873b3f4e9bcdf5c69e3928012df2b4d5fb94cb964f89ba842bdeb575178e031b

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ghosty Permanent Spoofer/server/EmuAuth/EmuAuth.xml
Size

7KB
MD5

72dd431cf325ada32e9560ddb65a659e
SHA1

12e726f8f3c9721fcc18946c0908b17bf1f18997
SHA256

503307a798fd4b15280f619f66117b7d99887f9c159b1d90e540bdce6c5fe3d9
SHA512

83e35b1fec8ef8445f4c652becf207b3cff445b87c5b32761442a3d176c5e9de7e618626ef77e9b34cbf4b5cd8dfd1e23bff6e8cdbe43aaec7e9e90f7a6cfd5d
SSDEEP

96:Z0/zcpU1fNOw7FO7bw7aOL2YyaLbyaLMyaL6yaLDmzA7/ePPcrAf/eWPcKfA7/ep:e/zcmls4hN/YPce/JPct/gPcL/xPcn

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000090251bfad2fc5b47b008bea1bdf0692b00000000020000000000106600000001000020000000f2c7615e428a08321a5765a84c64e4329b1324abe506c7d04886c07155c6e43b000000000e8000000002000020000000a30a12c89a754e3697ec33afc79bd964ae26b22d758488c57df17ec161ddf1cb2000000031574f91419dd2875a4c894503d4c767c6533f7bb23a6cf8b3f65ffceb6506a0400000001c0cef5e23078da32367f9cc5a50eaf7766bb5e07f660a610a49de47a33ad376dfd716a6aad5543d0692e184ffd306901f13cc82a374f614ac81c03a12736ed5	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000090251bfad2fc5b47b008bea1bdf0692b00000000020000000000106600000001000020000000b3fdbfefcc9e5df50f6e9e4c8fdbb44657c60c9766378a7addb7cad078f8b113000000000e8000000002000020000000fdf252c2d5c3837df6aebd4992118b43c5d2c8676fc5c7acd5b88d5eea63e2029000000060046d9d8ad8a6acee9390107dbf805b96fb37b2d072846c591875fa70c8d170dfc5f584fe71074a04ca3aa1af5f622c1ba43dc8e53105c0041cc422496403df4ef5fd55e3f54d2741ea1756bc85ca1c9db41793ab7c9a5de5218e0707bc498ca1ce2997740ed56377c337e34b25bd9c7afb8f13f2f1b29c40edd0062fc62516ec1d9c54a9f89bb139af0342b1d86a1840000000ac495f9d4423346a4527ad09b489b0476f07ee2016733df5178d89a70b2531fc30eda3cc176d1b02c66147e39d3501b35100e768e4d66cd70492be62907d54d3	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442451003"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{32ADE521-CD47-11EF-8DAE-C28ADB222BBA} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30202a075461db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2384	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2384	IEXPLORE.EXE
2384	IEXPLORE.EXE
2896	IEXPLORE.EXE
2896	IEXPLORE.EXE
2896	IEXPLORE.EXE
2896	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2208	2760	MSOXMLED.EXE	30
PID 2760 wrote to memory of 2208	2760	MSOXMLED.EXE	30
PID 2760 wrote to memory of 2208	2760	MSOXMLED.EXE	30
PID 2760 wrote to memory of 2208	2760	MSOXMLED.EXE	30
PID 2208 wrote to memory of 2384	2208	iexplore.exe	31
PID 2208 wrote to memory of 2384	2208	iexplore.exe	31
PID 2208 wrote to memory of 2384	2208	iexplore.exe	31
PID 2208 wrote to memory of 2384	2208	iexplore.exe	31
PID 2384 wrote to memory of 2896	2384	IEXPLORE.EXE	32
PID 2384 wrote to memory of 2896	2384	IEXPLORE.EXE	32
PID 2384 wrote to memory of 2896	2384	IEXPLORE.EXE	32
PID 2384 wrote to memory of 2896	2384	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Ghosty Permanent Spoofer\server\EmuAuth\EmuAuth.xml"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2384 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
957316860790de4a9621e93138132bbb

SHA1
e6825c28bef981f5b06d1d7495a699f3fea4e56a

SHA256
e4b1f023c73832fd5b913c67dfec025d8be23538f3e8d5d22f347275ee2c6b46

SHA512
6165ff9cac15cdded277c8cd22f93ab1acd4da61800dd51482b4a450c48900415634ebbb2076d5111fce7bf097ba9054964ed3f66cebe626f0254e0f460f91c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d04254ca064e4b9f90f3dac21ba175e

SHA1
e22bfec4b8c86afea49cc4c78fd71a5c4ec392c3

SHA256
6f05c61fd7b15112c4fafbae0d2501dd54c863820009f32b9a63f87b5fb76b44

SHA512
ebbba23717c27412602b1d5362047a45995542ec4e8113d1409a54130e1689f1f610752630cdde372ca72eaa5d0a1e3f9b6db5e057c18f786a6ccd2342af082c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
904eeb1607bc9bd131b9bef610dfbe17

SHA1
926df2416cba3132ba90da75124b7591f6be6337

SHA256
ce37fbedf8c9abe9c2795e04e32b303a92faf59d90cf61fdb61b3ba094ca2b2b

SHA512
0376b4803ae419c746681009a41c84492373624f995219b902f8882cd8222037a72b9ee69fa56556820a37b910248d2a675bbd8c0294756cea941f121930061d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d6700bb9921bd7b849f7d362a86519d

SHA1
2ec141f354ad2c5a5ffa76bbe6286e854c895eab

SHA256
8c073160197a158abcc70776ac50646384a1b26a9578dc0af7a51ff9a8e75aa1

SHA512
8a08147622a9f179b7718044984677c59185c0db3cd4671c864afdbdcc16612b52749d9f3eb656ef1a1683ba92721f7113e9100c0a9e4814695bcf3e451219cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea668582720a0dd315f3c6e368227265

SHA1
c89569a91eee0a061de8d5cfbe07e88c77966710

SHA256
ede052b4c240b4720d15fd040cd57fec5b828e2f04e26de9505be408eff15f60

SHA512
77c04dace98d3395c502956dd407372ba7780e228189f305ab0fc2182bea7a22f3399f6015705582cdc9550e0dcc695ceb652dba186a7346c4b62e83dbb0d6b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60dc9d4950f9c5bd38f3b56a22904b17

SHA1
4e27a132223450141c6c0a90c05439c0e59127e4

SHA256
9fd6de23e04a2254553ac2e0db227bc7d62c6454183c2b40c7eff791a8eda419

SHA512
be82a5d49a7387a7fb5d4ceba0f74ae9b7a5e2e7c7fe2937b875dc3461db91e3d13f706719bc0e359938ad5bddfd1ecc4be529ba89938290880908ed674e8d86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d663087c06ce1ff31ebbb150bb403351

SHA1
48e65801f1280cf9c51f4a8795b9cd71af135d83

SHA256
539f0a07521b938253767672619305edbae9ddf6a494e5e9cd30fea67c17a496

SHA512
1200ce45a29716b57276f0bf2361c46336561a96babd52c95ff0b220bdac1294a7997e363b0be7082ddf4785fa790d969108099dcdcf77a399b3194510dac6d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3861a721d0433cad06a3013314a17959

SHA1
6fb22196c04e9acc5adaa42b674909e8ba7d412c

SHA256
05cb12a5436181d1bab4548e0830f8152af3a1e502c64d34817ae69157cc9c78

SHA512
66f6e5c5b9412996f5671271147f5bde2f3328ed412dda35226bae3de1f94fee4cd6687c3adfec904590ad7b939d23727ff83286c2dd1c2acc0fa0a524c3a1d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86c01f0380682f1fa879dc491eefadc8

SHA1
b0815ac15aca45e21ad1f32c4ce8f2e1dc67c4ae

SHA256
7dab62af28993ad824c424b7dec69a9b7aa37daf858218766ff7fe6ec4741dfa

SHA512
f6989b016802f8e7516169f325c3f95f69d7722ac47287cfe7ada860b13ec0b5e734dfe90604de215c105d86217692fbb4210ff62ce989af084a38156889fe90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab64FB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar656D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit