GGH[.]exe | Triage

Sharing

General

Target

GGH.exe
Size

92KB
MD5

187085f60a15d78358d268cf183367e6
SHA1

1e13b0fc5b939e8083963abffda959c33475d161
SHA256

d223d35d360566205c14a9175d5856a63adaf7464c728526b22baee6e9388018
SHA512

52d003c0c257646ae15341f740a4bb5aea2445f796957b8fd7abaa19b0ca612bf2f2fcdf34adc99bfb820e2d6569a0dbb7f7bf0842b6fc6ea534e72c0d816ed9
SSDEEP

1536:mBwl+KXpsqN5vlwWYyhY9S4AOHYncfbfTLY+7L+v7/Nthwydlfssi:Qw+asqN5aW/hL+YnGbLY+GzPqyd5

Score

10^/10

Malware Config

Signatures

Detects win.dharma. 1 IoCs

Processes:

resource yara_rule

sample win_dharma_auto

Identifies DHARMA ransomware 4 IoCs

Processes:

resource	yara_rule
sample	Windows_Ransomware_Dharma_aa5eefed
sample	Windows_Ransomware_Dharma_b31cac3f
sample	Windows_Ransomware_Dharma_e9319e4a
sample	Windows_Ransomware_Dharma_942142e3

Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

GGH.exe

Files

GGH.exe
.exe windows:5 windows x86 arch:x86

f86dec4a80961955a89e7ed62046cc0e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\crysis\Release\PDB\payload.pdb

Imports

kernel32

GetProcAddress
LoadLibraryA
WaitForSingleObject
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
GetLastError
EnterCriticalSection
ReleaseMutex
CloseHandle

Sections

.text
Size: 39KB - Virtual size: 39KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 42KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE