36967332692db5751e9b96db2d737386c6d6e76eb550ea53bf6cfac43b86cc38

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 05:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ef6afdb4c633e95264c5c89d92525b70.exe
Size

811KB
MD5

ef6afdb4c633e95264c5c89d92525b70
SHA1

6d7a73f6c57933ec84a6fcd6b5b42f3c0808b41b
SHA256

36967332692db5751e9b96db2d737386c6d6e76eb550ea53bf6cfac43b86cc38
SHA512

05715a69a68a6c45785b99fdd9e0c9a0a36640238f0055643f47c0d746608206df18e66495a65e04bcf2a55e9a05ac667ce483e492da714a185e1478e817a4db
SSDEEP

3072:MGjhaq5iL0beJQZt32wLji5DlsODxRPNDkjJHzW9hUd56JsuBSjwA2i1vP2i1a1v:Hha8iAx+1zwjJHd6vB/ANMBIXWp

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GGAAAG_LOADER = "C:\\Windows\\system32\\GAAG.exe"	NEAS.ef6afdb4c633e95264c5c89d92525b70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FifefoxUpdater = "C:\\Windows\\system32\\FifefoxUpdater.scr"	NEAS.ef6afdb4c633e95264c5c89d92525b70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinSevenUpdater = "C:\\Windows\\system32\\AVSCANNER.EXE"	NEAS.ef6afdb4c633e95264c5c89d92525b70.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\AVSCANNER.EXE	NEAS.ef6afdb4c633e95264c5c89d92525b70.exe
File created	C:\Windows\SysWOW64\GAAG.exe	NEAS.ef6afdb4c633e95264c5c89d92525b70.exe
File opened for modification	C:\Windows\SysWOW64\GAAG.exe	NEAS.ef6afdb4c633e95264c5c89d92525b70.exe
File created	C:\Windows\SysWOW64\FifefoxUpdater.scr	NEAS.ef6afdb4c633e95264c5c89d92525b70.exe
File opened for modification	C:\Windows\SysWOW64\FifefoxUpdater.scr	NEAS.ef6afdb4c633e95264c5c89d92525b70.exe
File created	C:\Windows\SysWOW64\AVSCANNER.EXE	NEAS.ef6afdb4c633e95264c5c89d92525b70.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.ef6afdb4c633e95264c5c89d92525b70.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ef6afdb4c633e95264c5c89d92525b70.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\AVSCANNER.EXE

Filesize
821KB

MD5
5086e32c9cb74b72e0f62657cf6d36c8

SHA1
ae011483f1d999850587283eb698bea8a66bc911

SHA256
3525671ad2f88563f5793ba2d4b5eeef1245cb5159a0bcad2749a95bc9fc8ab9

SHA512
a5795b331c29313055ff8c7d96b0837d5a252e315412097eb0a61106153c53593f073b234c0115b38b720b40af61b9e8d9b945d85b5576e71eb451e6a88d44e0

Download Submit
memory/3148-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3148-7-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads