b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951

General

Target

b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe
Size

66KB
MD5

a9a46a523993add1117a618d0d5d395b
SHA1

5bb538557bbbe2ccc3f2dabbffe4cd25088cde6b
SHA256

b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951
SHA512

10b2b1d3e48c4fe089e9fd664ad49afe38ea11081bebf669854b2087a79de0147da8faaf420f26818c31a2a843d603cefe59c886706bbed5a8d0ecfc5de6b7ce

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

svchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	3712	svchost.exe
Token: SeCreatePagefilePrivilege	3712	svchost.exe
Token: SeShutdownPrivilege	3712	svchost.exe
Token: SeCreatePagefilePrivilege	3712	svchost.exe
Token: SeShutdownPrivilege	3712	svchost.exe
Token: SeCreatePagefilePrivilege	3712	svchost.exe
Token: SeSecurityPrivilege	2368	TiWorker.exe
Token: SeRestorePrivilege	2368	TiWorker.exe
Token: SeBackupPrivilege	2368	TiWorker.exe
Token: SeBackupPrivilege	2368	TiWorker.exe
Token: SeRestorePrivilege	2368	TiWorker.exe
Token: SeSecurityPrivilege	2368	TiWorker.exe
Token: SeBackupPrivilege	2368	TiWorker.exe
Token: SeRestorePrivilege	2368	TiWorker.exe
Token: SeSecurityPrivilege	2368	TiWorker.exe
Token: SeBackupPrivilege	2368	TiWorker.exe
Token: SeRestorePrivilege	2368	TiWorker.exe
Token: SeSecurityPrivilege	2368	TiWorker.exe
Token: SeBackupPrivilege	2368	TiWorker.exe
Token: SeRestorePrivilege	2368	TiWorker.exe
Token: SeSecurityPrivilege	2368	TiWorker.exe
Token: SeBackupPrivilege	2368	TiWorker.exe
Token: SeRestorePrivilege	2368	TiWorker.exe
Token: SeSecurityPrivilege	2368	TiWorker.exe
Token: SeBackupPrivilege	2368	TiWorker.exe
Token: SeRestorePrivilege	2368	TiWorker.exe
Token: SeSecurityPrivilege	2368	TiWorker.exe
Token: SeBackupPrivilege	2368	TiWorker.exe
Token: SeRestorePrivilege	2368	TiWorker.exe
Token: SeSecurityPrivilege	2368	TiWorker.exe
Token: SeBackupPrivilege	2368	TiWorker.exe
Token: SeRestorePrivilege	2368	TiWorker.exe
Token: SeSecurityPrivilege	2368	TiWorker.exe
Token: SeBackupPrivilege	2368	TiWorker.exe
Token: SeRestorePrivilege	2368	TiWorker.exe
Token: SeSecurityPrivilege	2368	TiWorker.exe
Token: SeBackupPrivilege	2368	TiWorker.exe
Token: SeRestorePrivilege	2368	TiWorker.exe
Token: SeSecurityPrivilege	2368	TiWorker.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exefondue.exe

description	pid	process	target process
PID 2844 wrote to memory of 3096	2844	b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe	fondue.exe
PID 2844 wrote to memory of 3096	2844	b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe	fondue.exe
PID 2844 wrote to memory of 3096	2844	b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe	fondue.exe
PID 3096 wrote to memory of 4940	3096	fondue.exe	FonDUE.EXE
PID 3096 wrote to memory of 4940	3096	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe
"C:\Users\Admin\AppData\Local\Temp\b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:4940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3712-130-0x000001EE68530000-0x000001EE68540000-memory.dmp

Filesize
64KB

Download
memory/3712-131-0x000001EE68590000-0x000001EE685A0000-memory.dmp

Filesize
64KB

Download
memory/3712-132-0x000001EE6B270000-0x000001EE6B274000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads