Analysis Overview
SHA256
627b2676710ca6c05b23aa26dafb50defc14984cdcd14fb05d1e920a39eec4c9
Threat Level: Shows suspicious behavior
The file 627b2676710ca6c05b23aa26dafb50defc14984cdcd14fb05d1e920a39eec4c9 was found to show suspicious behavior.
Malicious Activity Summary
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 22:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 22:19
Reported
2024-06-03 22:21
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinSevenUpdater = "C:\\Windows\\system32\\AVSCANNER.EXE" | C:\Users\Admin\AppData\Local\Temp\627b2676710ca6c05b23aa26dafb50defc14984cdcd14fb05d1e920a39eec4c9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GGAAAG_LOADER = "C:\\Windows\\system32\\GAAG.exe" | C:\Users\Admin\AppData\Local\Temp\627b2676710ca6c05b23aa26dafb50defc14984cdcd14fb05d1e920a39eec4c9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FifefoxUpdater = "C:\\Windows\\system32\\FifefoxUpdater.scr" | C:\Users\Admin\AppData\Local\Temp\627b2676710ca6c05b23aa26dafb50defc14984cdcd14fb05d1e920a39eec4c9.exe | N/A |
Drops file in System32 directory
Processes
C:\Users\Admin\AppData\Local\Temp\627b2676710ca6c05b23aa26dafb50defc14984cdcd14fb05d1e920a39eec4c9.exe
"C:\Users\Admin\AppData\Local\Temp\627b2676710ca6c05b23aa26dafb50defc14984cdcd14fb05d1e920a39eec4c9.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\AVSCANNER.EXE
| MD5 | a9d9529cdae02e21bcfafbf97f333b2c |
| SHA1 | b5e91d7a1eaf5819bd31cee114fa26b6abbcf11a |
| SHA256 | a01a1ffacbbd3df8736597fb9081650d457e4b512987efc3aaed0c3c15270d20 |
| SHA512 | f6619ea02343de8acd53efee9e87ebcb13555d6918ec4af5c4044c5a28f6b9bc1d2a422a782f7fa1602cddfbc82e904600d6df48a6e3a3be603036f97d75b050 |
memory/4328-6-0x0000000000400000-0x000000000044C000-memory.dmp
memory/4328-7-0x0000000000400000-0x000000000044C000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 22:19
Reported
2024-06-03 22:21
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GGAAAG_LOADER = "C:\\Windows\\system32\\GAAG.exe" | C:\Users\Admin\AppData\Local\Temp\627b2676710ca6c05b23aa26dafb50defc14984cdcd14fb05d1e920a39eec4c9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FifefoxUpdater = "C:\\Windows\\system32\\FifefoxUpdater.scr" | C:\Users\Admin\AppData\Local\Temp\627b2676710ca6c05b23aa26dafb50defc14984cdcd14fb05d1e920a39eec4c9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinSevenUpdater = "C:\\Windows\\system32\\AVSCANNER.EXE" | C:\Users\Admin\AppData\Local\Temp\627b2676710ca6c05b23aa26dafb50defc14984cdcd14fb05d1e920a39eec4c9.exe | N/A |
Drops file in System32 directory
Processes
C:\Users\Admin\AppData\Local\Temp\627b2676710ca6c05b23aa26dafb50defc14984cdcd14fb05d1e920a39eec4c9.exe
"C:\Users\Admin\AppData\Local\Temp\627b2676710ca6c05b23aa26dafb50defc14984cdcd14fb05d1e920a39eec4c9.exe"
Network
Files
memory/2452-0-0x0000000000400000-0x000000000044C000-memory.dmp
C:\Windows\SysWOW64\AVSCANNER.EXE
| MD5 | 7ef7ac2950c3559f3465c5318f441040 |
| SHA1 | 83aa2c3adc491cfdd687a2b10749b3a41d1f44d8 |
| SHA256 | 8f4180e49a6c96e1e98358ddfa0304c9b6c343b3d288acd833b6ed7938b17db2 |
| SHA512 | a3698c9f42ee575ec2d436b7c0d75938be8bba1913a5d91204f15b9ea78aa423e4a835df43c67d1fab5b74bf6152386baf06075c546758b3bccab3cdba817fd7 |
memory/2452-7-0x0000000000400000-0x000000000044C000-memory.dmp