5f15aed0cf316def214528366b1ed0c1edf1df53143c5ff0d9e2ab93828b1078

Analysis

max time kernel
151s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
11-02-2022 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f15aed0cf316def214528366b1ed0c1edf1df53143c5ff0d9e2ab93828b1078.exe
Size

28KB
MD5

bb7c5b863c79a736c736a0c3822c2e98
SHA1

8cf83cc59ca7815dab91b89408f4f3b08c580521
SHA256

5f15aed0cf316def214528366b1ed0c1edf1df53143c5ff0d9e2ab93828b1078
SHA512

b881ab0c457d2c188e43e7d7e254aa9dd5ed464620b0d90b2f51ecd85c4f0eac974d735176332ebb595ab88ff8f202abcf91fbe4ae6d706c7a93c9ddf6bcf22c

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2564	svchost.exe
Token: SeCreatePagefilePrivilege	2564	svchost.exe
Token: SeShutdownPrivilege	2564	svchost.exe
Token: SeCreatePagefilePrivilege	2564	svchost.exe
Token: SeShutdownPrivilege	2564	svchost.exe
Token: SeCreatePagefilePrivilege	2564	svchost.exe
Token: SeSecurityPrivilege	4052	TiWorker.exe
Token: SeRestorePrivilege	4052	TiWorker.exe
Token: SeBackupPrivilege	4052	TiWorker.exe
Token: SeBackupPrivilege	4052	TiWorker.exe
Token: SeRestorePrivilege	4052	TiWorker.exe
Token: SeSecurityPrivilege	4052	TiWorker.exe
Token: SeBackupPrivilege	4052	TiWorker.exe
Token: SeRestorePrivilege	4052	TiWorker.exe
Token: SeSecurityPrivilege	4052	TiWorker.exe
Token: SeBackupPrivilege	4052	TiWorker.exe
Token: SeRestorePrivilege	4052	TiWorker.exe
Token: SeSecurityPrivilege	4052	TiWorker.exe
Token: SeBackupPrivilege	4052	TiWorker.exe
Token: SeRestorePrivilege	4052	TiWorker.exe
Token: SeSecurityPrivilege	4052	TiWorker.exe
Token: SeBackupPrivilege	4052	TiWorker.exe
Token: SeRestorePrivilege	4052	TiWorker.exe
Token: SeSecurityPrivilege	4052	TiWorker.exe
Token: SeBackupPrivilege	4052	TiWorker.exe
Token: SeRestorePrivilege	4052	TiWorker.exe
Token: SeSecurityPrivilege	4052	TiWorker.exe
Token: SeBackupPrivilege	4052	TiWorker.exe
Token: SeRestorePrivilege	4052	TiWorker.exe
Token: SeSecurityPrivilege	4052	TiWorker.exe
Token: SeBackupPrivilege	4052	TiWorker.exe
Token: SeRestorePrivilege	4052	TiWorker.exe
Token: SeSecurityPrivilege	4052	TiWorker.exe
Token: SeBackupPrivilege	4052	TiWorker.exe
Token: SeRestorePrivilege	4052	TiWorker.exe
Token: SeSecurityPrivilege	4052	TiWorker.exe
Token: SeBackupPrivilege	4052	TiWorker.exe
Token: SeRestorePrivilege	4052	TiWorker.exe
Token: SeSecurityPrivilege	4052	TiWorker.exe
Token: SeBackupPrivilege	4052	TiWorker.exe
Token: SeRestorePrivilege	4052	TiWorker.exe
Token: SeSecurityPrivilege	4052	TiWorker.exe
Token: SeBackupPrivilege	4052	TiWorker.exe
Token: SeRestorePrivilege	4052	TiWorker.exe
Token: SeSecurityPrivilege	4052	TiWorker.exe
Token: SeBackupPrivilege	4052	TiWorker.exe
Token: SeRestorePrivilege	4052	TiWorker.exe
Token: SeSecurityPrivilege	4052	TiWorker.exe
Token: SeBackupPrivilege	4052	TiWorker.exe
Token: SeRestorePrivilege	4052	TiWorker.exe
Token: SeSecurityPrivilege	4052	TiWorker.exe
Token: SeBackupPrivilege	4052	TiWorker.exe
Token: SeRestorePrivilege	4052	TiWorker.exe
Token: SeSecurityPrivilege	4052	TiWorker.exe
Token: SeBackupPrivilege	4052	TiWorker.exe
Token: SeRestorePrivilege	4052	TiWorker.exe
Token: SeSecurityPrivilege	4052	TiWorker.exe
Token: SeBackupPrivilege	4052	TiWorker.exe
Token: SeRestorePrivilege	4052	TiWorker.exe
Token: SeSecurityPrivilege	4052	TiWorker.exe
Token: SeBackupPrivilege	4052	TiWorker.exe
Token: SeRestorePrivilege	4052	TiWorker.exe
Token: SeSecurityPrivilege	4052	TiWorker.exe
Token: SeBackupPrivilege	4052	TiWorker.exe

C:\Users\Admin\AppData\Local\Temp\5f15aed0cf316def214528366b1ed0c1edf1df53143c5ff0d9e2ab93828b1078.exe
"C:\Users\Admin\AppData\Local\Temp\5f15aed0cf316def214528366b1ed0c1edf1df53143c5ff0d9e2ab93828b1078.exe"
1⤵
PID:4844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2564-130-0x0000028ED9F20000-0x0000028ED9F30000-memory.dmp

Filesize
64KB

Download
memory/2564-131-0x0000028ED9F80000-0x0000028ED9F90000-memory.dmp

Filesize
64KB

Download
memory/2564-132-0x0000028EDC660000-0x0000028EDC664000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads