45bb2670cdc134db08057ea0588f7c36e88c894cd138e02b6770173ab478b753

Analysis

max time kernel
151s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2023 05:56

Target

45bb2670cdc134db08057ea0588f7c36e88c894cd138e02b6770173ab478b753.exe
Size

837KB
MD5

4adfb6f8016814ec30963ff701589e79
SHA1

d2f931ce591279253fe864e7bf321a9b63efdabe
SHA256

45bb2670cdc134db08057ea0588f7c36e88c894cd138e02b6770173ab478b753
SHA512

6cf73737da5ce83f8d2b40de9b7a7e1cb3b8e6cf7d56ac78d50c5c05890a4ae978304bb478d6062a7ed7a21f25ec6bc61e0755c63c1be7dafbc58ba395e74129
SSDEEP

12288:1CWAgK7+OPpibO9Ntm0gpy456IElQUnByNfJvSdfDzNSjYcwhtGL0iIzg:VYqsNtm0ggiaQ0BybvinmYSLO

Score

6^/10

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

45bb2670cdc134db08057ea0588f7c36e88c894cd138e02b6770173ab478b753.exe

description ioc process

File opened (read-only) \??\B: 45bb2670cdc134db08057ea0588f7c36e88c894cd138e02b6770173ab478b753.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened (read-only)	\??\B:	45bb2670cdc134db08057ea0588f7c36e88c894cd138e02b6770173ab478b753.exe

Modifies registry class 8 IoCs

Processes:

45bb2670cdc134db08057ea0588f7c36e88c894cd138e02b6770173ab478b753.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ghost	45bb2670cdc134db08057ea0588f7c36e88c894cd138e02b6770173ab478b753.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ghost\ = "Ghost ????"	45bb2670cdc134db08057ea0588f7c36e88c894cd138e02b6770173ab478b753.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ghost\shell\open\command	45bb2670cdc134db08057ea0588f7c36e88c894cd138e02b6770173ab478b753.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ghost\shell	45bb2670cdc134db08057ea0588f7c36e88c894cd138e02b6770173ab478b753.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ghost\shell\open	45bb2670cdc134db08057ea0588f7c36e88c894cd138e02b6770173ab478b753.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ghost\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\45BB26~1.EXE \"%1\""	45bb2670cdc134db08057ea0588f7c36e88c894cd138e02b6770173ab478b753.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gho	45bb2670cdc134db08057ea0588f7c36e88c894cd138e02b6770173ab478b753.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gho\ = "Ghost"	45bb2670cdc134db08057ea0588f7c36e88c894cd138e02b6770173ab478b753.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

45bb2670cdc134db08057ea0588f7c36e88c894cd138e02b6770173ab478b753.exe

pid process

1876 45bb2670cdc134db08057ea0588f7c36e88c894cd138e02b6770173ab478b753.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

45bb2670cdc134db08057ea0588f7c36e88c894cd138e02b6770173ab478b753.exe

pid	process
1876	45bb2670cdc134db08057ea0588f7c36e88c894cd138e02b6770173ab478b753.exe
1876	45bb2670cdc134db08057ea0588f7c36e88c894cd138e02b6770173ab478b753.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1876-133-0x0000000000400000-0x00000000005EC000-memory.dmp

Filesize
1.9MB

Download
memory/1876-135-0x0000000000400000-0x00000000005EC000-memory.dmp

Filesize
1.9MB

Download