Analysis
-
max time kernel
152s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25-11-2022 07:39
Static task
static1
Behavioral task
behavioral1
Sample
753061b696cf1a88a29ef2faf43753547f12563bea7210351205b7f9dc032686.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
753061b696cf1a88a29ef2faf43753547f12563bea7210351205b7f9dc032686.exe
Resource
win10v2004-20220812-en
General
-
Target
753061b696cf1a88a29ef2faf43753547f12563bea7210351205b7f9dc032686.exe
-
Size
119KB
-
MD5
e1c86402102193d7513f774e10183316
-
SHA1
a83ed3d982bb03e69e1401077f452b4ea2356f49
-
SHA256
753061b696cf1a88a29ef2faf43753547f12563bea7210351205b7f9dc032686
-
SHA512
aec3d96c7fbebb87cfac84b8a419bae7333c1a71b6642d9011e04dc0e615015a57c2e6d0504f1ed9cf9b686e7bcb58cc1b72d718178797ba00c418b427409ebc
-
SSDEEP
3072:RuJmRt+O9qCDYuGJixWjNmBGlF36+T/c/:PRUCjFfG3hc
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
ghost.exepid process 2200 ghost.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
753061b696cf1a88a29ef2faf43753547f12563bea7210351205b7f9dc032686.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 753061b696cf1a88a29ef2faf43753547f12563bea7210351205b7f9dc032686.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
ghost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a837f6c4e038081ba6f098f3f9647f80 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ghost.exe\" .." ghost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a837f6c4e038081ba6f098f3f9647f80 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ghost.exe\" .." ghost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
Processes:
ghost.exedescription pid process Token: SeDebugPrivilege 2200 ghost.exe Token: 33 2200 ghost.exe Token: SeIncBasePriorityPrivilege 2200 ghost.exe Token: 33 2200 ghost.exe Token: SeIncBasePriorityPrivilege 2200 ghost.exe Token: 33 2200 ghost.exe Token: SeIncBasePriorityPrivilege 2200 ghost.exe Token: 33 2200 ghost.exe Token: SeIncBasePriorityPrivilege 2200 ghost.exe Token: 33 2200 ghost.exe Token: SeIncBasePriorityPrivilege 2200 ghost.exe Token: 33 2200 ghost.exe Token: SeIncBasePriorityPrivilege 2200 ghost.exe Token: 33 2200 ghost.exe Token: SeIncBasePriorityPrivilege 2200 ghost.exe Token: 33 2200 ghost.exe Token: SeIncBasePriorityPrivilege 2200 ghost.exe Token: 33 2200 ghost.exe Token: SeIncBasePriorityPrivilege 2200 ghost.exe Token: 33 2200 ghost.exe Token: SeIncBasePriorityPrivilege 2200 ghost.exe Token: 33 2200 ghost.exe Token: SeIncBasePriorityPrivilege 2200 ghost.exe Token: 33 2200 ghost.exe Token: SeIncBasePriorityPrivilege 2200 ghost.exe Token: 33 2200 ghost.exe Token: SeIncBasePriorityPrivilege 2200 ghost.exe Token: 33 2200 ghost.exe Token: SeIncBasePriorityPrivilege 2200 ghost.exe Token: 33 2200 ghost.exe Token: SeIncBasePriorityPrivilege 2200 ghost.exe Token: 33 2200 ghost.exe Token: SeIncBasePriorityPrivilege 2200 ghost.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
753061b696cf1a88a29ef2faf43753547f12563bea7210351205b7f9dc032686.exeghost.exedescription pid process target process PID 4648 wrote to memory of 2200 4648 753061b696cf1a88a29ef2faf43753547f12563bea7210351205b7f9dc032686.exe ghost.exe PID 4648 wrote to memory of 2200 4648 753061b696cf1a88a29ef2faf43753547f12563bea7210351205b7f9dc032686.exe ghost.exe PID 4648 wrote to memory of 2200 4648 753061b696cf1a88a29ef2faf43753547f12563bea7210351205b7f9dc032686.exe ghost.exe PID 2200 wrote to memory of 404 2200 ghost.exe netsh.exe PID 2200 wrote to memory of 404 2200 ghost.exe netsh.exe PID 2200 wrote to memory of 404 2200 ghost.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\753061b696cf1a88a29ef2faf43753547f12563bea7210351205b7f9dc032686.exe"C:\Users\Admin\AppData\Local\Temp\753061b696cf1a88a29ef2faf43753547f12563bea7210351205b7f9dc032686.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Users\Admin\AppData\Local\Temp\ghost.exe"C:\Users\Admin\AppData\Local\Temp\ghost.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\ghost.exe" "ghost.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:404
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ghost.exeFilesize
119KB
MD5e1c86402102193d7513f774e10183316
SHA1a83ed3d982bb03e69e1401077f452b4ea2356f49
SHA256753061b696cf1a88a29ef2faf43753547f12563bea7210351205b7f9dc032686
SHA512aec3d96c7fbebb87cfac84b8a419bae7333c1a71b6642d9011e04dc0e615015a57c2e6d0504f1ed9cf9b686e7bcb58cc1b72d718178797ba00c418b427409ebc
-
C:\Users\Admin\AppData\Local\Temp\ghost.exeFilesize
119KB
MD5e1c86402102193d7513f774e10183316
SHA1a83ed3d982bb03e69e1401077f452b4ea2356f49
SHA256753061b696cf1a88a29ef2faf43753547f12563bea7210351205b7f9dc032686
SHA512aec3d96c7fbebb87cfac84b8a419bae7333c1a71b6642d9011e04dc0e615015a57c2e6d0504f1ed9cf9b686e7bcb58cc1b72d718178797ba00c418b427409ebc
-
memory/404-138-0x0000000000000000-mapping.dmp
-
memory/2200-133-0x0000000000000000-mapping.dmp
-
memory/2200-137-0x0000000074F70000-0x0000000075521000-memory.dmpFilesize
5.7MB
-
memory/2200-139-0x0000000074F70000-0x0000000075521000-memory.dmpFilesize
5.7MB
-
memory/4648-132-0x0000000074F70000-0x0000000075521000-memory.dmpFilesize
5.7MB
-
memory/4648-136-0x0000000074F70000-0x0000000075521000-memory.dmpFilesize
5.7MB