7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c

Analysis

max time kernel
41s
max time network
48s
platform
windows7_x64
resource
win7-20220414-en
submitted
30-05-2022 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe
Size

1.0MB
MD5

07fed12bfd9166a4f965f848c7172b04
SHA1

ebb25569a8ed53fc803ad6da6e25d06765340c38
SHA256

7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c
SHA512

40da6d529abd89d380957635afadecf932c8bb12dd08ce83d53ff5f0b6bee52949f0aad7afc7eea5730b920d0fb55e4e57ab34db09aed36663eacd3684502327

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Avvelenate.exe.comAvvelenate.exe.com

pid process

1532 Avvelenate.exe.com
908 Avvelenate.exe.com
Loads dropped DLL 2 IoCs

Processes:

cmd.exeAvvelenate.exe.com

pid process

1688 cmd.exe
1532 Avvelenate.exe.com

pid	process
1532	Avvelenate.exe.com
908	Avvelenate.exe.com

pid	process
1688	cmd.exe
1532	Avvelenate.exe.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1708 PING.EXE

pid	process
1708	PING.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.execmd.execmd.exeAvvelenate.exe.com

description	pid	process	target process
PID 1376 wrote to memory of 1792	1376	7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe	dllhost.exe
PID 1376 wrote to memory of 1792	1376	7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe	dllhost.exe
PID 1376 wrote to memory of 1792	1376	7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe	dllhost.exe
PID 1376 wrote to memory of 1792	1376	7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe	dllhost.exe
PID 1376 wrote to memory of 1004	1376	7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe	cmd.exe
PID 1376 wrote to memory of 1004	1376	7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe	cmd.exe
PID 1376 wrote to memory of 1004	1376	7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe	cmd.exe
PID 1376 wrote to memory of 1004	1376	7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe	cmd.exe
PID 1004 wrote to memory of 1688	1004	cmd.exe	cmd.exe
PID 1004 wrote to memory of 1688	1004	cmd.exe	cmd.exe
PID 1004 wrote to memory of 1688	1004	cmd.exe	cmd.exe
PID 1004 wrote to memory of 1688	1004	cmd.exe	cmd.exe
PID 1688 wrote to memory of 1696	1688	cmd.exe	findstr.exe
PID 1688 wrote to memory of 1696	1688	cmd.exe	findstr.exe
PID 1688 wrote to memory of 1696	1688	cmd.exe	findstr.exe
PID 1688 wrote to memory of 1696	1688	cmd.exe	findstr.exe
PID 1688 wrote to memory of 1532	1688	cmd.exe	Avvelenate.exe.com
PID 1688 wrote to memory of 1532	1688	cmd.exe	Avvelenate.exe.com
PID 1688 wrote to memory of 1532	1688	cmd.exe	Avvelenate.exe.com
PID 1688 wrote to memory of 1532	1688	cmd.exe	Avvelenate.exe.com
PID 1688 wrote to memory of 1708	1688	cmd.exe	PING.EXE
PID 1688 wrote to memory of 1708	1688	cmd.exe	PING.EXE
PID 1688 wrote to memory of 1708	1688	cmd.exe	PING.EXE
PID 1688 wrote to memory of 1708	1688	cmd.exe	PING.EXE
PID 1532 wrote to memory of 908	1532	Avvelenate.exe.com	Avvelenate.exe.com
PID 1532 wrote to memory of 908	1532	Avvelenate.exe.com	Avvelenate.exe.com
PID 1532 wrote to memory of 908	1532	Avvelenate.exe.com	Avvelenate.exe.com
PID 1532 wrote to memory of 908	1532	Avvelenate.exe.com	Avvelenate.exe.com

C:\Users\Admin\AppData\Local\Temp\7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe
"C:\Users\Admin\AppData\Local\Temp\7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
2⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Duro.vsd
2⤵
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^LvDSVhyXjXdxKsRHmQvASKarhdehXjwxbouoVnxzwwTxiJmlXpXSysjwrmEElSZZWWXBkJLqcenRQYVERSfNgp$" Davanzale.vsd
4⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avvelenate.exe.com
Avvelenate.exe.com P
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avvelenate.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avvelenate.exe.com P
5⤵
- Executes dropped EXE
PID:908

C:\Windows\SysWOW64\PING.EXE
ping localhost
4⤵
- Runs ping.exe
PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avvelenate.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avvelenate.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avvelenate.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Camminato.vsd
Filesize
979KB

MD5
8874ddc6b24b0d3211ee079df83804ac

SHA1
22fb5ec6949dc1cdc3a3e12219020149d0de33ab

SHA256
50b29ff59bf772f8939344f0615a8a03085054e946dbf355d412fef6068322ed

SHA512
e613fdb1b937394217ef2344e3102998a35cea7554799b649567ef4c5cd4f71214a6a15adfaf0ca25b6acab0d5480b3fd8354d684d2921de975384acd824050c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Davanzale.vsd
Filesize
872KB

MD5
bc96e3ac0ca0083a6dce5f2d3f282ccf

SHA1
c7e60f1e50184905bd3f6fd0680304f419be8262

SHA256
e76fef7267e9b6d9a63bf961c41a70d9e829e92a902316ebcabb277c0ecc0041

SHA512
1f4693d3b872dd42e1b3752701b80c71874292da23af121cab3c9e72e1afd981c7f2a718d7c368e2a030f0e3073eef4c15d7efac17a9184c5488ad6d6a0594c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Duro.vsd
Filesize
431B

MD5
6ce8586a7266d40430db0b133184c4d9

SHA1
2149fb62da20eb38e460a720c59c42a6359c0111

SHA256
d3a07b281b31e04c33d6e2365ca244fc34b6d30230e9fc6d4bb8c98604944364

SHA512
4afc88e6c3a57cc6e93b1e8456b91c9114b51e1dc60cdfbc71e0b843437ec7e881f3d7977198178982c3166bfa49450a649e854d5269734e752f62f77aacf8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P
Filesize
979KB

MD5
8874ddc6b24b0d3211ee079df83804ac

SHA1
22fb5ec6949dc1cdc3a3e12219020149d0de33ab

SHA256
50b29ff59bf772f8939344f0615a8a03085054e946dbf355d412fef6068322ed

SHA512
e613fdb1b937394217ef2344e3102998a35cea7554799b649567ef4c5cd4f71214a6a15adfaf0ca25b6acab0d5480b3fd8354d684d2921de975384acd824050c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Saluta.vsd
Filesize
113KB

MD5
0d982eb51849e466dbdc6867c83f9f71

SHA1
6bc7762faa8f1007d54723ac9e99afa2fa8d953e

SHA256
fdb58f71a713f7a9351278c8192d21faa9776c200dbddfeefcb0cee89bc441e9

SHA512
16afc9d59dfe39e7cf7c8a5b0d1888deb719c8bb9752793990887bb12f1533803adb1e03a009ef37d9620c82a833ed7f34a84b63a486879b64b972b820745a14

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avvelenate.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avvelenate.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/908-69-0x0000000000000000-mapping.dmp

Download
memory/1004-55-0x0000000000000000-mapping.dmp

Download
memory/1532-62-0x0000000000000000-mapping.dmp

Download
memory/1532-65-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1688-57-0x0000000000000000-mapping.dmp

Download
memory/1696-58-0x0000000000000000-mapping.dmp

Download
memory/1708-64-0x0000000000000000-mapping.dmp

Download
memory/1792-54-0x0000000000000000-mapping.dmp

Download