Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-09-2024 16:26

General

  • Target

    Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]/ghost32.dmp

  • Size

    37KB

  • MD5

    1e65f742f373d8b5c44c6f2bc6969feb

  • SHA1

    aa9fa87f556a84ecdcfcd606e886137d6f799a02

  • SHA256

    ef9f89dc751847e49270fc64c1aff174aa78771215e17b98352ae34fa66e4c2d

  • SHA512

    36f1e74b9bacc42f979970f115af788b0efed73e02948b92c2e3bd9be9e7449b247d0b9ec66df068e1314fad8d1f9909c7097dc125f64d84d399d45b06f6d590

  • SSDEEP

    384:+T8+e1Mm5lLIO9QQbEePCH4ySZw5zSX7570sbga5pHB1xyj60tcu81:+T8n5lEOjCHkeCIRKpD8j60ti1

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\ghost32.dmp"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\ghost32.dmp
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1892
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\ghost32.dmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:3024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    1db3fd5b7fe32d377297c141c0cfbae4

    SHA1

    032cb17d8f9aa60fb65f100a002962eb9e908c1f

    SHA256

    2d2159b32f7ef96c6170e08eca6b14eb2c22ddd4a997a4adf4779eb15b336c49

    SHA512

    2693b5baf40690ca3b2b2f72816932f447b783d8497c55af45ff7a384c5fd5a9f6ff87c3e996a71093c19781e5892bd2e6014524c69b5bbbfabbae937fa30865