Analysis
-
max time kernel
121s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 13:19
Static task
static1
Behavioral task
behavioral1
Sample
5a309fcd09092bd21ea6215b470d439d9c2aaf875f70553aa627f4b5b41b3e38.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
5a309fcd09092bd21ea6215b470d439d9c2aaf875f70553aa627f4b5b41b3e38.exe
Resource
win10v2004-en-20220113
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
5a309fcd09092bd21ea6215b470d439d9c2aaf875f70553aa627f4b5b41b3e38.exe
-
Size
585KB
-
MD5
46b33a01ddc74f6ed96a3793744eedfd
-
SHA1
654f6e185b5ab4a0a98c36d8b24d7f6399c8a61a
-
SHA256
5a309fcd09092bd21ea6215b470d439d9c2aaf875f70553aa627f4b5b41b3e38
-
SHA512
6635af0047324d7fdc018eb42339dd75b165daeb5ebd468b5fa27ec877b23ee05bd7f540790af2053822d62784cfe6cc5f12b87d0d738289225f4f2d5c903673
Score
4/10
Malware Config
Signatures
-
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 3660 svchost.exe Token: SeCreatePagefilePrivilege 3660 svchost.exe Token: SeShutdownPrivilege 3660 svchost.exe Token: SeCreatePagefilePrivilege 3660 svchost.exe Token: SeShutdownPrivilege 3660 svchost.exe Token: SeCreatePagefilePrivilege 3660 svchost.exe Token: SeSecurityPrivilege 4216 TiWorker.exe Token: SeRestorePrivilege 4216 TiWorker.exe Token: SeBackupPrivilege 4216 TiWorker.exe Token: SeBackupPrivilege 4216 TiWorker.exe Token: SeRestorePrivilege 4216 TiWorker.exe Token: SeSecurityPrivilege 4216 TiWorker.exe Token: SeBackupPrivilege 4216 TiWorker.exe Token: SeRestorePrivilege 4216 TiWorker.exe Token: SeSecurityPrivilege 4216 TiWorker.exe Token: SeBackupPrivilege 4216 TiWorker.exe Token: SeRestorePrivilege 4216 TiWorker.exe Token: SeSecurityPrivilege 4216 TiWorker.exe Token: SeBackupPrivilege 4216 TiWorker.exe Token: SeRestorePrivilege 4216 TiWorker.exe Token: SeSecurityPrivilege 4216 TiWorker.exe Token: SeBackupPrivilege 4216 TiWorker.exe Token: SeRestorePrivilege 4216 TiWorker.exe Token: SeSecurityPrivilege 4216 TiWorker.exe Token: SeBackupPrivilege 4216 TiWorker.exe Token: SeRestorePrivilege 4216 TiWorker.exe Token: SeSecurityPrivilege 4216 TiWorker.exe Token: SeBackupPrivilege 4216 TiWorker.exe Token: SeRestorePrivilege 4216 TiWorker.exe Token: SeSecurityPrivilege 4216 TiWorker.exe Token: SeBackupPrivilege 4216 TiWorker.exe Token: SeRestorePrivilege 4216 TiWorker.exe Token: SeSecurityPrivilege 4216 TiWorker.exe Token: SeBackupPrivilege 4216 TiWorker.exe Token: SeRestorePrivilege 4216 TiWorker.exe Token: SeSecurityPrivilege 4216 TiWorker.exe Token: SeBackupPrivilege 4216 TiWorker.exe Token: SeRestorePrivilege 4216 TiWorker.exe Token: SeSecurityPrivilege 4216 TiWorker.exe Token: SeBackupPrivilege 4216 TiWorker.exe Token: SeRestorePrivilege 4216 TiWorker.exe Token: SeSecurityPrivilege 4216 TiWorker.exe Token: SeBackupPrivilege 4216 TiWorker.exe Token: SeRestorePrivilege 4216 TiWorker.exe Token: SeSecurityPrivilege 4216 TiWorker.exe Token: SeBackupPrivilege 4216 TiWorker.exe Token: SeRestorePrivilege 4216 TiWorker.exe Token: SeSecurityPrivilege 4216 TiWorker.exe Token: SeBackupPrivilege 4216 TiWorker.exe Token: SeRestorePrivilege 4216 TiWorker.exe Token: SeSecurityPrivilege 4216 TiWorker.exe Token: SeBackupPrivilege 4216 TiWorker.exe Token: SeRestorePrivilege 4216 TiWorker.exe Token: SeSecurityPrivilege 4216 TiWorker.exe Token: SeBackupPrivilege 4216 TiWorker.exe Token: SeRestorePrivilege 4216 TiWorker.exe Token: SeSecurityPrivilege 4216 TiWorker.exe Token: SeBackupPrivilege 4216 TiWorker.exe Token: SeRestorePrivilege 4216 TiWorker.exe Token: SeSecurityPrivilege 4216 TiWorker.exe Token: SeBackupPrivilege 4216 TiWorker.exe Token: SeRestorePrivilege 4216 TiWorker.exe Token: SeSecurityPrivilege 4216 TiWorker.exe Token: SeBackupPrivilege 4216 TiWorker.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
5a309fcd09092bd21ea6215b470d439d9c2aaf875f70553aa627f4b5b41b3e38.exefondue.exedescription pid process target process PID 2040 wrote to memory of 2148 2040 5a309fcd09092bd21ea6215b470d439d9c2aaf875f70553aa627f4b5b41b3e38.exe fondue.exe PID 2040 wrote to memory of 2148 2040 5a309fcd09092bd21ea6215b470d439d9c2aaf875f70553aa627f4b5b41b3e38.exe fondue.exe PID 2040 wrote to memory of 2148 2040 5a309fcd09092bd21ea6215b470d439d9c2aaf875f70553aa627f4b5b41b3e38.exe fondue.exe PID 2148 wrote to memory of 2572 2148 fondue.exe FonDUE.EXE PID 2148 wrote to memory of 2572 2148 fondue.exe FonDUE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a309fcd09092bd21ea6215b470d439d9c2aaf875f70553aa627f4b5b41b3e38.exe"C:\Users\Admin\AppData\Local\Temp\5a309fcd09092bd21ea6215b470d439d9c2aaf875f70553aa627f4b5b41b3e38.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\fondue.exe"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll2⤵
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\system32\FonDUE.EXE"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll3⤵PID:2572
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3660
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4216