d9a9a7ab99db0946ecb0f5f398eddd0d820ffbde0105164064e168f1ea73ba26 | Triage

Analysis

max time kernel
152s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
01-02-2022 12:51

Sharing

Report Analysis Logs

General

Target

d9a9a7ab99db0946ecb0f5f398eddd0d820ffbde0105164064e168f1ea73ba26.exe
Size

16KB
MD5

52f3fc5a0291ddd479c11c1e0e9f00b9
SHA1

bb461e104c52bf05cadf9b332bca49e30596fe24
SHA256

d9a9a7ab99db0946ecb0f5f398eddd0d820ffbde0105164064e168f1ea73ba26
SHA512

c4b9f4ecb455c1014ce5729c480fe7c7b79f86e3b7a89caebdb98aeaa3d5e6ef18d4796c0a595539aeb112c840df4980c160b449909f659dbe362d1315bae288

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

TiWorker.exe

description ioc process

File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

TiWorker.exe

description pid process

Token: SeSecurityPrivilege 3328 TiWorker.exe
Token: SeRestorePrivilege 3328 TiWorker.exe
Token: SeBackupPrivilege 3328 TiWorker.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

d9a9a7ab99db0946ecb0f5f398eddd0d820ffbde0105164064e168f1ea73ba26.exe

description	pid	process	target process
PID 1008 wrote to memory of 3764	1008	d9a9a7ab99db0946ecb0f5f398eddd0d820ffbde0105164064e168f1ea73ba26.exe	fondue.exe
PID 1008 wrote to memory of 3764	1008	d9a9a7ab99db0946ecb0f5f398eddd0d820ffbde0105164064e168f1ea73ba26.exe	fondue.exe

C:\Users\Admin\AppData\Local\Temp\d9a9a7ab99db0946ecb0f5f398eddd0d820ffbde0105164064e168f1ea73ba26.exe
"C:\Users\Admin\AppData\Local\Temp\d9a9a7ab99db0946ecb0f5f398eddd0d820ffbde0105164064e168f1ea73ba26.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
PID:3764

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads