7e1f0c4593e27a0841305ca73d83f6ccdd900ecf8ed8863feb9a301367c5dac1 | Triage

Analysis

max time kernel
142s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
01-02-2022 12:54

Sharing

Report Analysis Logs

General

Target

7e1f0c4593e27a0841305ca73d83f6ccdd900ecf8ed8863feb9a301367c5dac1.exe
Size

16KB
MD5

bcba1bfc7f8834dbdbdf60ef532b9029
SHA1

eb39de6f3e9eeaca8cfea27a641a0258ada0640e
SHA256

7e1f0c4593e27a0841305ca73d83f6ccdd900ecf8ed8863feb9a301367c5dac1
SHA512

bed3629ac2a66ea23a5bdfa90facf9000c557ad623b3f7d5df1d935d9e3c8a8448765bc9ecb9635ecbfbfe7446624db44fc20d5fbefdb26c992e95d0eb6430bc

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

TiWorker.exe

description ioc process

File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

TiWorker.exe

description pid process

Token: SeSecurityPrivilege 216 TiWorker.exe
Token: SeRestorePrivilege 216 TiWorker.exe
Token: SeBackupPrivilege 216 TiWorker.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

7e1f0c4593e27a0841305ca73d83f6ccdd900ecf8ed8863feb9a301367c5dac1.exe

description	pid	process	target process
PID 816 wrote to memory of 484	816	7e1f0c4593e27a0841305ca73d83f6ccdd900ecf8ed8863feb9a301367c5dac1.exe	fondue.exe
PID 816 wrote to memory of 484	816	7e1f0c4593e27a0841305ca73d83f6ccdd900ecf8ed8863feb9a301367c5dac1.exe	fondue.exe

C:\Users\Admin\AppData\Local\Temp\7e1f0c4593e27a0841305ca73d83f6ccdd900ecf8ed8863feb9a301367c5dac1.exe
"C:\Users\Admin\AppData\Local\Temp\7e1f0c4593e27a0841305ca73d83f6ccdd900ecf8ed8863feb9a301367c5dac1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
PID:484

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...