Analysis
-
max time kernel
142s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
01-02-2022 12:54
Static task
static1
Behavioral task
behavioral1
Sample
7e1f0c4593e27a0841305ca73d83f6ccdd900ecf8ed8863feb9a301367c5dac1.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
7e1f0c4593e27a0841305ca73d83f6ccdd900ecf8ed8863feb9a301367c5dac1.exe
Resource
win10v2004-en-20220112
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
7e1f0c4593e27a0841305ca73d83f6ccdd900ecf8ed8863feb9a301367c5dac1.exe
-
Size
16KB
-
MD5
bcba1bfc7f8834dbdbdf60ef532b9029
-
SHA1
eb39de6f3e9eeaca8cfea27a641a0258ada0640e
-
SHA256
7e1f0c4593e27a0841305ca73d83f6ccdd900ecf8ed8863feb9a301367c5dac1
-
SHA512
bed3629ac2a66ea23a5bdfa90facf9000c557ad623b3f7d5df1d935d9e3c8a8448765bc9ecb9635ecbfbfe7446624db44fc20d5fbefdb26c992e95d0eb6430bc
Score
4/10
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
Processes:
TiWorker.exedescription ioc process File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
TiWorker.exedescription pid process Token: SeSecurityPrivilege 216 TiWorker.exe Token: SeRestorePrivilege 216 TiWorker.exe Token: SeBackupPrivilege 216 TiWorker.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
7e1f0c4593e27a0841305ca73d83f6ccdd900ecf8ed8863feb9a301367c5dac1.exedescription pid process target process PID 816 wrote to memory of 484 816 7e1f0c4593e27a0841305ca73d83f6ccdd900ecf8ed8863feb9a301367c5dac1.exe fondue.exe PID 816 wrote to memory of 484 816 7e1f0c4593e27a0841305ca73d83f6ccdd900ecf8ed8863feb9a301367c5dac1.exe fondue.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7e1f0c4593e27a0841305ca73d83f6ccdd900ecf8ed8863feb9a301367c5dac1.exe"C:\Users\Admin\AppData\Local\Temp\7e1f0c4593e27a0841305ca73d83f6ccdd900ecf8ed8863feb9a301367c5dac1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\system32\fondue.exe"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll2⤵PID:484
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:216