bde9f6d81b0cbbd31816

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
323KB

MD5
9567bc239c76586a73f4be61c2c2a7b6

SHA1
5b313f5580cd2ac815f6cb7bac1f9cc7a4dd45f6

SHA256
8efb2c84d8aa5520931fa50078092234cbb9e0181dfa7ac4ce326833e4630f2f

SHA512
03d45b3612b3822b9e3a7247beb658ebdd3bca21ef44cc23e1502f3f44ae5522f069a603442f268f8bff390f307c977eb71063151aa99950ab77af6570609b43

Download Submit
C:\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
50b2971269d85154a17393200f0553ea

SHA1
f0930046d2d54c77a5043f6c0b1cfe797222a0c4

SHA256
b6377b44703a8895d802525f4d2f3dbe9501f17df9f0af9e38c91da0fc790b1c

SHA512
b9209515d4792936167901f442255cb47158d3b437d48dfc8ea939f53e826ce9aab63a9ad20025efad28065757c764a509a483a8322f27976e3a3c5dde06247b

Download Submit
C:\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
50b2971269d85154a17393200f0553ea

SHA1
f0930046d2d54c77a5043f6c0b1cfe797222a0c4

SHA256
b6377b44703a8895d802525f4d2f3dbe9501f17df9f0af9e38c91da0fc790b1c

SHA512
b9209515d4792936167901f442255cb47158d3b437d48dfc8ea939f53e826ce9aab63a9ad20025efad28065757c764a509a483a8322f27976e3a3c5dde06247b

Download Submit
C:\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
4c3af5916dd70ad60c3cc937f7ff5bce

SHA1
afdc446614507155463e2eda2c34845f8353b881

SHA256
3cae607f6d06d4c8b4cd69df4e9b7fa167ed8ff515d372a26d64d504878fec09

SHA512
8320bd5c5aea960ea5bb062cee4671c7299d893f834943fee0f2e0204d5e975021ae0693056aa589874139410023f1df1e0439f79fb8bde9f6d81b0cbbd31816

Download Submit
C:\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
50b2971269d85154a17393200f0553ea

SHA1
f0930046d2d54c77a5043f6c0b1cfe797222a0c4

SHA256
b6377b44703a8895d802525f4d2f3dbe9501f17df9f0af9e38c91da0fc790b1c

SHA512
b9209515d4792936167901f442255cb47158d3b437d48dfc8ea939f53e826ce9aab63a9ad20025efad28065757c764a509a483a8322f27976e3a3c5dde06247b

Download Submit
C:\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
7436ecb9889078ad100a52f153327c00

SHA1
62c8416258ad876938b2184040fc85a67ce4cc9a

SHA256
b884394c293cbcb59d92c903737306d140d9590d1c55037783c57e3c16ee7543

SHA512
4817f278ec90fb8250b2b1f4a0e10b46fd97db124d654cb8d0a955a050df6d9553fba6b3aa45d74979a59629df9de330e324fc53963b7e3921d69769b44a8854

Download Submit
C:\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
7436ecb9889078ad100a52f153327c00

SHA1
62c8416258ad876938b2184040fc85a67ce4cc9a

SHA256
b884394c293cbcb59d92c903737306d140d9590d1c55037783c57e3c16ee7543

SHA512
4817f278ec90fb8250b2b1f4a0e10b46fd97db124d654cb8d0a955a050df6d9553fba6b3aa45d74979a59629df9de330e324fc53963b7e3921d69769b44a8854

Download Submit
C:\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
7436ecb9889078ad100a52f153327c00

SHA1
62c8416258ad876938b2184040fc85a67ce4cc9a

SHA256
b884394c293cbcb59d92c903737306d140d9590d1c55037783c57e3c16ee7543

SHA512
4817f278ec90fb8250b2b1f4a0e10b46fd97db124d654cb8d0a955a050df6d9553fba6b3aa45d74979a59629df9de330e324fc53963b7e3921d69769b44a8854

Download Submit
C:\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
4c3af5916dd70ad60c3cc937f7ff5bce

SHA1
afdc446614507155463e2eda2c34845f8353b881

SHA256
3cae607f6d06d4c8b4cd69df4e9b7fa167ed8ff515d372a26d64d504878fec09

SHA512
8320bd5c5aea960ea5bb062cee4671c7299d893f834943fee0f2e0204d5e975021ae0693056aa589874139410023f1df1e0439f79fb8bde9f6d81b0cbbd31816

Download Submit
C:\Windows\SysWOW64\K0L4B0R451.exe

Filesize
323KB

MD5
3f91a698186ccbfa6d2a16bddb0d0fa1

SHA1
d65088fbd55f8d9df9745a9e501735129f710473

SHA256
16921bb2e4143e0c4c7bd2bfb2fc3baf289c784c062b8c77ee8a387df1752f62

SHA512
e4b1c56b2311639835bcba3f1840b18c2a092c3a05523e289db6a470687fe75e9d00d50159788e0b164e89d208de5542f5f29420a833a5f67dfe095bf0878306

Download Submit
C:\Windows\SysWOW64\K0L4B0R451.exe

Filesize
323KB

MD5
3f91a698186ccbfa6d2a16bddb0d0fa1

SHA1
d65088fbd55f8d9df9745a9e501735129f710473

SHA256
16921bb2e4143e0c4c7bd2bfb2fc3baf289c784c062b8c77ee8a387df1752f62

SHA512
e4b1c56b2311639835bcba3f1840b18c2a092c3a05523e289db6a470687fe75e9d00d50159788e0b164e89d208de5542f5f29420a833a5f67dfe095bf0878306

Download Submit
C:\Windows\SysWOW64\K0L4B0R451.exe

Filesize
323KB

MD5
b1a7b590adeef2d9a3f97ebd38a71417

SHA1
baab094daf351a319ff5502dbf62c08bb8d394d3

SHA256
2d73fa4470b4072a908daf0543a9c543a589e1aac1c3a8ee74a46659030ce2c6

SHA512
b5d0eaee2f583834ccae5ada29cbad32b49d0b6cf5072aa6ab64797c41564f5079d2cef7dc0d6b2d340a2b6308498829be5468198ef59205425b7f81602df03e

Download Submit
C:\Windows\SysWOW64\K0L4B0R451.exe

Filesize
323KB

MD5
3f91a698186ccbfa6d2a16bddb0d0fa1

SHA1
d65088fbd55f8d9df9745a9e501735129f710473

SHA256
16921bb2e4143e0c4c7bd2bfb2fc3baf289c784c062b8c77ee8a387df1752f62

SHA512
e4b1c56b2311639835bcba3f1840b18c2a092c3a05523e289db6a470687fe75e9d00d50159788e0b164e89d208de5542f5f29420a833a5f67dfe095bf0878306

Download Submit
C:\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
9987c5b3834e70c94d57a55aa329841f

SHA1
c301edbf7b47cc15d55225f38264b967a2589f94

SHA256
ac223d1d9b88b26d3b18c0cddfd164104c4b366ceccb612c667a76067341841f

SHA512
f470d26313351d2e7881891525eb42a98ab578f703ec61bea558dbe69d76302752af923a14981c2ecddabc1a564099f3f717d34815b7284157f69e002780d123

Download Submit
C:\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
9987c5b3834e70c94d57a55aa329841f

SHA1
c301edbf7b47cc15d55225f38264b967a2589f94

SHA256
ac223d1d9b88b26d3b18c0cddfd164104c4b366ceccb612c667a76067341841f

SHA512
f470d26313351d2e7881891525eb42a98ab578f703ec61bea558dbe69d76302752af923a14981c2ecddabc1a564099f3f717d34815b7284157f69e002780d123

Download Submit
C:\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
4c3af5916dd70ad60c3cc937f7ff5bce

SHA1
afdc446614507155463e2eda2c34845f8353b881

SHA256
3cae607f6d06d4c8b4cd69df4e9b7fa167ed8ff515d372a26d64d504878fec09

SHA512
8320bd5c5aea960ea5bb062cee4671c7299d893f834943fee0f2e0204d5e975021ae0693056aa589874139410023f1df1e0439f79fb8bde9f6d81b0cbbd31816

Download Submit
C:\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
9987c5b3834e70c94d57a55aa329841f

SHA1
c301edbf7b47cc15d55225f38264b967a2589f94

SHA256
ac223d1d9b88b26d3b18c0cddfd164104c4b366ceccb612c667a76067341841f

SHA512
f470d26313351d2e7881891525eb42a98ab578f703ec61bea558dbe69d76302752af923a14981c2ecddabc1a564099f3f717d34815b7284157f69e002780d123

Download Submit
C:\Windows\SysWOW64\Shell32.com

Filesize
323KB

MD5
4c3af5916dd70ad60c3cc937f7ff5bce

SHA1
afdc446614507155463e2eda2c34845f8353b881

SHA256
3cae607f6d06d4c8b4cd69df4e9b7fa167ed8ff515d372a26d64d504878fec09

SHA512
8320bd5c5aea960ea5bb062cee4671c7299d893f834943fee0f2e0204d5e975021ae0693056aa589874139410023f1df1e0439f79fb8bde9f6d81b0cbbd31816

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

Filesize
323KB

MD5
4c3af5916dd70ad60c3cc937f7ff5bce

SHA1
afdc446614507155463e2eda2c34845f8353b881

SHA256
3cae607f6d06d4c8b4cd69df4e9b7fa167ed8ff515d372a26d64d504878fec09

SHA512
8320bd5c5aea960ea5bb062cee4671c7299d893f834943fee0f2e0204d5e975021ae0693056aa589874139410023f1df1e0439f79fb8bde9f6d81b0cbbd31816

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

Filesize
323KB

MD5
4c3af5916dd70ad60c3cc937f7ff5bce

SHA1
afdc446614507155463e2eda2c34845f8353b881

SHA256
3cae607f6d06d4c8b4cd69df4e9b7fa167ed8ff515d372a26d64d504878fec09

SHA512
8320bd5c5aea960ea5bb062cee4671c7299d893f834943fee0f2e0204d5e975021ae0693056aa589874139410023f1df1e0439f79fb8bde9f6d81b0cbbd31816

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

Filesize
323KB

MD5
4c3af5916dd70ad60c3cc937f7ff5bce

SHA1
afdc446614507155463e2eda2c34845f8353b881

SHA256
3cae607f6d06d4c8b4cd69df4e9b7fa167ed8ff515d372a26d64d504878fec09

SHA512
8320bd5c5aea960ea5bb062cee4671c7299d893f834943fee0f2e0204d5e975021ae0693056aa589874139410023f1df1e0439f79fb8bde9f6d81b0cbbd31816

Download Submit
\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
50b2971269d85154a17393200f0553ea

SHA1
f0930046d2d54c77a5043f6c0b1cfe797222a0c4

SHA256
b6377b44703a8895d802525f4d2f3dbe9501f17df9f0af9e38c91da0fc790b1c

SHA512
b9209515d4792936167901f442255cb47158d3b437d48dfc8ea939f53e826ce9aab63a9ad20025efad28065757c764a509a483a8322f27976e3a3c5dde06247b

Download Submit
\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
50b2971269d85154a17393200f0553ea

SHA1
f0930046d2d54c77a5043f6c0b1cfe797222a0c4

SHA256
b6377b44703a8895d802525f4d2f3dbe9501f17df9f0af9e38c91da0fc790b1c

SHA512
b9209515d4792936167901f442255cb47158d3b437d48dfc8ea939f53e826ce9aab63a9ad20025efad28065757c764a509a483a8322f27976e3a3c5dde06247b

Download Submit
\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
50b2971269d85154a17393200f0553ea

SHA1
f0930046d2d54c77a5043f6c0b1cfe797222a0c4

SHA256
b6377b44703a8895d802525f4d2f3dbe9501f17df9f0af9e38c91da0fc790b1c

SHA512
b9209515d4792936167901f442255cb47158d3b437d48dfc8ea939f53e826ce9aab63a9ad20025efad28065757c764a509a483a8322f27976e3a3c5dde06247b

Download Submit
\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
50b2971269d85154a17393200f0553ea

SHA1
f0930046d2d54c77a5043f6c0b1cfe797222a0c4

SHA256
b6377b44703a8895d802525f4d2f3dbe9501f17df9f0af9e38c91da0fc790b1c

SHA512
b9209515d4792936167901f442255cb47158d3b437d48dfc8ea939f53e826ce9aab63a9ad20025efad28065757c764a509a483a8322f27976e3a3c5dde06247b

Download Submit
\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
7436ecb9889078ad100a52f153327c00

SHA1
62c8416258ad876938b2184040fc85a67ce4cc9a

SHA256
b884394c293cbcb59d92c903737306d140d9590d1c55037783c57e3c16ee7543

SHA512
4817f278ec90fb8250b2b1f4a0e10b46fd97db124d654cb8d0a955a050df6d9553fba6b3aa45d74979a59629df9de330e324fc53963b7e3921d69769b44a8854

Download Submit
\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
7436ecb9889078ad100a52f153327c00

SHA1
62c8416258ad876938b2184040fc85a67ce4cc9a

SHA256
b884394c293cbcb59d92c903737306d140d9590d1c55037783c57e3c16ee7543

SHA512
4817f278ec90fb8250b2b1f4a0e10b46fd97db124d654cb8d0a955a050df6d9553fba6b3aa45d74979a59629df9de330e324fc53963b7e3921d69769b44a8854

Download Submit
\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
7436ecb9889078ad100a52f153327c00

SHA1
62c8416258ad876938b2184040fc85a67ce4cc9a

SHA256
b884394c293cbcb59d92c903737306d140d9590d1c55037783c57e3c16ee7543

SHA512
4817f278ec90fb8250b2b1f4a0e10b46fd97db124d654cb8d0a955a050df6d9553fba6b3aa45d74979a59629df9de330e324fc53963b7e3921d69769b44a8854

Download Submit
\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
7436ecb9889078ad100a52f153327c00

SHA1
62c8416258ad876938b2184040fc85a67ce4cc9a

SHA256
b884394c293cbcb59d92c903737306d140d9590d1c55037783c57e3c16ee7543

SHA512
4817f278ec90fb8250b2b1f4a0e10b46fd97db124d654cb8d0a955a050df6d9553fba6b3aa45d74979a59629df9de330e324fc53963b7e3921d69769b44a8854

Download Submit
\Windows\SysWOW64\K0L4B0R451.exe

Filesize
323KB

MD5
3f91a698186ccbfa6d2a16bddb0d0fa1

SHA1
d65088fbd55f8d9df9745a9e501735129f710473

SHA256
16921bb2e4143e0c4c7bd2bfb2fc3baf289c784c062b8c77ee8a387df1752f62

SHA512
e4b1c56b2311639835bcba3f1840b18c2a092c3a05523e289db6a470687fe75e9d00d50159788e0b164e89d208de5542f5f29420a833a5f67dfe095bf0878306

Download Submit
\Windows\SysWOW64\K0L4B0R451.exe

Filesize
323KB

MD5
3f91a698186ccbfa6d2a16bddb0d0fa1

SHA1
d65088fbd55f8d9df9745a9e501735129f710473

SHA256
16921bb2e4143e0c4c7bd2bfb2fc3baf289c784c062b8c77ee8a387df1752f62

SHA512
e4b1c56b2311639835bcba3f1840b18c2a092c3a05523e289db6a470687fe75e9d00d50159788e0b164e89d208de5542f5f29420a833a5f67dfe095bf0878306

Download Submit
\Windows\SysWOW64\K0L4B0R451.exe

Filesize
323KB

MD5
3f91a698186ccbfa6d2a16bddb0d0fa1

SHA1
d65088fbd55f8d9df9745a9e501735129f710473

SHA256
16921bb2e4143e0c4c7bd2bfb2fc3baf289c784c062b8c77ee8a387df1752f62

SHA512
e4b1c56b2311639835bcba3f1840b18c2a092c3a05523e289db6a470687fe75e9d00d50159788e0b164e89d208de5542f5f29420a833a5f67dfe095bf0878306

Download Submit
\Windows\SysWOW64\K0L4B0R451.exe

Filesize
323KB

MD5
3f91a698186ccbfa6d2a16bddb0d0fa1

SHA1
d65088fbd55f8d9df9745a9e501735129f710473

SHA256
16921bb2e4143e0c4c7bd2bfb2fc3baf289c784c062b8c77ee8a387df1752f62

SHA512
e4b1c56b2311639835bcba3f1840b18c2a092c3a05523e289db6a470687fe75e9d00d50159788e0b164e89d208de5542f5f29420a833a5f67dfe095bf0878306

Download Submit
\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
9987c5b3834e70c94d57a55aa329841f

SHA1
c301edbf7b47cc15d55225f38264b967a2589f94

SHA256
ac223d1d9b88b26d3b18c0cddfd164104c4b366ceccb612c667a76067341841f

SHA512
f470d26313351d2e7881891525eb42a98ab578f703ec61bea558dbe69d76302752af923a14981c2ecddabc1a564099f3f717d34815b7284157f69e002780d123

Download Submit
\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
9987c5b3834e70c94d57a55aa329841f

SHA1
c301edbf7b47cc15d55225f38264b967a2589f94

SHA256
ac223d1d9b88b26d3b18c0cddfd164104c4b366ceccb612c667a76067341841f

SHA512
f470d26313351d2e7881891525eb42a98ab578f703ec61bea558dbe69d76302752af923a14981c2ecddabc1a564099f3f717d34815b7284157f69e002780d123

Download Submit
\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
9987c5b3834e70c94d57a55aa329841f

SHA1
c301edbf7b47cc15d55225f38264b967a2589f94

SHA256
ac223d1d9b88b26d3b18c0cddfd164104c4b366ceccb612c667a76067341841f

SHA512
f470d26313351d2e7881891525eb42a98ab578f703ec61bea558dbe69d76302752af923a14981c2ecddabc1a564099f3f717d34815b7284157f69e002780d123

Download Submit
\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
9987c5b3834e70c94d57a55aa329841f

SHA1
c301edbf7b47cc15d55225f38264b967a2589f94

SHA256
ac223d1d9b88b26d3b18c0cddfd164104c4b366ceccb612c667a76067341841f

SHA512
f470d26313351d2e7881891525eb42a98ab578f703ec61bea558dbe69d76302752af923a14981c2ecddabc1a564099f3f717d34815b7284157f69e002780d123

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

Filesize
323KB

MD5
4c3af5916dd70ad60c3cc937f7ff5bce

SHA1
afdc446614507155463e2eda2c34845f8353b881

SHA256
3cae607f6d06d4c8b4cd69df4e9b7fa167ed8ff515d372a26d64d504878fec09

SHA512
8320bd5c5aea960ea5bb062cee4671c7299d893f834943fee0f2e0204d5e975021ae0693056aa589874139410023f1df1e0439f79fb8bde9f6d81b0cbbd31816

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

Filesize
323KB

MD5
4c3af5916dd70ad60c3cc937f7ff5bce

SHA1
afdc446614507155463e2eda2c34845f8353b881

SHA256
3cae607f6d06d4c8b4cd69df4e9b7fa167ed8ff515d372a26d64d504878fec09

SHA512
8320bd5c5aea960ea5bb062cee4671c7299d893f834943fee0f2e0204d5e975021ae0693056aa589874139410023f1df1e0439f79fb8bde9f6d81b0cbbd31816

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

Filesize
323KB

MD5
4c3af5916dd70ad60c3cc937f7ff5bce

SHA1
afdc446614507155463e2eda2c34845f8353b881

SHA256
3cae607f6d06d4c8b4cd69df4e9b7fa167ed8ff515d372a26d64d504878fec09

SHA512
8320bd5c5aea960ea5bb062cee4671c7299d893f834943fee0f2e0204d5e975021ae0693056aa589874139410023f1df1e0439f79fb8bde9f6d81b0cbbd31816

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

Filesize
323KB

MD5
4c3af5916dd70ad60c3cc937f7ff5bce

SHA1
afdc446614507155463e2eda2c34845f8353b881

SHA256
3cae607f6d06d4c8b4cd69df4e9b7fa167ed8ff515d372a26d64d504878fec09

SHA512
8320bd5c5aea960ea5bb062cee4671c7299d893f834943fee0f2e0204d5e975021ae0693056aa589874139410023f1df1e0439f79fb8bde9f6d81b0cbbd31816

Download Submit
memory/1040-108-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1096-62-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1276-101-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1760-86-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1780-93-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1976-54-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1976-57-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads