5a309fcd09092bd21ea6215b470d439d9c2aaf875f70553aa627f4b5b41b3e38

General

Target

5a309fcd09092bd21ea6215b470d439d9c2aaf875f70553aa627f4b5b41b3e38.exe
Size

585KB
MD5

46b33a01ddc74f6ed96a3793744eedfd
SHA1

654f6e185b5ab4a0a98c36d8b24d7f6399c8a61a
SHA256

5a309fcd09092bd21ea6215b470d439d9c2aaf875f70553aa627f4b5b41b3e38
SHA512

6635af0047324d7fdc018eb42339dd75b165daeb5ebd468b5fa27ec877b23ee05bd7f540790af2053822d62784cfe6cc5f12b87d0d738289225f4f2d5c903673

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	3660	svchost.exe
Token: SeCreatePagefilePrivilege	3660	svchost.exe
Token: SeShutdownPrivilege	3660	svchost.exe
Token: SeCreatePagefilePrivilege	3660	svchost.exe
Token: SeShutdownPrivilege	3660	svchost.exe
Token: SeCreatePagefilePrivilege	3660	svchost.exe
Token: SeSecurityPrivilege	4216	TiWorker.exe
Token: SeRestorePrivilege	4216	TiWorker.exe
Token: SeBackupPrivilege	4216	TiWorker.exe
Token: SeBackupPrivilege	4216	TiWorker.exe
Token: SeRestorePrivilege	4216	TiWorker.exe
Token: SeSecurityPrivilege	4216	TiWorker.exe
Token: SeBackupPrivilege	4216	TiWorker.exe
Token: SeRestorePrivilege	4216	TiWorker.exe
Token: SeSecurityPrivilege	4216	TiWorker.exe
Token: SeBackupPrivilege	4216	TiWorker.exe
Token: SeRestorePrivilege	4216	TiWorker.exe
Token: SeSecurityPrivilege	4216	TiWorker.exe
Token: SeBackupPrivilege	4216	TiWorker.exe
Token: SeRestorePrivilege	4216	TiWorker.exe
Token: SeSecurityPrivilege	4216	TiWorker.exe
Token: SeBackupPrivilege	4216	TiWorker.exe
Token: SeRestorePrivilege	4216	TiWorker.exe
Token: SeSecurityPrivilege	4216	TiWorker.exe
Token: SeBackupPrivilege	4216	TiWorker.exe
Token: SeRestorePrivilege	4216	TiWorker.exe
Token: SeSecurityPrivilege	4216	TiWorker.exe
Token: SeBackupPrivilege	4216	TiWorker.exe
Token: SeRestorePrivilege	4216	TiWorker.exe
Token: SeSecurityPrivilege	4216	TiWorker.exe
Token: SeBackupPrivilege	4216	TiWorker.exe
Token: SeRestorePrivilege	4216	TiWorker.exe
Token: SeSecurityPrivilege	4216	TiWorker.exe
Token: SeBackupPrivilege	4216	TiWorker.exe
Token: SeRestorePrivilege	4216	TiWorker.exe
Token: SeSecurityPrivilege	4216	TiWorker.exe
Token: SeBackupPrivilege	4216	TiWorker.exe
Token: SeRestorePrivilege	4216	TiWorker.exe
Token: SeSecurityPrivilege	4216	TiWorker.exe
Token: SeBackupPrivilege	4216	TiWorker.exe
Token: SeRestorePrivilege	4216	TiWorker.exe
Token: SeSecurityPrivilege	4216	TiWorker.exe
Token: SeBackupPrivilege	4216	TiWorker.exe
Token: SeRestorePrivilege	4216	TiWorker.exe
Token: SeSecurityPrivilege	4216	TiWorker.exe
Token: SeBackupPrivilege	4216	TiWorker.exe
Token: SeRestorePrivilege	4216	TiWorker.exe
Token: SeSecurityPrivilege	4216	TiWorker.exe
Token: SeBackupPrivilege	4216	TiWorker.exe
Token: SeRestorePrivilege	4216	TiWorker.exe
Token: SeSecurityPrivilege	4216	TiWorker.exe
Token: SeBackupPrivilege	4216	TiWorker.exe
Token: SeRestorePrivilege	4216	TiWorker.exe
Token: SeSecurityPrivilege	4216	TiWorker.exe
Token: SeBackupPrivilege	4216	TiWorker.exe
Token: SeRestorePrivilege	4216	TiWorker.exe
Token: SeSecurityPrivilege	4216	TiWorker.exe
Token: SeBackupPrivilege	4216	TiWorker.exe
Token: SeRestorePrivilege	4216	TiWorker.exe
Token: SeSecurityPrivilege	4216	TiWorker.exe
Token: SeBackupPrivilege	4216	TiWorker.exe
Token: SeRestorePrivilege	4216	TiWorker.exe
Token: SeSecurityPrivilege	4216	TiWorker.exe
Token: SeBackupPrivilege	4216	TiWorker.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

5a309fcd09092bd21ea6215b470d439d9c2aaf875f70553aa627f4b5b41b3e38.exefondue.exe

description	pid	process	target process
PID 2040 wrote to memory of 2148	2040	5a309fcd09092bd21ea6215b470d439d9c2aaf875f70553aa627f4b5b41b3e38.exe	fondue.exe
PID 2040 wrote to memory of 2148	2040	5a309fcd09092bd21ea6215b470d439d9c2aaf875f70553aa627f4b5b41b3e38.exe	fondue.exe
PID 2040 wrote to memory of 2148	2040	5a309fcd09092bd21ea6215b470d439d9c2aaf875f70553aa627f4b5b41b3e38.exe	fondue.exe
PID 2148 wrote to memory of 2572	2148	fondue.exe	FonDUE.EXE
PID 2148 wrote to memory of 2572	2148	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\5a309fcd09092bd21ea6215b470d439d9c2aaf875f70553aa627f4b5b41b3e38.exe
"C:\Users\Admin\AppData\Local\Temp\5a309fcd09092bd21ea6215b470d439d9c2aaf875f70553aa627f4b5b41b3e38.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3660-130-0x00000203DE580000-0x00000203DE590000-memory.dmp

Filesize
64KB

Download
memory/3660-131-0x00000203DED60000-0x00000203DED70000-memory.dmp

Filesize
64KB

Download
memory/3660-132-0x00000203E1960000-0x00000203E1964000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads