Analysis
-
max time kernel
142s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system -
submitted
19-03-2023 04:09
Behavioral task
behavioral1
Sample
9db6e32b706235b07706d22f35eaa4cdb92c3c66acccc7f9b89f65ef819eb657.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
9db6e32b706235b07706d22f35eaa4cdb92c3c66acccc7f9b89f65ef819eb657.exe
Resource
win10v2004-20230221-en
General
-
Target
9db6e32b706235b07706d22f35eaa4cdb92c3c66acccc7f9b89f65ef819eb657.exe
-
Size
1.5MB
-
MD5
e1bd4fb175ce3cc7fcf71c3fb23af564
-
SHA1
503f2207e2932b968c95e407358d2ac0233006e1
-
SHA256
9db6e32b706235b07706d22f35eaa4cdb92c3c66acccc7f9b89f65ef819eb657
-
SHA512
0e1e4f20a8f27b0216d4216e661cdf7671c2a161a3c9bcdf4d0e8a4c9e59c858ee72b372c363e0e12f4a75dd6082a9337790da0edbf3d2f1b635d6754b1b048f
-
SSDEEP
24576:EiNAsL1KSIBjSCp26JLJd9uWMnArfLzI36hdYGdvubM2leJgInedj495KVY8Dup3:EOA+peSa2uLJFMnArfLxhdYQvuFlWXnK
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
4368  ghost32.exe -
Processes:
resource                                                                      yara_rule
behavioral2/memory/1716-133-0x0000000000090000-0x0000000000282000-memory.dmp  upx
C:\Users\Admin\AppData\Local\Temp\aut6660.tmp                                 upx
C:\Users\Admin\AppData\Local\Temp\ghost32.exe                                 upx
C:\Users\Admin\AppData\Local\Temp\ghost32.exe                                 upx
behavioral2/memory/4368-144-0x0000000000400000-0x0000000000790000-memory.dmp  upx
behavioral2/memory/1716-145-0x0000000000090000-0x0000000000282000-memory.dmp  upx
behavioral2/memory/4368-146-0x0000000000400000-0x0000000000790000-memory.dmp  upx
behavioral2/memory/1716-148-0x0000000000090000-0x0000000000282000-memory.dmp  upx
behavioral2/memory/4368-152-0x0000000000400000-0x0000000000790000-memory.dmp  upx
behavioral2/memory/4368-153-0x0000000000400000-0x0000000000790000-memory.dmp  upx
behavioral2/memory/4368-154-0x0000000000400000-0x0000000000790000-memory.dmp  upx
behavioral2/memory/4368-158-0x0000000000400000-0x0000000000790000-memory.dmp  upx
behavioral2/memory/4368-159-0x0000000000400000-0x0000000000790000-memory.dmp  upx -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description              ioc     process
File opened (read-only)  \??\D:  ghost32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description                   ioc                 process
File opened for modification  \??\PhysicalDrive0  ghost32.exe -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource                                                                      yara_rule
behavioral2/memory/1716-133-0x0000000000090000-0x0000000000282000-memory.dmp  autoit_exe
behavioral2/memory/1716-145-0x0000000000090000-0x0000000000282000-memory.dmp  autoit_exe
behavioral2/memory/1716-148-0x0000000000090000-0x0000000000282000-memory.dmp  autoit_exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description                       pid   process                                                                  target process
PID 1716 wrote to memory of 4368  1716  9db6e32b706235b07706d22f35eaa4cdb92c3c66acccc7f9b89f65ef819eb657.exe  ghost32.exe
PID 1716 wrote to memory of 4368  1716  9db6e32b706235b07706d22f35eaa4cdb92c3c66acccc7f9b89f65ef819eb657.exe  ghost32.exe
PID 1716 wrote to memory of 4368  1716  9db6e32b706235b07706d22f35eaa4cdb92c3c66acccc7f9b89f65ef819eb657.exe  ghost32.exe
Processes
-
1  C:\Users\Admin\AppData\Local\Temp\9db6e32b706235b07706d22f35eaa4cdb92c3c66acccc7f9b89f65ef819eb657.exe
   "C:\Users\Admin\AppData\Local\Temp\9db6e32b706235b07706d22f35eaa4cdb92c3c66acccc7f9b89f65ef819eb657.exe"
- Suspicious use of WriteProcessMemory
-
2    C:\Users\Admin\AppData\Local\Temp\ghost32.exe
     C:\Users\Admin\AppData\Local\Temp\ghost32.exe
- Executes dropped EXE
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\aut6660.tmp
Filesize  1.0MB
MD5       e85ec5451f3ba04e881d7cb599981a12
SHA1      72189b3e4c8806976f67d8d175981acfaeb61bb0
SHA256    1331f9996132b340524b70bc6461790277c23d0dc37ef9a84a3b2df49fbb96cc
SHA512    5b0bb58076dc6c03dc4816b9e017f616950dd92fb1e017fd92517aab69276c540c1912913426707052fd77b8e3b19f660497c9b32aa1e4716d2eb0caa19d9b2a
-
C:\Users\Admin\AppData\Local\Temp\ghost32.exe
Filesize  1.0MB
MD5       e85ec5451f3ba04e881d7cb599981a12
SHA1      72189b3e4c8806976f67d8d175981acfaeb61bb0
SHA256    1331f9996132b340524b70bc6461790277c23d0dc37ef9a84a3b2df49fbb96cc
SHA512    5b0bb58076dc6c03dc4816b9e017f616950dd92fb1e017fd92517aab69276c540c1912913426707052fd77b8e3b19f660497c9b32aa1e4716d2eb0caa19d9b2a
-
C:\Users\Admin\AppData\Local\Temp\ghost32.exe
Filesize  1.0MB
MD5       e85ec5451f3ba04e881d7cb599981a12
SHA1      72189b3e4c8806976f67d8d175981acfaeb61bb0
SHA256    1331f9996132b340524b70bc6461790277c23d0dc37ef9a84a3b2df49fbb96cc
SHA512    5b0bb58076dc6c03dc4816b9e017f616950dd92fb1e017fd92517aab69276c540c1912913426707052fd77b8e3b19f660497c9b32aa1e4716d2eb0caa19d9b2a
-
memory/1716-133-0x0000000000090000-0x0000000000282000-memory.dmp
Filesize  1.9MB
-
memory/1716-148-0x0000000000090000-0x0000000000282000-memory.dmp
Filesize  1.9MB
-
memory/1716-145-0x0000000000090000-0x0000000000282000-memory.dmp
Filesize  1.9MB
-
memory/4368-146-0x0000000000400000-0x0000000000790000-memory.dmp
Filesize  3.6MB
-
memory/4368-144-0x0000000000400000-0x0000000000790000-memory.dmp
Filesize  3.6MB
-
memory/4368-152-0x0000000000400000-0x0000000000790000-memory.dmp
Filesize  3.6MB
-
memory/4368-153-0x0000000000400000-0x0000000000790000-memory.dmp
Filesize  3.6MB
-
memory/4368-154-0x0000000000400000-0x0000000000790000-memory.dmp
Filesize  3.6MB
-
memory/4368-158-0x0000000000400000-0x0000000000790000-memory.dmp
Filesize  3.6MB
-
memory/4368-159-0x0000000000400000-0x0000000000790000-memory.dmp
Filesize  3.6MB