Analysis
-
max time kernel
508s -
max time network
509s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
19-07-2024 17:51
Errors
General
-
Target
Ghostpress.zip
-
Size
7.3MB
-
MD5
4a2fe69e24454bc45cdf7cb4c5d16614
-
SHA1
3acf8e808f003f8f62b8a8b90afa4ab3238aaa17
-
SHA256
bba117558703b80e9e3dec401f3de3989b8ce720e4f5fe07e82a253be6e129fb
-
SHA512
23dc963a9e245037d757070f52809f7b6c865f612e1c5803f3f07ac92eec4f7398d40b682de1e076b7ea7a2d42df98d297d5f6c0f6d9c5fdfccb3d2b1c14dc35
-
SSDEEP
196608:g9fiuy15gdcTpiC6gvxd64f8goVib6yTJXggVKPOJ9:4fiuyCGsC6s3f8Pc1QgV689
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 17 IoCs
-
Checks BIOS information in registry 2 TTPs 24 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 32 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 34 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 37 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Ghostpress.zip1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\Ghostpress.exe"C:\Users\Admin\Desktop\Ghostpress.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Event Triggered Execution: Image File Execution Options Injection
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Query /TN Ghostpress_SkipUAC_4EE9CE50356D01809D0E4F8C1E96CBB82⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Ghostpress_SkipUAC_4EE9CE50356D01809D0E4F8C1E96CBB8" /xml "C:\Users\Admin\Desktop\Ghostpress_Data\SkipUAC.xml"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Query /TN Ghostpress_SkipUAC_4EE9CE50356D01809D0E4F8C1E96CBB82⤵
-
-
C:\Users\Admin\Desktop\Ghostpress.exe"C:\Users\Admin\Desktop\Ghostpress.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Event Triggered Execution: Image File Execution Options Injection
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Query /TN Ghostpress_SkipUAC_4EE9CE50356D01809D0E4F8C1E96CBB83⤵
-
-
C:\Users\Admin\Desktop\Ghostpress.exe"C:\Users\Admin\Desktop\Ghostpress.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Event Triggered Execution: Image File Execution Options Injection
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Query /TN Ghostpress_SkipUAC_4EE9CE50356D01809D0E4F8C1E96CBB84⤵
-
-
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\Help.pdf"1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7A26F1EE648353E469E77E8437530DDF --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=158028CCC663F0C08A62369AB0656A84 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=158028CCC663F0C08A62369AB0656A84 --renderer-client-id=2 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:13⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B500B0D8C555F2F6D467C99332FFB9C8 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D6D69999C2380946F5CC2939046836DF --mojo-platform-channel-handle=1976 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3166B05BD8BDF4666DDBE3F681C99FF1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3166B05BD8BDF4666DDBE3F681C99FF1 --renderer-client-id=6 --mojo-platform-channel-handle=2448 --allow-no-sandbox-job /prefetch:13⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=937EF6C5C7ADAEBB44E109489DAB98C4 --mojo-platform-channel-handle=2716 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
-
-
C:\Users\Admin\Desktop\Ghostpress.exe"C:\Users\Admin\Desktop\Ghostpress.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Event Triggered Execution: Image File Execution Options Injection
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Query /TN Ghostpress_SkipUAC_4EE9CE50356D01809D0E4F8C1E96CBB82⤵
-
-
C:\Users\Admin\Desktop\Ghostpress.exe"C:\Users\Admin\Desktop\Ghostpress.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Event Triggered Execution: Image File Execution Options Injection
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Query /TN Ghostpress_SkipUAC_4EE9CE50356D01809D0E4F8C1E96CBB83⤵
-
-
C:\Users\Admin\Desktop\Ghostpress.exe"C:\Users\Admin\Desktop\Ghostpress.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Event Triggered Execution: Image File Execution Options Injection
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Query /TN Ghostpress_SkipUAC_4EE9CE50356D01809D0E4F8C1E96CBB84⤵
-
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Error.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Ghostpress.exe"C:\Users\Admin\Desktop\Ghostpress.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Event Triggered Execution: Image File Execution Options Injection
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Query /TN Ghostpress_SkipUAC_4EE9CE50356D01809D0E4F8C1E96CBB82⤵
-
-
C:\Users\Admin\Desktop\Ghostpress.exe"C:\Users\Admin\Desktop\Ghostpress.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Event Triggered Execution: Image File Execution Options Injection
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Query /TN Ghostpress_SkipUAC_4EE9CE50356D01809D0E4F8C1E96CBB83⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Ghostpress_Data\Reset All.cmd" "1⤵
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 52⤵
- Runs ping.exe
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Ghostpress_Data\Lang\EN.ini1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Ghostpress_Data\Reset Setup.cmd" "1⤵
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 52⤵
- Runs ping.exe
-
-
C:\Users\Admin\Desktop\Ghostpress.exe"C:\Users\Admin\Desktop\Ghostpress.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Event Triggered Execution: Image File Execution Options Injection
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Query /TN Ghostpress_SkipUAC_4EE9CE50356D01809D0E4F8C1E96CBB82⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Ghostpress_SkipUAC_4EE9CE50356D01809D0E4F8C1E96CBB8" /xml "C:\Users\Admin\Desktop\Ghostpress_Data\SkipUAC.xml"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Query /TN Ghostpress_SkipUAC_4EE9CE50356D01809D0E4F8C1E96CBB82⤵
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x328 0x4ac1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa38e7055 /state1:0x41c64e6d1⤵
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Ghostpress.exeC:\Users\Admin\Desktop\Ghostpress.exe utilman.exe /debug1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Event Triggered Execution: Image File Execution Options Injection
- Checks BIOS information in registry
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Query /TN Ghostpress_SkipUAC_4EE9CE50356D01809D0E4F8C1E96CBB82⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Query /TN Ghostpress_SkipUAC_4EE9CE50356D01809D0E4F8C1E96CBB82⤵
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Users\Admin\Desktop\Ghostpress.exeC:\Users\Admin\Desktop\Ghostpress.exe utilman.exe /debug1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Event Triggered Execution: Image File Execution Options Injection
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\Utilman.exe"C:\Windows\System32\Utilman.exe"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Desktop\Ghostpress.exeC:\Users\Admin\Desktop\Ghostpress.exe utilman.exe /debug1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Event Triggered Execution: Image File Execution Options Injection
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\Utilman.exe"C:\Windows\System32\Utilman.exe"2⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Accessibility Features
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Accessibility Features
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
217KB
MD551793b9c4164a2e17c437d5e4c517e85
SHA1c09e3237dbb433ff0a5e3bb912e67a214f0f139d
SHA2569665b41b23b9dec32a483531f3fb09f9d311a1b8060c4abfb20cfb0e8eb9b34a
SHA5126e2e8f5d467bc0a5ca226139a238844cc1c41f18c98fcdbe809aa83df7da69a629b549b8503cad2d7e50784b04527f33cf6c4f3e60434a394abca25fb2fd463c
-
Filesize
64KB
MD53490ed9183f61dceed2a1ab19bdc6e24
SHA1646b9ff4af148516577fc185b6d6c987d91b88a5
SHA2561819fe2c63d3cc1f56ad3a4b0806e2dd0aa747e9e03ddec3bcb21e78dbd14d55
SHA512c078a88d5226a4ff5425bdb92c3190b3b36fc6af34b876c6db273207c8999d5c1036a8abadb2d630dbe4183301628a9d7ac49eb2586e8804f08e8a3995be8f07
-
Filesize
36KB
MD5b30d3becc8731792523d599d949e63f5
SHA119350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
Filesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
Filesize
1KB
MD55772429ccc0bed603acd01dfefe03c32
SHA1e91b4b1656373eb24c954aa518d2ae42af61299a
SHA25664538fa06bd1ec8ed6a764bd50101473311af527fa0ed9bcef9ce5a7ce740eaa
SHA512bd18570e660c783b000b1656d62387b5af2dfd5014cbe77f347388532f50972a5fe0e18c6727602a5366cc566ff436c92cb87dc2ab90cde882195fd79ecedf75
-
Filesize
2KB
MD52bda3f4f3393b251a5ef3c2208e42141
SHA12ce8a7022e01aaf3d07407f2a7f93c2fc3c80538
SHA2563a5708d4e004b6b10c71d95d04f162117b034987114d5f1e17e00e25823e09ea
SHA512ceaa8a6da48a9c95079f43ddf97236c3059842de4b5839a189cbda7852b27fa2acb1cff9835e5412157e4864101e3ba49321b8df07541835d48047c133c239b5
-
Filesize
2KB
MD51e45e6d49d7f6e37a7b6da9be953b7e8
SHA1794f192e90e431838ffa5d06d220f74b2f8cc7e9
SHA2567f61421b4798822f08743b1603c3c6ea655d06d2b8176a23cf877af80fa89349
SHA5128cc4b4c9a55bf4981a6d0973dcc563315dfea95f2b10a1d20c2d407ef8466fa761acd670c05a598c0565fffb1c5abcfe1391e135257798cc598583b1bce119ca
-
Filesize
2KB
MD583a1de2092097f94f74765badf0521b4
SHA1c91ee5ca89bb107f60c0b25bab1679d9ce696c03
SHA25622b267c05e7cea1ce56cc9a95c6025759faa06b2512fab0886e38bf8af853c2c
SHA512f2b79222535c5d86435a48147d40ea2331a378d9fb4e736468922765a5e7f002735e774f935a8954783c7f156cc0393f8e38d7e54d8c3929c99cd3bb60881ef9
-
Filesize
2KB
MD5f361c9c6277a8efeaaffd3b3151d6899
SHA1c93c18f0b06fa884c6efca0c5dc6b37973eaf887
SHA2562549b21a295668a33f5ee20e331814d1cafefd8714bdb43edd4435be3d959444
SHA512e181e8591e1b995f348a907418686ee13d58fd7a44fcf611eee7d215e59e88cd4ac4ec5f295dd1eb7084e1406d93285886f39f64e72009d35c46c1976b76fb11
-
Filesize
2KB
MD53eb9e7d8e4886dec6d51a87d90f79f13
SHA1aff01fc9a5a27ac00137ba47db946fbaf676b7f0
SHA25665f1e757b3c8e6f2f3900862a457a456acdf6211a14ccf155f0d72efb3db3256
SHA5122b6c4f4714e63fba60849828d459845d3d1af7873c0b689fcc14f948009939bb1d5ac88d5affea6d8364b5de17c8b45c1a16ca25d99934d5dc0bce4d21d1e449
-
Filesize
59B
MD5509b80669ec8fea446be1ff534492b7c
SHA1d2f30684a8cf3df28c5d348c54a5917658e65ee9
SHA25636b7ef263e9ad90cc78779da00341343f179bc3c63bf7c5776c13f5469d850d1
SHA5124652efb4b8633ffeaaac784696b75b9a3dbb811373764e34c073c21b03a64d061c193938bdb2cf565cc9f59660c2b540c7cece94d61d7b6292e7edef35b88df7
-
Filesize
317B
MD55eb4f9aa9c1814c5872ce6ec24a2fa8a
SHA15dd081a74704b81b48c5f8be82044a75cb99d1b4
SHA256216578bc0d2025d96bfe7074adc1a4f1be4fae0fdb0e36eb7e50fc905624cf07
SHA512f54d61faa9749ef65085aedec915ae34823bea0f7c6fa670c1ba534e915aa275d9d48c6f34a91011b5b4ffee01140088a39d398a9c8d3ce1e29de379f566dc3c
-
Filesize
32B
MD59de92b314e476fce3374a6cfa8750547
SHA1e440234e4ba68a5305867225ca8effe7668eda38
SHA256722f593bc99a24926fea364dcb008201ecb449ff3abc0cd499c7ae54ad41c03d
SHA512edb7dc9a55b2dbb8ca84aff479bdd906e65d7ca370106487a711b628f00a7a8c0667dae01c9190d9873fb9faabcd1be068f72428fd212674c81b241fa6357cf6
-
Filesize
1KB
MD512a37509ce8c98eca61b23b49cbdcf97
SHA17c4d731e45121690f52cbb7367733af53b8e6076
SHA256c6a44b8a0e62d5fafb0a2843ff35325bce893b9687330b26cf97eb96d2ae1ac2
SHA512ee33b4a8a86de4a71640b27656b83ecedd9649c086d5bc1f67c671e6605e7c83036ada6dd6f8c6ef3b512de256378e258ceea4aa893c91d572eeb8b9abe3e147
-
Filesize
1024KB
MD5c920545c3f09db05b073a340cf381111
SHA1dd4273dcc658ee199864ca380c580b5ab9f5d59a
SHA25647e77251dba577610bb44c7aa43e563fa8dfac918ed2991c47c891f9933b78fc
SHA51245f96ae04c5d93068c91ec27809a0187846d38210af1cb077a5e57bec6f488aff0ce055bc0666e12aced8d4ed4488bad7e1ed09e052a6d9d158d8a5b04f74f66
-
Filesize
7KB
MD5cdb220d9e42198d9f6bd73d1fc32aa62
SHA12fc56bb43d660bedab616150f1fc38dc5b43f2a4
SHA2567dfcfda5f0aac7b9651cdc9b090a8d6e4ff67d0ba489dc5457c960dae2ca3d49
SHA512011a6958e3523c6ef174448c5effa5be0e19d52dc92815fb6e97de4a66b770beeb8ee604a32b14b73d1ba6224a6436aa56e3023e8d255c9be2447a6e7d5db8ad
-
Filesize
24B
MD5ae6fbded57f9f7d048b95468ddee47ca
SHA1c4473ea845be2fb5d28a61efd72f19d74d5fc82e
SHA256d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9
SHA512f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3
-
Filesize
7KB
MD5aebbfb533812b2ec5a06d8b35196b3ca
SHA1364965c615f6b33637392fe82d798db3256d0fbf
SHA256c537fd6e5304547fec71ae2cf6ca0d1d215b91c50420a624d7f4cde806918eba
SHA51251cf1c24470d578d61290d53f7af4bc431c302558268ff200f60d30c8c06bcb700834e594fbd22dd6117937516da94a585149916cbc181ed3f58d2c997d3dcde
-
Filesize
940B
MD5d7c52d93a20705af45b6b6a8a178c5fb
SHA1046dc92d67924adce7ddedaa053083e085315836
SHA256e7b8d5dcdf6042853c936c61306bf76ea984107d5615ae7f482d03949d0c42ad
SHA512dfb63f13c2e0e1879ce2c17e729d6ab776a2f58f81ce66c74338e49912a465d972914b4daf8b7ef59040573255708572d16c71db8d488ceac84b07a27dc2d7c6
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
408KB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
960KB
-
Filesize
17.2MB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
17.2MB
-
Filesize
960KB
-
Filesize
4KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
4KB
-
Filesize
17.2MB
-
Filesize
1.5MB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
184KB
-
Filesize
344KB
-
Filesize
960KB
-
Filesize
17.2MB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
