Analysis
- max time kernel: 119s
- max time network: 118s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 04-07-2022 04:59
- Static task: static1
- Behavioral task: behavioral1
- Sample: ghost.exe
- Resource: win7-20220414-en
General
- Target: ghost.exe
- Size: 78KB
- MD5: d7d0564f6660199dfa918a5cfbffe490
- SHA1: 726988b123d3ede065c515707d4172408517510b
- SHA256: 0f98cc9005f90608a75dbbc44900d421a0f36bfed48f491fce45902ba138e988
- SHA512: e755dec73cdc0bae337e677a4c8e129f57bfffec6bbe8f731e73e0d4c68bdb10eb1bdfbe9fdd8e0edfac594963a8bc8ece5e5da3d8482e33b79081995e6fd35e
Malware Config
Signatures
- Async RAT payload (1 IoC)
  - resource: behavioral2/memory/1772-130-0x0000000000400000-0x0000000000417000-memory.dmp (yara_rule: asyncrat)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - ghost.exe: key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  - taskmgr.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  - taskmgr.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  - taskmgr.exe: key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - pid 560 powershell.exe (2 occurrences)
  - pid 1980 taskmgr.exe (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  - pid 560 powershell.exe: Token: SeDebugPrivilege
  - pid 1980 taskmgr.exe: Token: SeDebugPrivilege
  - pid 1980 taskmgr.exe: Token: SeSystemProfilePrivilege
  - pid 1980 taskmgr.exe: Token: SeCreateGlobalPrivilege
- Suspicious use of FindShellTrayWindow (14 IoCs)
  - pid 1980 taskmgr.exe (14 occurrences)
- Suspicious use of SendNotifyMessage (14 IoCs)
  - pid 1980 taskmgr.exe (14 occurrences)
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 1772 ghost.exe wrote to memory of PID 560 powershell.exe (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\ghost.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ghost.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\Users\Admin\AppData\Local\Temp\ghost.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe (depth 1)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/560-136-0x0000000005FF0000-0x0000000006056000-memory.dmp (408KB)
- memory/560-131-0x0000000000000000-mapping.dmp
- memory/560-132-0x0000000002D80000-0x0000000002DB6000-memory.dmp (216KB)
- memory/560-133-0x00000000057E0000-0x0000000005E08000-memory.dmp (6.2MB)
- memory/560-134-0x0000000005700000-0x0000000005722000-memory.dmp (136KB)
- memory/560-135-0x0000000005E10000-0x0000000005E76000-memory.dmp (408KB)
- memory/560-137-0x00000000066C0000-0x00000000066DE000-memory.dmp (120KB)
- memory/560-138-0x0000000007670000-0x0000000007706000-memory.dmp (600KB)
- memory/560-139-0x0000000006BD0000-0x0000000006BEA000-memory.dmp (104KB)
- memory/560-140-0x0000000006C40000-0x0000000006C62000-memory.dmp (136KB)
- memory/560-141-0x0000000007F30000-0x00000000084D4000-memory.dmp (5.6MB)
- memory/560-142-0x0000000008B60000-0x00000000091DA000-memory.dmp (6.5MB)
- memory/1772-130-0x0000000000400000-0x0000000000417000-memory.dmp (92KB)