Analysis
- max time kernel: 152s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 13-02-2022 15:28
Static task
- static1

Behavioral task
- behavioral1
- Sample: 11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
- Resource: win7-en-20211208
- Platform: windows7_x64
- 0 signatures
- 0 seconds

Behavioral task
- behavioral2
- Sample: 11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
- Resource: win10v2004-en-20220113
- Platform: windows10-2004_x64
- 0 signatures
- 0 seconds
General
- Target: 11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
- Size: 448KB
- MD5: 808189ade846e9d5855baed60727ee6e
- SHA1: 45a356565238d83b726852a4a69fa764a00c62f0
- SHA256: 11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855
- SHA512: 93542e23f5ffdb7bedc98b63595871d4da488d90e19e0e214de204ed11390bb61fddef239ebb51720372317da208a7aeab3d7783f5b426817a0b12993a6df010
- Score: 4/10
Malware Config
Signatures
-
Drops file in Windows directory 8 IoCs
Processes: svchost.exe, TiWorker.exe

description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: svchost.exe, TiWorker.exe

description | pid | process
Token: SeShutdownPrivilege | 448 | svchost.exe
Token: SeCreatePagefilePrivilege | 448 | svchost.exe
Token: SeSecurityPrivilege | 5100 | TiWorker.exe
Token: SeRestorePrivilege | 5100 | TiWorker.exe
Token: SeBackupPrivilege | 5100 | TiWorker.exe

The report records every privilege adjustment as its own IoC: svchost.exe (PID 448) alternates SeShutdownPrivilege and SeCreatePagefilePrivilege (6 IoCs), and TiWorker.exe (PID 5100) cycles through SeBackupPrivilege, SeRestorePrivilege and SeSecurityPrivilege for the remaining 58.
Suspicious use of WriteProcessMemory 2 IoCs
Processes: 11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe

description | pid | process | target process
PID 3920 wrote to memory of 1408 | 3920 | 11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe | fondue.exe
PID 3920 wrote to memory of 1408 | 3920 | 11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe | fondue.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\fondue.exe (child of the sample)
    Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Note on attribution: svchost.exe (hosting wuauserv) and TiWorker.exe sit at the top level of the tree, not under the sample, so the "Drops file in Windows directory" and "Suspicious use of AdjustPrivilegeToken" signatures are raised by the Windows Update and servicing stack rather than by the submitted executable. The only signature attributable to the sample itself is the WriteProcessMemory into its child fondue.exe.
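The process tree and the signature tables above are the data an analyst uses to decide which hits belong to the sample and which are background noise from the sandbox VM. The script below, an added example and not part of the report or of the sandbox's own code, parses IoC rows in the report's own row format, resolves each to a PID, walks the parent links of the process tree to decide whether the PID lies under the sample (PID 3920), and buckets the signatures accordingly. The parent links (fondue.exe under the sample; svchost.exe and TiWorker.exe at top level) are taken from the tree above; the AdjustPrivilegeToken rows are cut to a representative slice, and the names SAMPLE_PID, attribute() and is_netfx_fod_launch() are this example's own. The last function recognises the fondue.exe command line as the .NET Framework 3.5 feature-on-demand prompt that mscoreei.dll issues when an application requests a CLR version that is not installed, which is the most likely reason a 448KB executable would spawn fondue.exe with exactly those arguments.

```python
"""Attribute sandbox signatures to the sample's process tree (added example)."""
import re
from collections import defaultdict

SAMPLE = "11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe"
SAMPLE_PID = 3920

# pid -> (image name, parent pid or None), transcribed from the report's process tree.
# Top-level entries (svchost.exe, TiWorker.exe) have no parent among tracked processes.
PROCESS_TREE = {
    3920: (SAMPLE, None),
    1408: ("fondue.exe", 3920),
    448: ("svchost.exe", None),
    5100: ("TiWorker.exe", None),
}

# Constructed input: IoC rows in the report's row format, one per line.
# The AdjustPrivilegeToken rows are a slice of the report's 64 entries.
RAW_IOCS = """\
File opened for modification C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.jfm svchost.exe
File opened for modification C:\\Windows\\Logs\\CBS\\CBS.log TiWorker.exe
File opened for modification C:\\Windows\\WinSxS\\pending.xml TiWorker.exe
Token: SeShutdownPrivilege 448 svchost.exe
Token: SeCreatePagefilePrivilege 448 svchost.exe
Token: SeSecurityPrivilege 5100 TiWorker.exe
Token: SeRestorePrivilege 5100 TiWorker.exe
Token: SeBackupPrivilege 5100 TiWorker.exe
PID 3920 wrote to memory of 1408 3920 {sample} fondue.exe
PID 3920 wrote to memory of 1408 3920 {sample} fondue.exe
""".format(sample=SAMPLE)

# One pattern per signature family seen in the report; group names are reused below.
PATTERNS = (
    ("Drops file in Windows directory",
     re.compile(r"^File opened for modification (?P<ioc>\S+) (?P<process>\S+)$")),
    ("Suspicious use of AdjustPrivilegeToken",
     re.compile(r"^Token: (?P<ioc>Se\w+Privilege) (?P<pid>\d+) (?P<process>\S+)$")),
    ("Suspicious use of WriteProcessMemory",
     re.compile(r"^PID (?P<pid>\d+) wrote to memory of (?P<target_pid>\d+) \d+ "
                r"(?P<process>\S+) (?P<target>\S+)$")),
)


def parse_iocs(text):
    """Return (signature, process image, pid or None, detail) for each IoC row."""
    rows = []
    for line in text.splitlines():
        for signature, pattern in PATTERNS:
            match = pattern.match(line)
            if match:
                g = match.groupdict()
                pid = int(g["pid"]) if g.get("pid") else None
                rows.append((signature, g["process"], pid, g.get("ioc") or g.get("target")))
                break
        else:
            raise ValueError(f"unrecognised IoC row: {line!r}")
    return rows


def pid_for(image, tree):
    """Resolve an image name to a pid for rows that carry no pid (Drops-file rows)."""
    hits = [pid for pid, (img, _) in tree.items() if img == image]
    if len(hits) != 1:
        raise ValueError(f"unknown or ambiguous process image {image!r}")
    return hits[0]


def in_sample_tree(pid, tree, root):
    """True if pid is root or one of its descendants, following parent links."""
    while pid is not None:
        if pid == root:
            return True
        pid = tree[pid][1]
    return False


def attribute(text, tree=PROCESS_TREE, root=SAMPLE_PID):
    """Bucket signature hits into those raised under the sample and all others."""
    buckets = {"sample": defaultdict(list), "unrelated": defaultdict(list)}
    for signature, image, pid, detail in parse_iocs(text):
        pid = pid if pid is not None else pid_for(image, tree)
        key = "sample" if in_sample_tree(pid, tree, root) else "unrelated"
        buckets[key][signature].append((image, detail))
    return {k: dict(v) for k, v in buckets.items()}


# mscoreei.dll launches fondue.exe with exactly these switches to offer the
# .NET Framework 3.5 install when an app asks for a CLR version that is absent.
FONDUE_NETFX = re.compile(r'fondue\.exe"?\s+/enable-feature:NetFx3\s+/caller-name:mscoreei\.dll', re.I)


def is_netfx_fod_launch(cmdline):
    """Recognise the .NET 3.5 feature-on-demand prompt rather than sample tooling."""
    return bool(FONDUE_NETFX.search(cmdline))


if __name__ == "__main__":
    for bucket, sigs in attribute(RAW_IOCS).items():
        print(bucket)
        for signature, hits in sigs.items():
            print(f"  {signature}: {len(hits)} IoC(s) from {sorted({img for img, _ in hits})}")
    print(is_netfx_fod_launch('"C:\\Windows\\system32\\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll'))
```

Run against the rows above, everything under "unrelated" comes from svchost.exe and TiWorker.exe, and the only hit under "sample" is the WriteProcessMemory into fondue.exe; the final line reports that the fondue.exe command line is the runtime-install prompt. A sample that needs .NET 3.5 on a default Windows 10 image will not run to completion there, which is the practical reason this report shows no behaviour beyond the prompt.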