0e35ef8626c0150e10b071a802146a372380cc7d02b156bebc0122c45b913ef3

Analysis

max time kernel
19s
max time network
18s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
22-10-2023 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.364964d8e11f3d73a5bced11bd8fa100.exe
Size

733KB
MD5

364964d8e11f3d73a5bced11bd8fa100
SHA1

910197fe279b0d66f52f57732fceca15b5e88fda
SHA256

0e35ef8626c0150e10b071a802146a372380cc7d02b156bebc0122c45b913ef3
SHA512

e5c3f01485976bb92ecf87a2777b8a36f0c12c5049321090cac43d44f808235f969dc7474564af329004325afcac475896e77cf86e4e62735c8ef0be55331b24
SSDEEP

3072:MGjhaq5iL0beJQZt32wLji5DlsODxRPNDkjJHzW9hUd56JsuBSjwA2i1vP2i1a1b:Hha8iAx+1zwjJHd6vB/ANMfwwfm

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GGAAAG_LOADER = "C:\\Windows\\system32\\GAAG.exe"	NEAS.364964d8e11f3d73a5bced11bd8fa100.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FifefoxUpdater = "C:\\Windows\\system32\\FifefoxUpdater.scr"	NEAS.364964d8e11f3d73a5bced11bd8fa100.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinSevenUpdater = "C:\\Windows\\system32\\AVSCANNER.EXE"	NEAS.364964d8e11f3d73a5bced11bd8fa100.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\AVSCANNER.EXE	NEAS.364964d8e11f3d73a5bced11bd8fa100.exe
File created	C:\Windows\SysWOW64\GAAG.exe	NEAS.364964d8e11f3d73a5bced11bd8fa100.exe
File opened for modification	C:\Windows\SysWOW64\GAAG.exe	NEAS.364964d8e11f3d73a5bced11bd8fa100.exe
File created	C:\Windows\SysWOW64\FifefoxUpdater.scr	NEAS.364964d8e11f3d73a5bced11bd8fa100.exe
File opened for modification	C:\Windows\SysWOW64\FifefoxUpdater.scr	NEAS.364964d8e11f3d73a5bced11bd8fa100.exe
File created	C:\Windows\SysWOW64\AVSCANNER.EXE	NEAS.364964d8e11f3d73a5bced11bd8fa100.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.364964d8e11f3d73a5bced11bd8fa100.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.364964d8e11f3d73a5bced11bd8fa100.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\AVSCANNER.EXE

Filesize
743KB

MD5
d6af25330c073c5dec92ddbd3dcbae21

SHA1
69d5316f2ddd83a3e26b8a18a56ae67718e31e46

SHA256
3f009332e523dae3dd6e578d066c3c917256c3c83623acb63afb2a05d9e040d1

SHA512
c2cb5cd426c835811f7ef81736eb0152e28e8dde7bc74041d8c8cfdf7a9a95a3d97e33ac356dfddc9fe1012728e410f52179de634338d90acfe023cf0c5684d5

Download Submit
memory/2776-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2776-7-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads