77e1057610728dbf0ca383cce7c48eb6adb17a145d4ad04efb1fbd22f3dbf1f8

Analysis

max time kernel
166s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e00d55dcded5c934c87be7f95974926.exe
Size

56KB
MD5

2e00d55dcded5c934c87be7f95974926
SHA1

ccab0dd3f57c3ca2deb3dbe7fcee179d4f7d5e0f
SHA256

77e1057610728dbf0ca383cce7c48eb6adb17a145d4ad04efb1fbd22f3dbf1f8
SHA512

2b83e5338dfe98b6ae242c91b8c8269d575ae3289d705ba5e7ecae0a5d29285e8b5b06673f9b3ef6ed884db8927a2931da325444faa3540e877444cd7783c6d9
SSDEEP

768:MvC4Xbq8SKfB1i32Sg3RMu104eMCh4HsO5RrZcfJcfl:2Csb7SKJ1i32S4OObg4baO

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ghost.exe

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}	ghost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\ = "ÏµÍ³ÉèÖÃ"	ghost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\stubpath = "%windir%\\Tasks\\hackshen.vbs"	ghost.exe

Executes dropped EXE 1 IoCs

pid	Process
3120	ghost.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	ghost.exe
File opened (read-only)	\??\H:	ghost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\ghost.exe	2e00d55dcded5c934c87be7f95974926.exe
File created	C:\Windows\Tasks\hackshen.vbs	ghost.exe
File opened for modification	C:\Windows\Tasks\hackshen.vbs	ghost.exe
File created	C:\Windows\Tasks\ÂÌ»¯.bat	ghost.exe
File opened for modification	C:\Windows\Tasks\ÂÌ»¯.bat	ghost.exe
File created	C:\Windows\mfxixue.ini	ghost.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1692	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe
3120	ghost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3120	ghost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3284 wrote to memory of 3624	3284	2e00d55dcded5c934c87be7f95974926.exe	90
PID 3284 wrote to memory of 3624	3284	2e00d55dcded5c934c87be7f95974926.exe	90
PID 3284 wrote to memory of 3624	3284	2e00d55dcded5c934c87be7f95974926.exe	90
PID 3624 wrote to memory of 1692	3624	cmd.exe	92
PID 3624 wrote to memory of 1692	3624	cmd.exe	92
PID 3624 wrote to memory of 1692	3624	cmd.exe	92
PID 3624 wrote to memory of 3120	3624	cmd.exe	93
PID 3624 wrote to memory of 3120	3624	cmd.exe	93
PID 3624 wrote to memory of 3120	3624	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\2e00d55dcded5c934c87be7f95974926.exe
"C:\Users\Admin\AppData\Local\Temp\2e00d55dcded5c934c87be7f95974926.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\killme.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:1692
- - C:\Windows\Tasks\ghost.exe
    C:\Windows\Tasks\ghost.exe
    3⤵
    - Drops file in Drivers directory
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\drivers\etc\hosts

Filesize
912B

MD5
48ec95bacc8186d72cce11b9584faeb7

SHA1
0a6900de60be125b545d36a55f56bd0f7db18d32

SHA256
402d34fd239a2ecdc35929964d2ba2b8094fc601cee519955734994c67d3d79c

SHA512
42115db0a178b8ff4f80d932b1c716724f52159c9e00cab154c6b984bbc1a726947c560cf74821a49876b7d9fa491791e5a5ce5a6e3545ee6fd7c5a0bfc6873d

Download Submit
C:\Windows\Tasks\ghost.exe

Filesize
56KB

MD5
c2fd82c8e6284d743bb65f76529cb181

SHA1
68e43a91b0e3b204941d2049c451dfbd10ddcd64

SHA256
8d52f829b6ec99d9b68927d39ee3dfa4ff1c319f78e90b27c1b8b1268f53e283

SHA512
c7064ea3b25766e327cf86adf53538a72d356bfc47b7b30a65f5b1310ebd72ef829081215772a1fba5a9db1c812c30acb35ef5f623857c032d78efa1f8efafb9

Download Submit
C:\Windows\Tasks\hackshen.vbs

Filesize
97B

MD5
1116c85bde2127bf8df9b9f9315fa76e

SHA1
c840088467ed3a448ed113bb1fac61ad28c41867

SHA256
56632bd650aca56d077bd6ad20b0db1b34968ff90dcbeb083cf4cd1b6f80cdba

SHA512
054cf51780ddfa128a66ca1ea46a5927a2c4cf27794079902c5907ff0f0bd9792d3c22663888efea7436613ff162aa36a822b71cfed47e1e45082a7d5fb2930c

Download Submit
\??\c:\killme.bat

Filesize
131B

MD5
0266616df4ad9da3081cb44c4968eaef

SHA1
4f5044a5c9fbfec9e640fae269e211c58d821f20

SHA256
b53cc7ff24228c464878cc2159411cb9c9ba21466a98c49623e466b98d2c24f6

SHA512
3f9f1730af1c928b3307ad39f9364e08b8bc9592ba70966227cee64e5754c2ca60094e6d6ba413d970282d70d6d13431a254d5b9441ae184132738efd8a1642b

Download Submit