Analysis
- max time kernel: 140s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 19-03-2023 04:09
Behavioral task behavioral1
- Sample: 9db6e32b706235b07706d22f35eaa4cdb92c3c66acccc7f9b89f65ef819eb657.exe
- Resource: win7-20230220-en
Behavioral task behavioral2
- Sample: 9db6e32b706235b07706d22f35eaa4cdb92c3c66acccc7f9b89f65ef819eb657.exe
- Resource: win10v2004-20230221-en
General
- Target: 9db6e32b706235b07706d22f35eaa4cdb92c3c66acccc7f9b89f65ef819eb657.exe
- Size: 1.5MB
- MD5: e1bd4fb175ce3cc7fcf71c3fb23af564
- SHA1: 503f2207e2932b968c95e407358d2ac0233006e1
- SHA256: 9db6e32b706235b07706d22f35eaa4cdb92c3c66acccc7f9b89f65ef819eb657
- SHA512: 0e1e4f20a8f27b0216d4216e661cdf7671c2a161a3c9bcdf4d0e8a4c9e59c858ee72b372c363e0e12f4a75dd6082a9337790da0edbf3d2f1b635d6754b1b048f
- SSDEEP: 24576:EiNAsL1KSIBjSCp26JLJd9uWMnArfLzI36hdYGdvubM2leJgInedj495KVY8Dup3:EOA+peSa2uLJFMnArfLxhdYQvuFlWXnK
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: ghost32.exe (pid 1356)
- Loads dropped DLL (1 IoC)
  Processes: 9db6e32b706235b07706d22f35eaa4cdb92c3c66acccc7f9b89f65ef819eb657.exe (pid 1308)
- UPX-packed resources (yara_rule: upx)
  Resources:
  - C:\Users\Admin\AppData\Local\Temp\ghost32.exe (matched 4 times, once as \Users\Admin\AppData\Local\Temp\ghost32.exe)
  - behavioral1/memory/1308-65-0x00000000009E0000-0x0000000000BD2000-memory.dmp
  - behavioral1/memory/1308-72-0x00000000009E0000-0x0000000000BD2000-memory.dmp
  - behavioral1/memory/1356-67-0x0000000000400000-0x0000000000790000-memory.dmp
  - behavioral1/memory/1356-69-0x0000000000400000-0x0000000000790000-memory.dmp
  - behavioral1/memory/1356-77-0x0000000000400000-0x0000000000790000-memory.dmp
  - behavioral1/memory/1356-78-0x0000000000400000-0x0000000000790000-memory.dmp
  - behavioral1/memory/1356-79-0x0000000000400000-0x0000000000790000-memory.dmp
  - behavioral1/memory/1356-80-0x0000000000400000-0x0000000000790000-memory.dmp
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: ghost32.exe opened \??\D: (read-only)
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: ghost32.exe opened \??\PhysicalDrive0 for modification
- AutoIT Executable (2 IoCs)
  AutoIT scripts compiled to PE executables.
  Resources (yara_rule: autoit_exe):
  - behavioral1/memory/1308-65-0x00000000009E0000-0x0000000000BD2000-memory.dmp
  - behavioral1/memory/1308-72-0x00000000009E0000-0x0000000000BD2000-memory.dmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 1308 (9db6e32b706235b07706d22f35eaa4cdb92c3c66acccc7f9b89f65ef819eb657.exe) wrote to memory of PID 1356 (ghost32.exe), reported 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\9db6e32b706235b07706d22f35eaa4cdb92c3c66acccc7f9b89f65ef819eb657.exe (pid 1308, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9db6e32b706235b07706d22f35eaa4cdb92c3c66acccc7f9b89f65ef819eb657.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ghost32.exe (pid 1356, depth 2, child of the process above)
    Command line: C:\Users\Admin\AppData\Local\Temp\ghost32.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\ghost32.exe (listed 4 times, once as \Users\Admin\AppData\Local\Temp\ghost32.exe)
  Filesize: 1.0MB
  MD5: e85ec5451f3ba04e881d7cb599981a12
  SHA1: 72189b3e4c8806976f67d8d175981acfaeb61bb0
  SHA256: 1331f9996132b340524b70bc6461790277c23d0dc37ef9a84a3b2df49fbb96cc
  SHA512: 5b0bb58076dc6c03dc4816b9e017f616950dd92fb1e017fd92517aab69276c540c1912913426707052fd77b8e3b19f660497c9b32aa1e4716d2eb0caa19d9b2a
- memory/1308-72-0x00000000009E0000-0x0000000000BD2000-memory.dmp, Filesize: 1.9MB
- memory/1308-65-0x00000000009E0000-0x0000000000BD2000-memory.dmp, Filesize: 1.9MB
- memory/1308-66-0x00000000037D0000-0x0000000003B60000-memory.dmp, Filesize: 3.6MB
- memory/1356-67-0x0000000000400000-0x0000000000790000-memory.dmp, Filesize: 3.6MB
- memory/1356-69-0x0000000000400000-0x0000000000790000-memory.dmp, Filesize: 3.6MB
- memory/1356-77-0x0000000000400000-0x0000000000790000-memory.dmp, Filesize: 3.6MB
- memory/1356-78-0x0000000000400000-0x0000000000790000-memory.dmp, Filesize: 3.6MB
- memory/1356-79-0x0000000000400000-0x0000000000790000-memory.dmp, Filesize: 3.6MB
- memory/1356-80-0x0000000000400000-0x0000000000790000-memory.dmp, Filesize: 3.6MB