File name:

Ghost32+64.exe

Full analysis: https://app.any.run/tasks/6966c382-64e8-46de-99df-a3c10aac6520
Verdict: Malicious activity
Analysis date: October 21, 2023, 00:02:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

8C2E5F2ABAB4226A67FFA2A427F83778

SHA1:

C89E97233994353D72C04CA8CB39C59C32603CAB

SHA256:

632E9012576EB6034197E8DFE5E4F068FCC749DED8602A5037E985A6470C6CF1

SSDEEP:

98304:Vm4tNqStfmTHiDxh+k1KOsMqLrK/3pQC6fO5iBxIHlfHzVEKQwlpdyzj6dh85uRp:BfGedeXk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Ghost32+64.exe (PID: 3352)

    • Application was dropped or rewritten from another process

      • ghost32.exe (PID: 3284)

  • SUSPICIOUS

    • Application launched itself

      • Ghost32+64.exe (PID: 3352)

    • Reads the Internet Settings

      • Ghost32+64.exe (PID: 2480)

    • Executing commands from a ".bat" file

      • Ghost32+64.exe (PID: 2480)

    • Starts CMD.EXE for commands execution

      • Ghost32+64.exe (PID: 2480)

  • INFO

    • Create files in a temporary directory

      • Ghost32+64.exe (PID: 3352)

    • Checks supported languages

      • Ghost32+64.exe (PID: 3352)
      • Ghost32+64.exe (PID: 2480)
      • ghost32.exe (PID: 3284)

    • Reads the computer name

      • ghost32.exe (PID: 3284)
      • Ghost32+64.exe (PID: 2480)

    • The executable file from the user directory is run by the CMD process

      • ghost32.exe (PID: 3284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:12:30 09:49:49+01:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 49152
InitializedDataSize: 16384
UninitializedDataSize: 86016
EntryPoint: 0x21e50
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 12.0.0.10520
ProductVersionNumber: 12.0.0.10520
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Symantec Corporation
FileDescription: Symantec Ghost
FileVersion: 12.0.0.10520
InternalName: Ghost64
LegalCopyright: Copyright (C) 2017 Symantec Corporation. All rights reserved.
OriginalFileName: Ghost64.exe
ProductName: Symantec Ghost
ProductVersion: 12.0.0.10520
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
5
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start ghost32+64.exe ghost32+64.exe no specs cmd.exe no specs ghost32.exe no specs ghost32+64.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
556"C:\Users\admin\AppData\Local\Temp\Ghost32+64.exe" C:\Users\admin\AppData\Local\Temp\Ghost32+64.exeexplorer.exe
User:
admin
Company:
Symantec Corporation
Integrity Level:
MEDIUM
Description:
Symantec Ghost
Exit code:
3221226540
Version:
12.0.0.10520
Modules
Images
c:\users\admin\appdata\local\temp\ghost32+64.exe
c:\windows\system32\ntdll.dll
1632C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\ghost.bat" "C:\Windows\System32\cmd.exeGhost32+64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
2480"C:\Users\admin\AppData\Local\Temp\Ghost32+64.exe" -sfxwaitall:1 "ghost.bat" C:\Users\admin\AppData\Local\Temp\Ghost32+64.exeGhost32+64.exe
User:
admin
Company:
Symantec Corporation
Integrity Level:
HIGH
Description:
Symantec Ghost
Exit code:
0
Version:
12.0.0.10520
Modules
Images
c:\users\admin\appdata\local\temp\ghost32+64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\user32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
3284Ghost32.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\ghost32.execmd.exe
User:
admin
Company:
Symantec Corporation
Integrity Level:
HIGH
Description:
Symantec Ghost
Exit code:
0
Version:
12.0.0.10520
Modules
Images
c:\users\admin\appdata\local\temp\7zipsfx.000\ghost32.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\lpk.dll
3352"C:\Users\admin\AppData\Local\Temp\Ghost32+64.exe" C:\Users\admin\AppData\Local\Temp\Ghost32+64.exe
explorer.exe
User:
admin
Company:
Symantec Corporation
Integrity Level:
HIGH
Description:
Symantec Ghost
Exit code:
0
Version:
12.0.0.10520
Modules
Images
c:\users\admin\appdata\local\temp\ghost32+64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\user32.dll
Total events
1 366
Read events
1 358
Write events
8
Delete events
0

Modification events

(PID) Process:(2480) Ghost32+64.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2480) Ghost32+64.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2480) Ghost32+64.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2480) Ghost32+64.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
2
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
3352Ghost32+64.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\ghost.battext
MD5:4A7A4D0BFCB9C09113C1AF449F028AED
SHA256:FF3D8C720332E1A80FBF1C68CF6084F3DAD5059F656593B583B9B0B365C18E81
3352Ghost32+64.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Ghost64.exeexecutable
MD5:A54EEBA01E811FE1C5302D74527BE2D8
SHA256:B5B240B47E377AF09EE1AB30AE7EFA43AE808EA03E7DED028F63DFD9C6972C25
3352Ghost32+64.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\ghost32.exeexecutable
MD5:09AA2315B5DD90CA0520BED96997B5D4
SHA256:7EF09F5436CF66C491AFE2F5F09D930B1EFB0C238B6EB9A30D685E1D0F030858
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
unknown
2656
svchost.exe
239.255.255.250:1900
unknown
4
System
192.168.100.255:138
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Ghost32+64.exe