788e90f6c82a39bee2f10e7a24b8673142d61564811d6c182da3b9093f8b7c81

Analysis

max time kernel
27s
max time network
131s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bffcb3b265905dcd15503d306cf6faae.exe
Size

323KB
MD5

bffcb3b265905dcd15503d306cf6faae
SHA1

5971fb2aa44163d1ad18a13a00e7836dc1634f82
SHA256

788e90f6c82a39bee2f10e7a24b8673142d61564811d6c182da3b9093f8b7c81
SHA512

cd2db0b5f3c870599ef928f13ce0cc80122bb93c99e1c5a7b05b957b2fb5b0306009de5f254d81721c0fc85800acfa0b07542f9aec2d7dec1b793a2a391f7067
SSDEEP

6144:jBxeN/Tdx8YzL+4eBDgelLBL9C53TV5n+yNXavM:jBxe9dx8Yz6nhtL9C53TV5n+4av

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	GoldenGhost.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Kantuk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4K51K4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	K0L4B0R451.exe

Disables RegEdit via registry modification 12 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4K51K4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Kantuk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4K51K4.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 12 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Kantuk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	4K51K4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Kantuk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	GoldenGhost.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe\Debugger = "cmd.exe /c del"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\Debugger = "cmd.exe /c del"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe\Debugger = "cmd.exe /c del"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgnt.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe\Debugger = "cmd.exe /c del"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe\Debugger = "cmd.exe /c del"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\Debugger = "cmd.exe /c del"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger = "notepad.exe"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe\Debugger = "notepad.exe"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe\Debugger = "cmd.exe /c del"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe\Debugger = "cmd.exe /c del"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe\Debugger = "cmd.exe /c del"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "cmd.exe /c del"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe\Debugger = "cmd.exe /c del"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe\Debugger = "cmd.exe /c del"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgnt.exe	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe\Debugger = "cmd.exe /c del"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe\Debugger = "cmd.exe /c del"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe\Debugger = "cmd.exe /c del"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe\Debugger = "cmd.exe /c del"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\Debugger = "cmd.exe /c del"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgnt.exe	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe	Kantuk.exe

Executes dropped EXE 10 IoCs

pid	Process
1328	winlogon.exe
936	winlogon.exe
1972	Kantuk.exe
2520	4K51K4.exe
2208	K0L4B0R451.exe
1704	GoldenGhost.exe
1608	Kantuk.exe
2080	4K51K4.exe
2640	K0L4B0R451.exe
2560	GoldenGhost.exe

Loads dropped DLL 20 IoCs

pid	Process
2404	bffcb3b265905dcd15503d306cf6faae.exe
2404	bffcb3b265905dcd15503d306cf6faae.exe
1328	winlogon.exe
1328	winlogon.exe
1328	winlogon.exe
1328	winlogon.exe
1328	winlogon.exe
1328	winlogon.exe
1328	winlogon.exe
1328	winlogon.exe
1328	winlogon.exe
1328	winlogon.exe
2404	bffcb3b265905dcd15503d306cf6faae.exe
2404	bffcb3b265905dcd15503d306cf6faae.exe
2404	bffcb3b265905dcd15503d306cf6faae.exe
2404	bffcb3b265905dcd15503d306cf6faae.exe
2404	bffcb3b265905dcd15503d306cf6faae.exe
2404	bffcb3b265905dcd15503d306cf6faae.exe
2404	bffcb3b265905dcd15503d306cf6faae.exe
2404	bffcb3b265905dcd15503d306cf6faae.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4K51K4.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	GoldenGhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	Kantuk.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	bffcb3b265905dcd15503d306cf6faae.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	K0L4B0R451.exe
File opened (read-only)	\??\T:	K0L4B0R451.exe
File opened (read-only)	\??\L:	Kantuk.exe
File opened (read-only)	\??\Q:	Kantuk.exe
File opened (read-only)	\??\W:	Kantuk.exe
File opened (read-only)	\??\L:	K0L4B0R451.exe
File opened (read-only)	\??\O:	K0L4B0R451.exe
File opened (read-only)	\??\Q:	K0L4B0R451.exe
File opened (read-only)	\??\Z:	K0L4B0R451.exe
File opened (read-only)	\??\B:	Kantuk.exe
File opened (read-only)	\??\I:	Kantuk.exe
File opened (read-only)	\??\K:	Kantuk.exe
File opened (read-only)	\??\R:	Kantuk.exe
File opened (read-only)	\??\Z:	Kantuk.exe
File opened (read-only)	\??\P:	K0L4B0R451.exe
File opened (read-only)	\??\M:	Kantuk.exe
File opened (read-only)	\??\O:	Kantuk.exe
File opened (read-only)	\??\B:	K0L4B0R451.exe
File opened (read-only)	\??\J:	K0L4B0R451.exe
File opened (read-only)	\??\E:	Kantuk.exe
File opened (read-only)	\??\J:	Kantuk.exe
File opened (read-only)	\??\I:	K0L4B0R451.exe
File opened (read-only)	\??\Y:	K0L4B0R451.exe
File opened (read-only)	\??\N:	Kantuk.exe
File opened (read-only)	\??\X:	Kantuk.exe
File opened (read-only)	\??\G:	K0L4B0R451.exe
File opened (read-only)	\??\G:	Kantuk.exe
File opened (read-only)	\??\P:	Kantuk.exe
File opened (read-only)	\??\S:	Kantuk.exe
File opened (read-only)	\??\U:	Kantuk.exe
File opened (read-only)	\??\H:	K0L4B0R451.exe
File opened (read-only)	\??\X:	K0L4B0R451.exe
File opened (read-only)	\??\K:	K0L4B0R451.exe
File opened (read-only)	\??\V:	K0L4B0R451.exe
File opened (read-only)	\??\N:	K0L4B0R451.exe
File opened (read-only)	\??\S:	K0L4B0R451.exe
File opened (read-only)	\??\H:	Kantuk.exe
File opened (read-only)	\??\T:	Kantuk.exe
File opened (read-only)	\??\V:	Kantuk.exe
File opened (read-only)	\??\Y:	Kantuk.exe
File opened (read-only)	\??\E:	K0L4B0R451.exe
File opened (read-only)	\??\M:	K0L4B0R451.exe
File opened (read-only)	\??\U:	K0L4B0R451.exe
File opened (read-only)	\??\W:	K0L4B0R451.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	Kantuk.exe
File created	C:\autorun.inf	Kantuk.exe

Drops file in System32 directory 47 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp	bffcb3b265905dcd15503d306cf6faae.exe
File opened for modification	C:\Windows\SysWOW64\Kantuk.exe.tmp	bffcb3b265905dcd15503d306cf6faae.exe
File opened for modification	C:\Windows\SysWOW64\GoldenGhost.exe.tmp	bffcb3b265905dcd15503d306cf6faae.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico	bffcb3b265905dcd15503d306cf6faae.exe
File created	C:\Windows\SysWOW64\Asli.ico	bffcb3b265905dcd15503d306cf6faae.exe
File opened for modification	C:\Windows\SysWOW64\GoldenGhost.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	bffcb3b265905dcd15503d306cf6faae.exe
File opened for modification	C:\Windows\SysWOW64\Shell32.com.tmp	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Windows_3D.scr	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\GoldenGhost.exe.tmp	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Shell32.com	bffcb3b265905dcd15503d306cf6faae.exe
File created	C:\Windows\SysWOW64\Kantuk.exe	bffcb3b265905dcd15503d306cf6faae.exe
File opened for modification	C:\Windows\SysWOW64\Shell32.com.tmp	bffcb3b265905dcd15503d306cf6faae.exe
File opened for modification	C:\Windows\SysWOW64\K0L4B0R451.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\K0L4B0R451.exe.tmp	winlogon.exe
File created	C:\Windows\SysWOW64\Folder.ico	winlogon.exe
File created	C:\Windows\SysWOW64\Player.ico	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\GoldenGhost.exe	bffcb3b265905dcd15503d306cf6faae.exe
File opened for modification	C:\Windows\SysWOW64\Kantuk.exe	bffcb3b265905dcd15503d306cf6faae.exe
File opened for modification	C:\Windows\SysWOW64\4K51K4.exe	bffcb3b265905dcd15503d306cf6faae.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\4K51K4.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Shell32.com	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	bffcb3b265905dcd15503d306cf6faae.exe
File created	C:\Windows\SysWOW64\K0L4B0R451.exe	bffcb3b265905dcd15503d306cf6faae.exe
File opened for modification	C:\Windows\SysWOW64\Windows_3D.scr	bffcb3b265905dcd15503d306cf6faae.exe
File created	C:\Windows\SysWOW64\Word.ico	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\K0L4B0R451.exe	bffcb3b265905dcd15503d306cf6faae.exe
File created	C:\Windows\SysWOW64\Folder.ico	bffcb3b265905dcd15503d306cf6faae.exe
File created	C:\Windows\SysWOW64\Player.ico	bffcb3b265905dcd15503d306cf6faae.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico	winlogon.exe
File created	C:\Windows\SysWOW64\Asli.ico	winlogon.exe
File created	C:\Windows\SysWOW64\Word.ico	bffcb3b265905dcd15503d306cf6faae.exe
File opened for modification	C:\Windows\SysWOW64\Kantuk.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp	winlogon.exe
File created	C:\Windows\SysWOW64\Rar.ico	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\4K51K4.exe.tmp	bffcb3b265905dcd15503d306cf6faae.exe
File created	C:\Windows\SysWOW64\4K51K4.exe	bffcb3b265905dcd15503d306cf6faae.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\4K51K4.exe.tmp	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	bffcb3b265905dcd15503d306cf6faae.exe
File created	C:\Windows\SysWOW64\Shell32.com	bffcb3b265905dcd15503d306cf6faae.exe
File opened for modification	C:\Windows\SysWOW64\K0L4B0R451.exe.tmp	bffcb3b265905dcd15503d306cf6faae.exe
File created	C:\Windows\SysWOW64\Rar.ico	bffcb3b265905dcd15503d306cf6faae.exe
File opened for modification	C:\Windows\SysWOW64\Kantuk.exe.tmp	winlogon.exe
File created	C:\Windows\SysWOW64\GoldenGhost.exe	bffcb3b265905dcd15503d306cf6faae.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\K0L4B0R451.jpg"	bffcb3b265905dcd15503d306cf6faae.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\K0L4B0R451.jpg	bffcb3b265905dcd15503d306cf6faae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 45 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s1159 = "K0L4B0R451"	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	GoldenGhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s1159 = "K0L4B0R451"	GoldenGhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s2359 = "K0L4B0R451"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	Kantuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	4K51K4.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s1159 = "K0L4B0R451"	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\TileWallpaper = "0"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s1159 = "K0L4B0R451"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	Kantuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Kantuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s2359 = "K0L4B0R451"	Kantuk.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\	GoldenGhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	GoldenGhost.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\	Kantuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	4K51K4.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	K0L4B0R451.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\WallpaperStyle = "0"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s1159 = "K0L4B0R451"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	GoldenGhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s2359 = "K0L4B0R451"	GoldenGhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s2359 = "K0L4B0R451"	4K51K4.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\	K0L4B0R451.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\	GoldenGhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s2359 = "K0L4B0R451"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\	Kantuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s2359 = "K0L4B0R451"	K0L4B0R451.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s1159 = "K0L4B0R451"	Kantuk.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\	K0L4B0R451.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\NeverShowExt = "1"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command\ = "logoff.exe"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\shell\Install\command	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Edit\Command	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\shell\Install\command	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	bffcb3b265905dcd15503d306cf6faae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "logoff.exe"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\Shell\Edit\Command	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "logoff.exe"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\shell\Install\command	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Edit\Command	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "logoff.exe"	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Edit\Command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install\command\ = "logoff.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\shell\Install\command	bffcb3b265905dcd15503d306cf6faae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install\command\ = "logoff.exe"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell	bffcb3b265905dcd15503d306cf6faae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command\ = "logoff.exe"	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\NeverShowExt = "1"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Edit\Command\ = "logoff.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	K0L4B0R451.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
2520	4K51K4.exe
1704	GoldenGhost.exe
1972	Kantuk.exe
2208	K0L4B0R451.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2404	bffcb3b265905dcd15503d306cf6faae.exe
1328	winlogon.exe
936	winlogon.exe
1972	Kantuk.exe
2520	4K51K4.exe
2208	K0L4B0R451.exe
1704	GoldenGhost.exe
1608	Kantuk.exe
2080	4K51K4.exe
2640	K0L4B0R451.exe
2560	GoldenGhost.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 1328	2404	bffcb3b265905dcd15503d306cf6faae.exe	28
PID 2404 wrote to memory of 1328	2404	bffcb3b265905dcd15503d306cf6faae.exe	28
PID 2404 wrote to memory of 1328	2404	bffcb3b265905dcd15503d306cf6faae.exe	28
PID 2404 wrote to memory of 1328	2404	bffcb3b265905dcd15503d306cf6faae.exe	28
PID 1328 wrote to memory of 936	1328	winlogon.exe	29
PID 1328 wrote to memory of 936	1328	winlogon.exe	29
PID 1328 wrote to memory of 936	1328	winlogon.exe	29
PID 1328 wrote to memory of 936	1328	winlogon.exe	29
PID 1328 wrote to memory of 1972	1328	winlogon.exe	30
PID 1328 wrote to memory of 1972	1328	winlogon.exe	30
PID 1328 wrote to memory of 1972	1328	winlogon.exe	30
PID 1328 wrote to memory of 1972	1328	winlogon.exe	30
PID 1328 wrote to memory of 2520	1328	winlogon.exe	31
PID 1328 wrote to memory of 2520	1328	winlogon.exe	31
PID 1328 wrote to memory of 2520	1328	winlogon.exe	31
PID 1328 wrote to memory of 2520	1328	winlogon.exe	31
PID 1328 wrote to memory of 2208	1328	winlogon.exe	32
PID 1328 wrote to memory of 2208	1328	winlogon.exe	32
PID 1328 wrote to memory of 2208	1328	winlogon.exe	32
PID 1328 wrote to memory of 2208	1328	winlogon.exe	32
PID 1328 wrote to memory of 1704	1328	winlogon.exe	33
PID 1328 wrote to memory of 1704	1328	winlogon.exe	33
PID 1328 wrote to memory of 1704	1328	winlogon.exe	33
PID 1328 wrote to memory of 1704	1328	winlogon.exe	33
PID 2404 wrote to memory of 1608	2404	bffcb3b265905dcd15503d306cf6faae.exe	34
PID 2404 wrote to memory of 1608	2404	bffcb3b265905dcd15503d306cf6faae.exe	34
PID 2404 wrote to memory of 1608	2404	bffcb3b265905dcd15503d306cf6faae.exe	34
PID 2404 wrote to memory of 1608	2404	bffcb3b265905dcd15503d306cf6faae.exe	34
PID 2404 wrote to memory of 2080	2404	bffcb3b265905dcd15503d306cf6faae.exe	35
PID 2404 wrote to memory of 2080	2404	bffcb3b265905dcd15503d306cf6faae.exe	35
PID 2404 wrote to memory of 2080	2404	bffcb3b265905dcd15503d306cf6faae.exe	35
PID 2404 wrote to memory of 2080	2404	bffcb3b265905dcd15503d306cf6faae.exe	35
PID 2404 wrote to memory of 2640	2404	bffcb3b265905dcd15503d306cf6faae.exe	36
PID 2404 wrote to memory of 2640	2404	bffcb3b265905dcd15503d306cf6faae.exe	36
PID 2404 wrote to memory of 2640	2404	bffcb3b265905dcd15503d306cf6faae.exe	36
PID 2404 wrote to memory of 2640	2404	bffcb3b265905dcd15503d306cf6faae.exe	36
PID 2404 wrote to memory of 2560	2404	bffcb3b265905dcd15503d306cf6faae.exe	37
PID 2404 wrote to memory of 2560	2404	bffcb3b265905dcd15503d306cf6faae.exe	37
PID 2404 wrote to memory of 2560	2404	bffcb3b265905dcd15503d306cf6faae.exe	37
PID 2404 wrote to memory of 2560	2404	bffcb3b265905dcd15503d306cf6faae.exe	37

System policy modification 1 TTPs 48 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bffcb3b265905dcd15503d306cf6faae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bffcb3b265905dcd15503d306cf6faae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	bffcb3b265905dcd15503d306cf6faae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\bffcb3b265905dcd15503d306cf6faae.exe
"C:\Users\Admin\AppData\Local\Temp\bffcb3b265905dcd15503d306cf6faae.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Sets file execution options in registry
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2404
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
  C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1328
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:936
- - C:\Windows\SysWOW64\Kantuk.exe
    C:\Windows\system32\Kantuk.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Sets file execution options in registry
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1972
- - C:\Windows\SysWOW64\4K51K4.exe
    C:\Windows\system32\4K51K4.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Sets file execution options in registry
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2520
- - C:\Windows\SysWOW64\K0L4B0R451.exe
    C:\Windows\system32\K0L4B0R451.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Sets file execution options in registry
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2208
- - C:\Windows\SysWOW64\GoldenGhost.exe
    C:\Windows\system32\GoldenGhost.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Sets file execution options in registry
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1704
- C:\Windows\SysWOW64\Kantuk.exe
  C:\Windows\system32\Kantuk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1608
- C:\Windows\SysWOW64\4K51K4.exe
  C:\Windows\system32\4K51K4.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2080
- C:\Windows\SysWOW64\K0L4B0R451.exe
  C:\Windows\system32\K0L4B0R451.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2640
- C:\Windows\SysWOW64\GoldenGhost.exe
  C:\Windows\system32\GoldenGhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Aut0exec.bat

Filesize
323KB

MD5
6d2f89c4ce4cd43940d040a2d1a591df

SHA1
944f4ba3b3748d04e1537d160942899dc8735c68

SHA256
f9ed7e10b18820df54db59a947a5f0743a7ecc9aabdceb84a045698398631d9f

SHA512
0b2023331665f84f15aa4fec329e2442f737462c7e30a97e0ba0314c9bfcccdf44cdc9b25913679b490c76d5bcabc6bac14fc610a05216d460c12a92665791b3

Download Submit
C:\Aut0exec.bat

Filesize
323KB

MD5
fecc8cb5f436ba2f7c701a2448d4fa79

SHA1
ef7d5a718fcd95a6258793c7f6095285144c018e

SHA256
52a093329a465345ff5c74153168f7da5a481da597e91f2586cc412f99b062d4

SHA512
e5a35df5510eef45df3534e569030aa37728baec2d28b30b204a13fe42f84db9a95fedafd74e4debfb39d73f19b2d0686319d05d937ef8fb512bca05e330aa3b

Download Submit
C:\Aut0exec.bat

Filesize
64KB

MD5
7e72548fe5e8848cadfbe53d649f387c

SHA1
4b6b7b167d0f2c27545e412c7e658c0f90c3c5ac

SHA256
b0593d00eb733f4631eaf5cd86573bcde525d843a14e1337644f85d63814758f

SHA512
143fbf5ff2babb5c83f368ed3de114021c717232b03b4f056dfb40ffc30bc9024c2a3890de64be133024b2a5a8c0c78f794f71c0c7e3a7ca5c869597b3d68ed5

Download Submit
C:\Aut0exec.bat.tmp

Filesize
323KB

MD5
506e54e19f7066be422d5b1884520503

SHA1
f1ae9b5b0169feb74deb88f6aabe7dea42951fef

SHA256
6268fa55eaae91f5a8fb636f18338e772e85381aa13259f65914ad00a2a6b3ee

SHA512
34defc1f764594e05cde28fcf90967cf42d22c2f5e434dd02016c3de41d5c37d252c9ea99d12c3f69ad23eb355964745d3b9a7746c6aee73800e190fbee649f2

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif

Filesize
323KB

MD5
aae025e5c850f23b0540a7421dbcc5a5

SHA1
f8cd4202b941020e51b1dd4cc11a3be4c00b5d08

SHA256
e2cddf7d774502376bf4ac10df8593c43a255e63b2e7fa8fcb5556ba31a2307a

SHA512
f09e5098ffb8deb3a705908285ed4684d27884bca91f475527f7cfbac31674072c0b0302b227a7819ce2b6f4cedeed30ee4af6aca6a81ec5841b6a3193311c71

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif.tmp

Filesize
323KB

MD5
c06d89868e117b81949d0fcf78be7d04

SHA1
024086da9551325fd6da28bef0508ad7f65ca302

SHA256
6a17417552edba8ceba009fa292ac37998a26f6187d730f8319b211de3f0dcff

SHA512
7385a2ac30b426c7999ff2d7ad385c67af052187b9b96d96b25ab57234564858c80bd707fdfb88fc27e23f193b633f5eea5355c6826eee3cf33e20a5aeffdfc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

Filesize
323KB

MD5
24f4f2397fdd7c99fba669aec226b944

SHA1
88c6fce14fbb407b511ffac14b0db8e0232d7fe8

SHA256
c0ebcb8f81e22319ecd93bc89eed3cc2c7163f8ed46911ecf817f95e80da34ec

SHA512
741dc1866212cb2c13dcd7616c51a8316ed9ff776f29dea914dda79f1539ef1f4d75e91a9cb20065e7597397ba3fb11d9830572ecc910c67c63ec59bcc09f26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

Filesize
323KB

MD5
09b3d0257fee6eb8c3faa985fefdaa0e

SHA1
d4f1237e6a14ea1617fa09c33b80cd567e02acd9

SHA256
f55fd9bfada83a171e0d7a2de7757817cf63c010d972a8177b1bb189c8945838

SHA512
0c691175154c34fca47cd8c53e8a7891a27537215f4f7de38261f73f9943339017f7e9cc5378972fea923af346ae1740c84916f5283ccad641728e39bbf87fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

Filesize
323KB

MD5
1d3813850de5d2e4953937eb905b818b

SHA1
a3b7945f83305d18e2a4a5f7600dfccd015c98a5

SHA256
e4917832c69d5fdf591de2d352f34fd42dfbdf505e50d0c85c6de300b21f122a

SHA512
0d3ee04e8931378e0080f9285e0a2bcc535d456cdb58cddc4181722e5cb2b7404a69fe7d44b1c364a7f8fc6388183a4517ef314844e737401314ef227735b965

Download Submit
C:\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
4e69daef7693a9ff712f99966e59e43d

SHA1
5b079a68163d131c0135e9220d2b7c6d96a84c4a

SHA256
938e329edc54609048665f010e299f7c29507fc128a9722ad6dda07fc8af39af

SHA512
9610971a46d497e39782d94739f63523bbb48afc3869536e549da1ecd28e1c678622b5eb3ca3d1accf37ae7c67e2df1e49716f9dada68822883c5edaf5ef3638

Download Submit
C:\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
e7627572fe96747162e987082c642801

SHA1
d95c107d51edda92fafc32fcbd8d9009363a5167

SHA256
a056b423d72e4bff0ea136d7bf6885ae8a954055d0bf8ec5e528c4e281af2db0

SHA512
0aa809d3fc0b5c668e64717a9d7dc9d3278429fbc41470a4cad1598e7c1051b5f6c5bea838f065886571b46c79cf44470345a3c8ad5187fa297690f805cff6f1

Download Submit
C:\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
90ab68de8be8b50b4a72d0adb7937b77

SHA1
bb827c627f82bd3a9002e906ba17a749f4b103b5

SHA256
17806ffc096d1249d3f27e2aa21fe1bb582ef71b5f329e22f924874f1b1511c7

SHA512
b46e0447d614208ecc023c4848f07d704bac354a1231c1cbed4d08c932d15d74737a0cda1d6594e7a58965e662b5c55fd5d88e73f3b89d8fa54d0a098df5a9f8

Download Submit
C:\Windows\SysWOW64\4K51K4.exe.tmp

Filesize
323KB

MD5
2796a81c8af547b8af82e821064896f6

SHA1
9d25ef519c9f36ce1fb2d0873e2bf14a7828ae33

SHA256
2f3c9e031d1a4c889a508ae176f0ec3777664db44730bbe4dee1fff537544593

SHA512
98757b7a5246014eb6d5dc21bccfd3e896eb543f037a70b20185dd987359ffebad0077ac18a451a5ba272386ff0823ffbf5aaabf21c953b0d5d456c96fbcbc0d

Download Submit
C:\Windows\SysWOW64\Folder.ico

Filesize
7KB

MD5
d7f9d9553c172cba8825fa161e8e9851

SHA1
e45bdc6609d9d719e1cefa846f17d3d66332a3a0

SHA256
cd2e513851d519098acef16d191188ac2586d2174dfd1a84f4db7f41a6970086

SHA512
a03a806d9db86c0c4f6f8efc4b40008aa51f1625fc1c703a929bfa57a5caf962119b3c76044775af607d4ee1a8a671e1d0a2be66d19ee551717398f9ddc8ad24

Download Submit
C:\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
e8d34586e653cd3d4c945ddfadbc8109

SHA1
5f98094efd8798d2054bd72e4378f1201f7bf15d

SHA256
baf49fac2742120caad6a03ce050a940f402d0317f5422040aed8bcde84013e5

SHA512
4396a4721c6156ff464c122fc1f49b4619fe667cdc8e66f3db066d14bdc78ae23e1e3ad14c7b1c09d7535f06fb543f70ff2df1bb2f7880f12e776d639b2520eb

Download Submit
C:\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
bffcb3b265905dcd15503d306cf6faae

SHA1
5971fb2aa44163d1ad18a13a00e7836dc1634f82

SHA256
788e90f6c82a39bee2f10e7a24b8673142d61564811d6c182da3b9093f8b7c81

SHA512
cd2db0b5f3c870599ef928f13ce0cc80122bb93c99e1c5a7b05b957b2fb5b0306009de5f254d81721c0fc85800acfa0b07542f9aec2d7dec1b793a2a391f7067

Download Submit
C:\Windows\SysWOW64\GoldenGhost.exe.tmp

Filesize
323KB

MD5
dd10dab154c01dec5f447ccc62fa11a6

SHA1
10fb2f9607aeb1447e27f06e5a2eb9a5c98c45f5

SHA256
185329d972775a21a3433106ace7b884798c41737ac3a27e331b4c299f2bb76c

SHA512
1cf8d1456aca976470b9b4ee073cd434f7a668ac08e974d4b0105b2ce217c197d355939c484c56fab0d5ad1077974c2e326cb22a1928655522d92e7cebee5238

Download Submit
C:\Windows\SysWOW64\GoldenGhost.exe.tmp

Filesize
323KB

MD5
a49d71e03a18294410c3ba747b173132

SHA1
4d5b1eb39b5fab9db7c32e4c2e01299d6d14cbf9

SHA256
2754084a48525fa2ce6a8b64c980a9a04f4a392673569cdaf7aed734047fb7b5

SHA512
b07e6c65d3a8cd365e90343e5850b1745fe82add9a2468c3d939d41c9ef5ebc4a2cbf78cbf0b3a0de8348a10b625f7a70ce50f5b6385c3fc35ce19b63ce1dc47

Download Submit
C:\Windows\SysWOW64\K0L4B0R451.exe

Filesize
323KB

MD5
d4455c8442f495731b2836c5ac1ee2f2

SHA1
38346b47977ec73ac116c3ab72643433d1c8233b

SHA256
daeba9134d1d54fa8237d12acde258ba49f1225a02ee11ae4611b2964a316595

SHA512
f8ca7840001ec3d1a7c3e4bc38e8e8749c35cfbc637cf6b16f65490d2b8c94f6b905bb7562ff3ec085e03944a2104af9a4d084ea6c601cf56ac3f5c1c567d013

Download Submit
C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

Filesize
323KB

MD5
cfa19e14f738d282b4016f2abb59dbfa

SHA1
03cf162ffc0dd0e1669885806360b6b1d26f16df

SHA256
17647d78dad702a5bff5606f0d93875eba3fafa7dfa2bc8f09ee669412efabf0

SHA512
9e86cff14512041706723f3588f7e6a8e8201e64a748c18f8d399412c0b29f4f98afb193dfdf56655a38df3b6109add1594e4373f5c5fb8dda451c9d7b8b4c7a

Download Submit
C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

Filesize
323KB

MD5
0544c16f37a4dc3bde2af58efc70b365

SHA1
e4a5d4bff0013d8a5e0f220c5807c1d27aeaafe4

SHA256
991fd23459bdd117293488ce535d396724b50110a7cfb974723ccd916566a8b5

SHA512
069f453c1a50cdd986f5e9bd650ab9fc00765de27e44e0c19b529abd15f015f7605795f4e0ff94e4e4961ca9a3e7a1cfed0577bdc498408b50c736ea967d1ac0

Download Submit
C:\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
caa8c01c3690a760fa3dda2a17872a52

SHA1
e2cd6c83facdd9380cc0b221aa1893f89fca0eda

SHA256
61a2f3c02300a8db8b0b15b86f9867725808a32d0aaae9bdfe699980f2739bf9

SHA512
15b802c9ee92cb39dec1fe46d59db46aa57c22dc0506d36d9d56261fb4f9f5c0c8795ffb24d17b1cb6a4ddc20465d7e9767d4801c09bc49352c6ce9eda419dcc

Download Submit
C:\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
05431426d9ef30ba1bc72d4fe53ce04c

SHA1
93cba6fe656ac7cc49f2711a3d69a141702c642a

SHA256
022bd2132ccb6486a3ed8ce3b60f88e09a5feaf91abf991feeda0c9b161b5e7b

SHA512
dfe5def0f34c1a71c3e1b43b4cd21d9767922a1ee3850c773e739854776916c123c46da9244043b6d5490dddcda0748e1a0cafe31d6b87bd34f1766cd562e244

Download Submit
C:\Windows\SysWOW64\Kantuk.exe.tmp

Filesize
323KB

MD5
23853cc6aa4086715f3d3a86db60096a

SHA1
d72cd79f619457833138816dfe75605a59f2a2ee

SHA256
17ff6f36800f502727263cdbe26814a2b7a6d4884886b625f29589434e922675

SHA512
9b2f175eb60f5d8f47d35f62e6c0ae205582916a10de3dcd10fe4c6e10765c002f1ec82caaadc0775d346e45a81bd0e4c82ace67d75d13861bf817cbd61a4191

Download Submit
C:\Windows\SysWOW64\Kantuk.exe.tmp

Filesize
323KB

MD5
2f1e9e3378d35ff0a56043ba0c6a19a1

SHA1
963685994e6ae61d80d5843d28b1f4852445e7a9

SHA256
1ba52b97dc0522a3cee414bfa1d2f776baa26ef2be9606f6292b1aaf3720e3a1

SHA512
e508486b2dd809976b22b566b749e87425dd0ae4fa3d01f329186f37a48b199a7a92831396569a8848383af2f8e4c414d1d7aeeed5fbb5c3a5c1554410367a22

Download Submit
C:\Windows\SysWOW64\Player.ico

Filesize
2KB

MD5
43be35d4fb3ebc6ca0970f05365440e3

SHA1
87bc28e5d9a6ab0c79a07118ca578726ce61b1bc

SHA256
5a15c1aab77f132e7ce5928996919ed66564c6082a7f94d0a42229c480113fc5

SHA512
b2e24ff3702805d2ff8ecf3ddde8a8e6258965f992f37104c2ed9b763e1448ab32c7609a607e1d90cfba281e7add1e839855656d6453433a42c0d6c8923c9395

Download Submit
C:\Windows\SysWOW64\Shell32.com

Filesize
323KB

MD5
628d7e7f3870cdd1423354e0af41e844

SHA1
9a91422817c3b3176e3fc5fd5e5004cee4fa7edf

SHA256
185621c268df14180852d020357ba73f401cbcbb89f7a43baa0f0853d95f9384

SHA512
5e16f0fa18167252e7951fdfc07066dbec7b09bf978f7ba49e153be27f6a2c1a1b31bd0117c6b9e78070ce997469ba09297603ec8cb4908f799b6b4bab13da7e

Download Submit
C:\Windows\SysWOW64\Shell32.com.tmp

Filesize
323KB

MD5
185029d8e3462485453ce880e7b0c3d3

SHA1
7a2704499a575e32c298899f53f51fa5095dadd6

SHA256
45878565211ae467b2ce7308c415d97b94052e969c377b92c2b0d134f2c6f0a3

SHA512
33fa151b7e6ebcd178cb7e17cb3ce29a10d3224ffe0f7372ca64b7b5dbc724a844e791b2802747ebd9114bff1ff5f331983a66f5847c63ec9e7b16e01df8b61e

Download Submit
C:\Windows\SysWOW64\Shell32.com.tmp

Filesize
323KB

MD5
179a1c04de7142bdb24dff2f7c2e9788

SHA1
bb6647b53effffeb640900c0385acdde95f279ae

SHA256
9ca50051aa9bf76fb1a87f7fb92a67d9b45ba367ea875db763270cd30a3ccb0c

SHA512
a0c790b5d221234d139d8995e8a652d31162202f497c18dd96216c9bdb87e799d9c3bd3609b0af684010237a3ecf4af0c85ddf08d46cd891c5bf5377454e53ae

Download Submit
C:\Windows\SysWOW64\Word.ico

Filesize
3KB

MD5
8482935ff2fab6025b44b5a23c750480

SHA1
d770c46d210c0fd302fa035a6054f5ac19f3bd13

SHA256
dcbcdce04483e9d2d8a5d7779b18b7f64cfc06e758b07f671493e38dfb9ab33c

SHA512
00c711d815815a88fc15f73c8cba6a81b2bfc505baff2cc67b456545151fe896029f11127e447c9bbc5a2d5dc561a06a52be9a9f9c0d28e98ea4e174cdd54398

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico

Filesize
2KB

MD5
62b7610403ea3ac4776df9eb93bf4ba4

SHA1
b4a6cd17516f8fba679f15eda654928dc44dc502

SHA256
b0fd7ffb4c8f0e4566658a7284ca0652961648aaab44a53c5b9713664b122c29

SHA512
fa1995a21ffe073a15fa00a3a8717492b0a67f3615abe4c7e6bce054bb23cf545e10e21cfe3625b665c8bb199577815dbeccc7c6107cdb49f673b8d53f23888d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp

Filesize
323KB

MD5
a0cc9b8f5aecd5aa8b5ad63efb8e3596

SHA1
2513f200a828f83ed306e56eeb1ae55188fec49e

SHA256
174134e17b39a68658889893e11048940daa92195e9b60536abde12dae5ceb6e

SHA512
5009df3d3823fb817d02e9a9c16a926e31f2e66cc2690e92df560df24ddf33fd8a148af8c70e24959361db58e5ce5cdd74bd5dff0332390a40c73f6847323faa

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp

Filesize
323KB

MD5
443fabf98aa74f9c94c4dd39abffe92a

SHA1
46d7d3c54d641472fb14845c6a3b8c2d5328fa13

SHA256
6260e072bbe8c3d5ece0ccbb70d49b282a8881275b854900df5fc1b7accb2681

SHA512
478bd505e5fd5755037de1222a00192030c88d95fd98e6317153691338ec64922765603ec8050f0ece6c239bd7d6c59ea10c7f100e477809a42a787a7d46b46b

Download Submit
\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
a23f3083c0c9b639a003c1be19cdbf88

SHA1
7d9fc117082cf1768024f00998fc7397b6fb54ff

SHA256
7b4aabb6803e39d9e9fbecf02010d2ae5f7d11896c6c7bc8afd14b6a19e58c08

SHA512
25e5d4e4650a5f7efd849d1c8490f1f45027919a8bda35e2066c3c1b9c49c5af60d2c9c3619de7cacfc4d34622dcbb117488a6b58150071248d54de58f6c82ff

Download Submit
\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
5fcc9595184479c6e1fd80f78029e615

SHA1
ccb9ce79441b1e795d0cc7c9ba8855cdae3eac0a

SHA256
7aca30db8e714af715122763b75b8fdc4ad4e8dce1c97f8f8f89bdddb45fbe87

SHA512
7d7099b524ed4c4004ec71a51c73eda2b2fb357904fa655e4f9421756b4c5cfd5fba0209afb566a77afd29d72ca21c4c9cbe2ad012f02aed9b967ff2102eb962

Download Submit
\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
19cf50fca373feeeb84a59b881d91916

SHA1
b800e6683952294dc83cb27c9ee1a5d060abad56

SHA256
6558eb79d122ad300bfdcbc47e189595bab946e8afb2891e09ce9d4b937accf6

SHA512
35ddfce5cc3e30460eb350086b05fd26de4305e11092cbe84b3f4dc2e8a2fe2b7b63f00c224905f6da61bb5d35139a159f26a49128ebad99ca15de5c560099a7

Download Submit
memory/1328-211-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1704-362-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1972-323-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2208-352-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2404-0-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2520-346-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads