11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855

General

Target

11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
Size

448KB
MD5

808189ade846e9d5855baed60727ee6e
SHA1

45a356565238d83b726852a4a69fa764a00c62f0
SHA256

11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855
SHA512

93542e23f5ffdb7bedc98b63595871d4da488d90e19e0e214de204ed11390bb61fddef239ebb51720372317da208a7aeab3d7783f5b426817a0b12993a6df010

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	448	svchost.exe
Token: SeCreatePagefilePrivilege	448	svchost.exe
Token: SeShutdownPrivilege	448	svchost.exe
Token: SeCreatePagefilePrivilege	448	svchost.exe
Token: SeShutdownPrivilege	448	svchost.exe
Token: SeCreatePagefilePrivilege	448	svchost.exe
Token: SeSecurityPrivilege	5100	TiWorker.exe
Token: SeRestorePrivilege	5100	TiWorker.exe
Token: SeBackupPrivilege	5100	TiWorker.exe
Token: SeBackupPrivilege	5100	TiWorker.exe
Token: SeRestorePrivilege	5100	TiWorker.exe
Token: SeSecurityPrivilege	5100	TiWorker.exe
Token: SeBackupPrivilege	5100	TiWorker.exe
Token: SeRestorePrivilege	5100	TiWorker.exe
Token: SeSecurityPrivilege	5100	TiWorker.exe
Token: SeBackupPrivilege	5100	TiWorker.exe
Token: SeRestorePrivilege	5100	TiWorker.exe
Token: SeSecurityPrivilege	5100	TiWorker.exe
Token: SeBackupPrivilege	5100	TiWorker.exe
Token: SeRestorePrivilege	5100	TiWorker.exe
Token: SeSecurityPrivilege	5100	TiWorker.exe
Token: SeBackupPrivilege	5100	TiWorker.exe
Token: SeRestorePrivilege	5100	TiWorker.exe
Token: SeSecurityPrivilege	5100	TiWorker.exe
Token: SeBackupPrivilege	5100	TiWorker.exe
Token: SeRestorePrivilege	5100	TiWorker.exe
Token: SeSecurityPrivilege	5100	TiWorker.exe
Token: SeBackupPrivilege	5100	TiWorker.exe
Token: SeRestorePrivilege	5100	TiWorker.exe
Token: SeSecurityPrivilege	5100	TiWorker.exe
Token: SeBackupPrivilege	5100	TiWorker.exe
Token: SeRestorePrivilege	5100	TiWorker.exe
Token: SeSecurityPrivilege	5100	TiWorker.exe
Token: SeBackupPrivilege	5100	TiWorker.exe
Token: SeRestorePrivilege	5100	TiWorker.exe
Token: SeSecurityPrivilege	5100	TiWorker.exe
Token: SeBackupPrivilege	5100	TiWorker.exe
Token: SeRestorePrivilege	5100	TiWorker.exe
Token: SeSecurityPrivilege	5100	TiWorker.exe
Token: SeBackupPrivilege	5100	TiWorker.exe
Token: SeRestorePrivilege	5100	TiWorker.exe
Token: SeSecurityPrivilege	5100	TiWorker.exe
Token: SeBackupPrivilege	5100	TiWorker.exe
Token: SeRestorePrivilege	5100	TiWorker.exe
Token: SeSecurityPrivilege	5100	TiWorker.exe
Token: SeBackupPrivilege	5100	TiWorker.exe
Token: SeRestorePrivilege	5100	TiWorker.exe
Token: SeSecurityPrivilege	5100	TiWorker.exe
Token: SeBackupPrivilege	5100	TiWorker.exe
Token: SeRestorePrivilege	5100	TiWorker.exe
Token: SeSecurityPrivilege	5100	TiWorker.exe
Token: SeBackupPrivilege	5100	TiWorker.exe
Token: SeRestorePrivilege	5100	TiWorker.exe
Token: SeSecurityPrivilege	5100	TiWorker.exe
Token: SeBackupPrivilege	5100	TiWorker.exe
Token: SeRestorePrivilege	5100	TiWorker.exe
Token: SeSecurityPrivilege	5100	TiWorker.exe
Token: SeBackupPrivilege	5100	TiWorker.exe
Token: SeRestorePrivilege	5100	TiWorker.exe
Token: SeSecurityPrivilege	5100	TiWorker.exe
Token: SeBackupPrivilege	5100	TiWorker.exe
Token: SeRestorePrivilege	5100	TiWorker.exe
Token: SeSecurityPrivilege	5100	TiWorker.exe
Token: SeBackupPrivilege	5100	TiWorker.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe

description	pid	process	target process
PID 3920 wrote to memory of 1408	3920	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe	fondue.exe
PID 3920 wrote to memory of 1408	3920	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe	fondue.exe

C:\Users\Admin\AppData\Local\Temp\11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
"C:\Users\Admin\AppData\Local\Temp\11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/448-130-0x00000140ABE20000-0x00000140ABE30000-memory.dmp

Filesize
64KB

Download
memory/448-131-0x00000140ABE80000-0x00000140ABE90000-memory.dmp

Filesize
64KB

Download
memory/448-132-0x00000140AE550000-0x00000140AE554000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads