Overview

Score | Task | Platform
10 | Static | -
10 | Ghost+Stealer.zip | windows7-x64
1 | Ghost+Stealer.zip | windows10-2004-x64
1 | Ghost Stea...xe.xml | windows7-x64
3 | Ghost Stea...xe.xml | windows10-2004-x64
1 | Ghost Stea...er.pdb | windows7-x64
3 | Ghost Stea...er.pdb | windows10-2004-x64
3 | Ghost Stea...st.exe | windows7-x64
1 | Ghost Stea...st.exe | windows10-2004-x64
6 | Ghost Stea...st.exe | windows7-x64
10 | Ghost Stea...st.exe | windows10-2004-x64
10 | Ghost Stea...ib.dll | windows7-x64
1 | Ghost Stea...ib.dll | windows10-2004-x64
1 | Ghost Stea...ub.exe | windows7-x64
3 | Ghost Stea...ub.exe | windows10-2004-x64
10 | Ghost Stea...config | windows7-x64
3 | Ghost Stea...config | windows10-2004-x64
Analysis (score 3)

max time kernel: 34s
max time network: 16s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 03/09/2024, 03:42
Behavioral tasks

behavioral1: Sample Ghost+Stealer.zip; Resource win7-20240708-en
behavioral2: Sample Ghost+Stealer.zip; Resource win10v2004-20240802-en
behavioral3: Sample Ghost Stealer/Ghost.builder.exe.xml; Resource win7-20240704-en
behavioral4: Sample Ghost Stealer/Ghost.builder.exe.xml; Resource win10v2004-20240802-en
behavioral5: Sample Ghost Stealer/Ghost.builder.pdb; Resource win7-20240708-en
behavioral6: Sample Ghost Stealer/Ghost.builder.pdb; Resource win10v2004-20240802-en
behavioral7: Sample Ghost Stealer/Ghost.exe; Resource win7-20240708-en
behavioral8: Sample Ghost Stealer/Ghost.exe; Resource win10v2004-20240802-en
behavioral9: Sample Ghost Stealer/Ghost.exe; Resource win7-20240708-en
behavioral10: Sample Ghost Stealer/Ghost.exe; Resource win10v2004-20240802-en
behavioral11: Sample Ghost Stealer/ResourceLib.dll; Resource win7-20240705-en
behavioral12: Sample Ghost Stealer/ResourceLib.dll; Resource win10v2004-20240802-en
behavioral13: Sample Ghost Stealer/Stub/stub.exe; Resource win7-20240704-en
behavioral14: Sample Ghost Stealer/Stub/stub.exe; Resource win10v2004-20240802-en
behavioral15: Sample Ghost Stealer/Stub/stub.exe.config; Resource win7-20240708-en
behavioral16: Sample Ghost Stealer/Stub/stub.exe.config; Resource win10v2004-20240802-en
General

Target: Ghost Stealer/Ghost.builder.pdb
Size: 113KB
MD5: 9923a8c48c0375680cd8f34fb9a6b8d0
SHA1: d1e8cf4fbfa19bf86e3877a641e8e3f2582d95c6
SHA256: 58f1ca3f7165b0688db2cbf2ec91c0df5dacb43ee03fcd9ddd2a500d162e6899
SHA512: ac0222ec40f5fc62007314ef5e387a0c60743305b50b43d34c56eaad8fbe9210847206067f7ea0f5eede0be6dd5a0729ce4477fa367557b10b5017c721222c04
SSDEEP: 1536:1QAYHXpGuF9AVm6XDAUpT+tq91M/ihARY+C3QA:uHBF9AdTAU8AhARY
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe

Modifies registry class (9 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pdb_auto_file\shell\Read\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pdb_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pdb_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pdb_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.pdb | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pdb_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pdb_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.pdb\ = "pdb_auto_file" | rundll32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2368 | AcroRd32.exe
  2368 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1700 wrote to memory of 1976 | 1700 | cmd.exe | 31
  PID 1700 wrote to memory of 1976 | 1700 | cmd.exe | 31
  PID 1700 wrote to memory of 1976 | 1700 | cmd.exe | 31
  PID 1976 wrote to memory of 2368 | 1976 | rundll32.exe | 32
  PID 1976 wrote to memory of 2368 | 1976 | rundll32.exe | 32
  PID 1976 wrote to memory of 2368 | 1976 | rundll32.exe | 32
  PID 1976 wrote to memory of 2368 | 1976 | rundll32.exe | 32
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Ghost Stealer\Ghost.builder.pdb"
   PID: 1700
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ghost Stealer\Ghost.builder.pdb
      PID: 1976
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Ghost Stealer\Ghost.builder.pdb"
         PID: 2368
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: aca3ff2c94991e80f95fd9641e084495
SHA1: 99df2813e2d189752284861748f0c38c0b99906a
SHA256: 1d539b84c24a25a850a324fba179109ce3afc2ec534a9412b06b925b581db9c9
SHA512: 7533faa10f7c4d33f5d97d3e04f1a0b675a7200969831cd5687e2c5170f3d3d3decc5150b00f84a0c68bb70a0dd63b2e14488cb3de34e83c41c445ca0ca0be50