a82a7c6e13973d6eb19590657f3c0a671a0ebce4bff602343e36784b4463fbce

Resubmissions

10/03/2023, 16:45

230310-t9mjfagd3x 1

10/03/2023, 16:40

230310-t6sw2see82 1

Analysis

max time kernel
52s
max time network
63s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
10/03/2023, 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Avalon Tweaking Utility.exe
Size

1.9MB
MD5

6653de7906f7f43959bd08432501a631
SHA1

9edfbba238d6e6c111dd1bfc9f836f66da305c96
SHA256

a82a7c6e13973d6eb19590657f3c0a671a0ebce4bff602343e36784b4463fbce
SHA512

8184b3c8c739516c5c1cd818f686a65152b33dfda9a74bf59822e03951f5c1ce71f86705cbd7349cc5fc4fb97b9f9028ec4db1b9b96e4932b160a695637bb0ec
SSDEEP

49152:zt3UigFnlBIpExvhzbcO6qE2NybMHfIaR:ztEi6lBIpExOO6qE0h/Ie

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1432	timeout.exe
776	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2264	Avalon Tweaking Utility.exe
2264	Avalon Tweaking Utility.exe
4152	Avalon Tweaking Utility.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	Avalon Tweaking Utility.exe
Token: SeDebugPrivilege	4152	Avalon Tweaking Utility.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 4536	2264	Avalon Tweaking Utility.exe	66
PID 2264 wrote to memory of 4536	2264	Avalon Tweaking Utility.exe	66
PID 4536 wrote to memory of 2848	4536	cmd.exe	68
PID 4536 wrote to memory of 2848	4536	cmd.exe	68
PID 2848 wrote to memory of 1432	2848	cmd.exe	70
PID 2848 wrote to memory of 1432	2848	cmd.exe	70
PID 4152 wrote to memory of 2068	4152	Avalon Tweaking Utility.exe	75
PID 4152 wrote to memory of 2068	4152	Avalon Tweaking Utility.exe	75
PID 2068 wrote to memory of 3236	2068	cmd.exe	77
PID 2068 wrote to memory of 3236	2068	cmd.exe	77
PID 3236 wrote to memory of 776	3236	cmd.exe	79
PID 3236 wrote to memory of 776	3236	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\Avalon Tweaking Utility.exe
"C:\Users\Admin\AppData\Local\Temp\Avalon Tweaking Utility.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c start cmd /C "color b && title Error && echo Please initialize first. Add KeyAuthApp.init(); on load. && timeout /t 5"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\system32\cmd.exe
    cmd /C "color b && title Error && echo Please initialize first. Add KeyAuthApp.init(); on load. && timeout /t 5"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:1432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\Avalon Tweaking Utility.exe
"C:\Users\Admin\AppData\Local\Temp\Avalon Tweaking Utility.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c start cmd /C "color b && title Error && echo Please initialize first. Add KeyAuthApp.init(); on load. && timeout /t 5"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\system32\cmd.exe
    cmd /C "color b && title Error && echo Please initialize first. Add KeyAuthApp.init(); on load. && timeout /t 5"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
d2c2f4621f61981fa0927366f8ff994f

SHA1
c27424a4f09bd6cb715c920bce5e454dfd7cee10

SHA256
f7a3106704869762005b691886f8a3f9165edf992060cf2a2f62c4d929438082

SHA512
fbee109ff7939d22ecdb604d6cd79e7051acdf7eb5cbb09fb2722d67b63a3eb15ddc7d1b2438544b5c1a7b1c5636ffccccb786af76c5b939f6fbe94ed2769369

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
7ccf2c2073ee67b21f41e466ddb5d99d

SHA1
5b23ff623f53ed72d46b664ea65a18ad4cb68bdd

SHA256
c8404b71057d65d1783a31dd5017e060d2501abc14627137af7fd12dbf4e5f81

SHA512
c8dcf8fb504114615186c3a2df85c8c9b9dc13eeb178644c558d4816c046a2e4901c8b86a39c33d0cd5b7b0579fd01435145368b374c0ef916271c404720af74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_D56FD3721C485C5804F4F5FAAF957FEF

Filesize
280B

MD5
08f4dc4f93b914c9889fd7aa5a4fa203

SHA1
5489effed0e9898a6f35900bf84fdf2c3e62260d

SHA256
e84aa9c0240649a3268d0411eed7280aecdd6915d6ebbe964fa152557df2c608

SHA512
627926cd484a23bec0dc1c3df6d2fa64d2d77dcd6c6305e28236be4eec679b6f7b56a0aa18a8a5155f6fac9f4db2decd90e49fe6856b75f0d33c80dd93229bf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_724DFBA1CAEDEE0611D7EB4AB3BE904A

Filesize
471B

MD5
39f90c1db3b4bf8a85c332caff2996f5

SHA1
c1f6ea6da9b0357f7231eb4df6d9e2dd549eb7d0

SHA256
2961fa51065c1ba3b717955d97e550a11118ed8a5d0cd7eaa43962e0d7e862ec

SHA512
b9330bc95628bfcfcd91822709a1e845959308207c21e6bbdd656c0063fee2f46c64927cb26190695843aa1575ee5ff562db545c0a7ac2fe32edeb3f611902fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
bee94c7bdaab8c7660f5d83cb20dac78

SHA1
8e8f22cad005a5dd6cc2f7079221a46a6b135553

SHA256
d3acceac4a1cfccc6d7e3e10cd0ebe18f006f95ac70f74be6e6900ade722a468

SHA512
24cece354a4425af9ecdb120754cdaf9cc5db154b99b100c9281463bd1a514b9b1735dfa770f494feca58d0e0a8f34c0b621864a3f0d75d1d87d87c8196dd996

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
e83503aad3e0ceeffc6f77b533560acc

SHA1
2fc297a65b5c3538b8fcef5c91fda1a29a9f12e9

SHA256
dc58a38c42b5eeb25d6302960168b5f89f13c28985c8ab8a85b0b5a5eed75e56

SHA512
3f9b19b85118737a2bf7abc5063af748e7d757d6d38bf5fa3481164ef2bfbf75fe311752fc433b7382727d845f1b4b95dd76d23e75d9e2a2ea6661639351504a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_D56FD3721C485C5804F4F5FAAF957FEF

Filesize
426B

MD5
a38a7d174fa6b192f84cedc99c27019f

SHA1
66fd29fc1fd7c4071b887636836cee0354932611

SHA256
a7b903c600633cc736beb094ed4883f06688aa0ec854e10ceecf5bbcbc06c1ee

SHA512
65a2fb626e541dd7a213c6001cedb88a7996801545a31ae9e1c775efafd81cd1cc0e1ca129ae58cabe76b1ed86a25134b811f7201889f2d1c6373a51c85ab5a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
bb3b26cf89b4ab2bde880fc81d718e58

SHA1
8dd6571eb9da443095274ab6b608dda1283badfe

SHA256
d41db7f85261b87df40139596e43407fb501740871c1e1cc04adadc359cd3c3a

SHA512
9e3fbe7fad83ae8bb8689af97289d216ddae51838ee8a24224f2c69e06bf3f127cb08283b2fe41230fd3a72bcf6dfb123593dda6e6eb6e88f591d0f51da100f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_724DFBA1CAEDEE0611D7EB4AB3BE904A

Filesize
406B

MD5
b86cd8a01195db229b089ce610a52a23

SHA1
c940b349f4daac9c4d335101fb42a5f392d5d4fa

SHA256
0aade1dc442f0fa5d8400a0ecb518c5233d809106c818afa4f0511d3f9b8e4cc

SHA512
be903a3d202e1e2cba0f4b57a008e750a81f3cf2304c62e1150a585d9cea3f7fd600264492ac0eafaf38da807346c08445a9f11c193205bd1f82647c31f7c199

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Avalon Tweaking Utility.exe.log

Filesize
2KB

MD5
19caa5b93422f51ca1a27ef901701944

SHA1
6bba34149ef453d27c5c2efc9dcfbdb990a7a235

SHA256
dd8aa4fa674e4e6972031d8b45cc10f2b10743537e0211cdeda1ac57b790e47d

SHA512
3dc7dee2785dfbd170451b5a680483136ac420c3f97e695e102a93104c1bb0b0a1a7ddca9301c011b7c0652907de7cc6916010f6288ef66d207669495469b417

Download Submit
memory/2264-138-0x000001D37CD30000-0x000001D37CD68000-memory.dmp

Filesize
224KB

Download
memory/2264-146-0x000001D37DBA0000-0x000001D37DBDE000-memory.dmp

Filesize
248KB

Download
memory/2264-139-0x000001D377720000-0x000001D377730000-memory.dmp

Filesize
64KB

Download
memory/2264-121-0x000001D35CE70000-0x000001D35D04E000-memory.dmp

Filesize
1.9MB

Download
memory/2264-137-0x000001D378E00000-0x000001D378E08000-memory.dmp

Filesize
32KB

Download
memory/2264-136-0x000001D377720000-0x000001D377730000-memory.dmp

Filesize
64KB

Download
memory/2264-135-0x000001D377720000-0x000001D377730000-memory.dmp

Filesize
64KB

Download
memory/2264-125-0x000001D377540000-0x000001D377552000-memory.dmp

Filesize
72KB

Download
memory/2264-122-0x000001D377720000-0x000001D377730000-memory.dmp

Filesize
64KB

Download
memory/4152-156-0x0000018DF3F20000-0x0000018DF3F30000-memory.dmp

Filesize
64KB

Download
memory/4152-155-0x0000018DF3F20000-0x0000018DF3F30000-memory.dmp

Filesize
64KB

Download
memory/4152-157-0x0000018DF3F20000-0x0000018DF3F30000-memory.dmp

Filesize
64KB

Download
memory/4152-158-0x0000018DF3F20000-0x0000018DF3F30000-memory.dmp

Filesize
64KB

Download