Analysis
Max time kernel: 119s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 04-09-2024 16:26
Behavioral tasks

Task          Sample                                                                              Resource
behavioral1   Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]/GHOSTERR.txt        win7-20240903-en
behavioral2   Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]/GHOSTERR.txt        win10v2004-20240802-en
behavioral3   Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]/Ghost32.exe         win7-20240729-en
behavioral4   Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]/Ghost32.exe         win10v2004-20240802-en
behavioral5   Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]/Ghost64.exe         win7-20240903-en
behavioral6   Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]/Ghost64.exe         win10v2004-20240802-en
behavioral7   Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]/Ghostexp.exe        win7-20240903-en
behavioral8   Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]/Ghostexp.exe        win10v2004-20240802-en
behavioral9   Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]/Ghostexp64.exe      win7-20240903-en
behavioral10  Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]/Ghostexp64.exe      win10v2004-20240802-en
behavioral11  Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]/ghost32.dmp         win7-20240903-en
behavioral12  Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]/ghost32.dmp         win10v2004-20240802-en
behavioral13  Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]/ghstwarn.txt        win7-20240903-en
behavioral14  Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]/ghstwarn.txt        win10v2004-20240802-en
General

Target: Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]/ghost32.dmp
Size: 37KB
MD5: 1e65f742f373d8b5c44c6f2bc6969feb
SHA1: aa9fa87f556a84ecdcfcd606e886137d6f799a02
SHA256: ef9f89dc751847e49270fc64c1aff174aa78771215e17b98352ae34fa66e4c2d
SHA512: 36f1e74b9bacc42f979970f115af788b0efed73e02948b92c2e3bd9be9e7449b247d0b9ec66df068e1314fad8d1f9909c7097dc125f64d84d399d45b06f6d590
SSDEEP: 384:+T8+e1Mm5lLIO9QQbEePCH4ySZw5zSX7570sbga5pHB1xyj60tcu81:+T8n5lEOjCHkeCIRKpD8j60ti1
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    Description | IoC | Process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe

Modifies registry class (9 IoCs)
  Processes:
    Description | IoC | Process
    Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\dmp_auto_file\shell\Read | rundll32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\dmp_auto_file\ | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\.dmp | rundll32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\.dmp\ = "dmp_auto_file" | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\dmp_auto_file\shell | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\dmp_auto_file\shell\Read\command | rundll32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\dmp_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\dmp_auto_file | rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    PID | Process
    3024 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    PID | Process
    3024 | AcroRd32.exe
    3024 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    Description | PID | Process | Target process
    PID 1800 wrote to memory of 1892 | 1800 | cmd.exe | rundll32.exe
    PID 1800 wrote to memory of 1892 | 1800 | cmd.exe | rundll32.exe
    PID 1800 wrote to memory of 1892 | 1800 | cmd.exe | rundll32.exe
    PID 1892 wrote to memory of 3024 | 1892 | rundll32.exe | AcroRd32.exe
    PID 1892 wrote to memory of 3024 | 1892 | rundll32.exe | AcroRd32.exe
    PID 1892 wrote to memory of 3024 | 1892 | rundll32.exe | AcroRd32.exe
    PID 1892 wrote to memory of 3024 | 1892 | rundll32.exe | AcroRd32.exe
Processes

Level 1: C:\Windows\system32\cmd.exe (PID 1800)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\ghost32.dmp"
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\system32\rundll32.exe (PID 1892)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\ghost32.dmp
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 3024)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\ghost32.dmp"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: 1db3fd5b7fe32d377297c141c0cfbae4
SHA1: 032cb17d8f9aa60fb65f100a002962eb9e908c1f
SHA256: 2d2159b32f7ef96c6170e08eca6b14eb2c22ddd4a997a4adf4779eb15b336c49
SHA512: 2693b5baf40690ca3b2b2f72816932f447b783d8497c55af45ff7a384c5fd5a9f6ff87c3e996a71093c19781e5892bd2e6014524c69b5bbbfabbae937fa30865