e90c2e5873df18e8afb63f747ebad09fdd7db2fe24fe4b60beefe6530d6a0c14

General

Target

864-62-0x0000000072480000-0x00000000724A9000-memory.exe
Size

164KB
MD5

0c480318d5b82c12c4840f25b28c6f4e
SHA1

9e1d7a0e1bdddc56ffac93be32ca3bb67a5ee194
SHA256

e90c2e5873df18e8afb63f747ebad09fdd7db2fe24fe4b60beefe6530d6a0c14
SHA512

3c2214fba2ede464bb7577de45a0db76ad610277e7f8e1c6f803a2199127aa5c24da00ede8f989071bcf5be22e84a1b188121131d805137d1f5f1dd14838ff3b

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

864-62-0x0000000072480000-0x00000000724A9000-memory.exe

pid process

5036 864-62-0x0000000072480000-0x00000000724A9000-memory.exe
5036 864-62-0x0000000072480000-0x00000000724A9000-memory.exe

pid	process
5036	864-62-0x0000000072480000-0x00000000724A9000-memory.exe
5036	864-62-0x0000000072480000-0x00000000724A9000-memory.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	4468	svchost.exe
Token: SeCreatePagefilePrivilege	4468	svchost.exe
Token: SeShutdownPrivilege	4468	svchost.exe
Token: SeCreatePagefilePrivilege	4468	svchost.exe
Token: SeShutdownPrivilege	4468	svchost.exe
Token: SeCreatePagefilePrivilege	4468	svchost.exe
Token: SeSecurityPrivilege	3552	TiWorker.exe
Token: SeRestorePrivilege	3552	TiWorker.exe
Token: SeBackupPrivilege	3552	TiWorker.exe
Token: SeBackupPrivilege	3552	TiWorker.exe
Token: SeRestorePrivilege	3552	TiWorker.exe
Token: SeSecurityPrivilege	3552	TiWorker.exe
Token: SeBackupPrivilege	3552	TiWorker.exe
Token: SeRestorePrivilege	3552	TiWorker.exe
Token: SeSecurityPrivilege	3552	TiWorker.exe
Token: SeBackupPrivilege	3552	TiWorker.exe
Token: SeRestorePrivilege	3552	TiWorker.exe
Token: SeSecurityPrivilege	3552	TiWorker.exe
Token: SeBackupPrivilege	3552	TiWorker.exe
Token: SeRestorePrivilege	3552	TiWorker.exe
Token: SeSecurityPrivilege	3552	TiWorker.exe
Token: SeBackupPrivilege	3552	TiWorker.exe
Token: SeRestorePrivilege	3552	TiWorker.exe
Token: SeSecurityPrivilege	3552	TiWorker.exe
Token: SeBackupPrivilege	3552	TiWorker.exe
Token: SeRestorePrivilege	3552	TiWorker.exe
Token: SeSecurityPrivilege	3552	TiWorker.exe
Token: SeBackupPrivilege	3552	TiWorker.exe
Token: SeRestorePrivilege	3552	TiWorker.exe
Token: SeSecurityPrivilege	3552	TiWorker.exe
Token: SeBackupPrivilege	3552	TiWorker.exe
Token: SeRestorePrivilege	3552	TiWorker.exe
Token: SeSecurityPrivilege	3552	TiWorker.exe
Token: SeBackupPrivilege	3552	TiWorker.exe
Token: SeRestorePrivilege	3552	TiWorker.exe
Token: SeSecurityPrivilege	3552	TiWorker.exe
Token: SeBackupPrivilege	3552	TiWorker.exe
Token: SeRestorePrivilege	3552	TiWorker.exe
Token: SeSecurityPrivilege	3552	TiWorker.exe
Token: SeBackupPrivilege	3552	TiWorker.exe
Token: SeRestorePrivilege	3552	TiWorker.exe
Token: SeSecurityPrivilege	3552	TiWorker.exe
Token: SeBackupPrivilege	3552	TiWorker.exe
Token: SeRestorePrivilege	3552	TiWorker.exe
Token: SeSecurityPrivilege	3552	TiWorker.exe
Token: SeBackupPrivilege	3552	TiWorker.exe
Token: SeRestorePrivilege	3552	TiWorker.exe
Token: SeSecurityPrivilege	3552	TiWorker.exe
Token: SeBackupPrivilege	3552	TiWorker.exe
Token: SeRestorePrivilege	3552	TiWorker.exe
Token: SeSecurityPrivilege	3552	TiWorker.exe
Token: SeBackupPrivilege	3552	TiWorker.exe
Token: SeRestorePrivilege	3552	TiWorker.exe
Token: SeSecurityPrivilege	3552	TiWorker.exe
Token: SeBackupPrivilege	3552	TiWorker.exe
Token: SeRestorePrivilege	3552	TiWorker.exe
Token: SeSecurityPrivilege	3552	TiWorker.exe
Token: SeBackupPrivilege	3552	TiWorker.exe
Token: SeRestorePrivilege	3552	TiWorker.exe
Token: SeSecurityPrivilege	3552	TiWorker.exe
Token: SeBackupPrivilege	3552	TiWorker.exe
Token: SeRestorePrivilege	3552	TiWorker.exe
Token: SeSecurityPrivilege	3552	TiWorker.exe
Token: SeBackupPrivilege	3552	TiWorker.exe

C:\Users\Admin\AppData\Local\Temp\864-62-0x0000000072480000-0x00000000724A9000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\864-62-0x0000000072480000-0x00000000724A9000-memory.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4468-131-0x000001FC01130000-0x000001FC01140000-memory.dmp

Filesize
64KB

Download
memory/4468-132-0x000001FC01190000-0x000001FC011A0000-memory.dmp

Filesize
64KB

Download
memory/4468-133-0x000001FC03E90000-0x000001FC03E94000-memory.dmp

Filesize
16KB

Download
memory/5036-130-0x0000000001590000-0x00000000018DA000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads