Analysis Overview
SHA256
2834a96c7b3f15e3d22b8f3b507874a6c281592096023c3ff28bc5ec3f0e4286
Threat Level: Likely malicious
The file ghost.zip was found to be: Likely malicious.
Malicious Activity Summary
CryptOne packer
Maps connected drives based on registry
Enumerates connected drives
Writes to the Master Boot Record (MBR)
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-04 16:26
Signatures
CryptOne packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral14
Detonation Overview
Submitted
2024-09-04 16:26
Reported
2024-09-04 16:29
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\ghstwarn.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 52.111.229.43:443 | tcp | |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-04 16:26
Reported
2024-09-04 16:29
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
142s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\GHOSTERR.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-09-04 16:26
Reported
2024-09-04 16:29
Platform
win7-20240729-en
Max time kernel
16s
Max time network
17s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost32.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost32.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost32.exe
"C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost32.exe"
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-09-04 16:26
Reported
2024-09-04 16:29
Platform
win10v2004-20240802-en
Max time kernel
95s
Max time network
130s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost32.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost32.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost32.exe
"C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-09-04 16:26
Reported
2024-09-04 16:29
Platform
win7-20240903-en
Max time kernel
15s
Max time network
17s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost64.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost64.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost64.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost64.exe
"C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost64.exe"
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-09-04 16:26
Reported
2024-09-04 16:29
Platform
win10v2004-20240802-en
Max time kernel
125s
Max time network
127s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp64.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp64.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp64.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp64.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp64.exe | N/A |
Enumerates physical storage devices
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp64.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp64.exe
"C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp64.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3928,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=3676 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.173.79.40.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-09-04 16:26
Reported
2024-09-04 16:29
Platform
win10v2004-20240802-en
Max time kernel
94s
Max time network
152s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\ghost32.dmp"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-09-04 16:26
Reported
2024-09-04 16:29
Platform
win7-20240903-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe | N/A |
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe
"C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe"
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-09-04 16:26
Reported
2024-09-04 16:29
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
138s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe | N/A |
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe
"C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-04 16:26
Reported
2024-09-04 16:29
Platform
win7-20240903-en
Max time kernel
81s
Max time network
19s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\GHOSTERR.txt"
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-09-04 16:26
Reported
2024-09-04 16:29
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
129s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost64.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost64.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost64.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost64.exe
"C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghost64.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-09-04 16:26
Reported
2024-09-04 16:29
Platform
win7-20240903-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp64.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp64.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp64.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp64.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp64.exe | N/A |
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp64.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp64.exe
"C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\Ghostexp64.exe"
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-09-04 16:26
Reported
2024-09-04 16:29
Platform
win7-20240903-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\dmp_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\dmp_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\.dmp | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\.dmp\ = "dmp_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\dmp_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\dmp_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\dmp_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\dmp_auto_file | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1800 wrote to memory of 1892 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1800 wrote to memory of 1892 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1800 wrote to memory of 1892 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1892 wrote to memory of 3024 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1892 wrote to memory of 3024 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1892 wrote to memory of 3024 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1892 wrote to memory of 3024 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\ghost32.dmp"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\ghost32.dmp
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\ghost32.dmp"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 1db3fd5b7fe32d377297c141c0cfbae4 |
| SHA1 | 032cb17d8f9aa60fb65f100a002962eb9e908c1f |
| SHA256 | 2d2159b32f7ef96c6170e08eca6b14eb2c22ddd4a997a4adf4779eb15b336c49 |
| SHA512 | 2693b5baf40690ca3b2b2f72816932f447b783d8497c55af45ff7a384c5fd5a9f6ff87c3e996a71093c19781e5892bd2e6014524c69b5bbbfabbae937fa30865 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-09-04 16:26
Reported
2024-09-04 16:29
Platform
win7-20240903-en
Max time kernel
10s
Max time network
15s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Norton Ghost 12 + Ghost Explorer 2013 (x32-x64) Portable [ENDO]\ghstwarn.txt"