Analysis
- max time kernel: 140s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 13-02-2022 22:36
Static task: static1

Behavioral task: behavioral1
- Sample: 046235b59fbc6d2c4ec3db0ae6ea10cb53d743c678ca9dca8b2a9d30c7fbb393.dll
- Resource: win7-en-20211208
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: 046235b59fbc6d2c4ec3db0ae6ea10cb53d743c678ca9dca8b2a9d30c7fbb393.dll
- Resource: win10v2004-en-20220113
- 0 signatures
- 0 seconds
General
- Target: 046235b59fbc6d2c4ec3db0ae6ea10cb53d743c678ca9dca8b2a9d30c7fbb393.dll
- Size: 163KB
- MD5: a1cc9b5d85c55d1679cee3a11500fc15
- SHA1: dcb776035a4f6140d86a8acbac48683035cec701
- SHA256: 046235b59fbc6d2c4ec3db0ae6ea10cb53d743c678ca9dca8b2a9d30c7fbb393
- SHA512: 12220589d5e0f14c07fed9fdb1e5dd24cd518decc7719faa2b95de664be324204ddf4a3dafaf9d49c4932192c27bff501d02a4a1c65c427eae9d414b203a668a
- Score: 4/10
Malware Config
Signatures

Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe

description                   ioc                                                        process
----------------------------  ---------------------------------------------------------  -----------
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb    svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm    svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log        svchost.exe
File opened for modification  C:\Windows\Logs\CBS\CBS.log                                TiWorker.exe
File opened for modification  C:\Windows\WinSxS\pending.xml                              TiWorker.exe
File opened for modification  C:\Windows\WindowsUpdate.log                               svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk     svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log     svchost.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, TiWorker.exe
(64 entries, aggregated by token)

description                         count  pid   process
----------------------------------  -----  ----  ------------
Token: SeShutdownPrivilege          3      4632  svchost.exe
Token: SeCreatePagefilePrivilege    3      4632  svchost.exe
Token: SeSecurityPrivilege          19     2508  TiWorker.exe
Token: SeRestorePrivilege           19     2508  TiWorker.exe
Token: SeBackupPrivilege            20     2508  TiWorker.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe

description                       pid   process       target process
--------------------------------  ----  ------------  --------------
PID 1316 wrote to memory of 1524  1316  rundll32.exe  rundll32.exe
PID 1316 wrote to memory of 1524  1316  rundll32.exe  rundll32.exe
PID 1316 wrote to memory of 1524  1316  rundll32.exe  rundll32.exe
Processes

- C:\Windows\system32\rundll32.exe (PID 1316)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\046235b59fbc6d2c4ec3db0ae6ea10cb53d743c678ca9dca8b2a9d30c7fbb393.dll,#1
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1524)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\046235b59fbc6d2c4ec3db0ae6ea10cb53d743c678ca9dca8b2a9d30c7fbb393.dll,#1

- C:\Windows\system32\svchost.exe (PID 4632)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2508)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken