b4197abdbe29622df210260324de401562176ddd943b64c7a4a0439074889cf2

General

Target

b4197abdbe29622df210260324de401562176ddd943b64c7a4a0439074889cf2.exe
Size

443KB
MD5

e503139e9ff7c424fdfc6b32fdd2f552
SHA1

56d916ea1b8b8d07a7d2617ad7c9bad19e26c91f
SHA256

b4197abdbe29622df210260324de401562176ddd943b64c7a4a0439074889cf2
SHA512

e820fb2a44fbcb831864565ee558bd75db6af51d2f5d18be8712a7e135a28160b6add328ad98733fa969a464cd1accd9016c187f940671ae8cc7cfd3befa4f34

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 8 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeb4197abdbe29622df210260324de401562176ddd943b64c7a4a0439074889cf2.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	3484	svchost.exe
Token: SeCreatePagefilePrivilege	3484	svchost.exe
Token: SeShutdownPrivilege	3484	svchost.exe
Token: SeCreatePagefilePrivilege	3484	svchost.exe
Token: SeShutdownPrivilege	3484	svchost.exe
Token: SeCreatePagefilePrivilege	3484	svchost.exe
Token: SeDebugPrivilege	4416	b4197abdbe29622df210260324de401562176ddd943b64c7a4a0439074889cf2.exe
Token: SeSecurityPrivilege	1432	TiWorker.exe
Token: SeRestorePrivilege	1432	TiWorker.exe
Token: SeBackupPrivilege	1432	TiWorker.exe
Token: SeBackupPrivilege	1432	TiWorker.exe
Token: SeRestorePrivilege	1432	TiWorker.exe
Token: SeSecurityPrivilege	1432	TiWorker.exe
Token: SeBackupPrivilege	1432	TiWorker.exe
Token: SeRestorePrivilege	1432	TiWorker.exe
Token: SeSecurityPrivilege	1432	TiWorker.exe
Token: SeBackupPrivilege	1432	TiWorker.exe
Token: SeRestorePrivilege	1432	TiWorker.exe
Token: SeSecurityPrivilege	1432	TiWorker.exe
Token: SeBackupPrivilege	1432	TiWorker.exe
Token: SeRestorePrivilege	1432	TiWorker.exe
Token: SeSecurityPrivilege	1432	TiWorker.exe
Token: SeBackupPrivilege	1432	TiWorker.exe
Token: SeRestorePrivilege	1432	TiWorker.exe
Token: SeSecurityPrivilege	1432	TiWorker.exe
Token: SeBackupPrivilege	1432	TiWorker.exe
Token: SeRestorePrivilege	1432	TiWorker.exe
Token: SeSecurityPrivilege	1432	TiWorker.exe
Token: SeBackupPrivilege	1432	TiWorker.exe
Token: SeRestorePrivilege	1432	TiWorker.exe
Token: SeSecurityPrivilege	1432	TiWorker.exe
Token: SeBackupPrivilege	1432	TiWorker.exe
Token: SeRestorePrivilege	1432	TiWorker.exe
Token: SeSecurityPrivilege	1432	TiWorker.exe
Token: SeBackupPrivilege	1432	TiWorker.exe
Token: SeRestorePrivilege	1432	TiWorker.exe
Token: SeSecurityPrivilege	1432	TiWorker.exe
Token: SeBackupPrivilege	1432	TiWorker.exe
Token: SeRestorePrivilege	1432	TiWorker.exe
Token: SeSecurityPrivilege	1432	TiWorker.exe
Token: SeBackupPrivilege	1432	TiWorker.exe
Token: SeRestorePrivilege	1432	TiWorker.exe
Token: SeSecurityPrivilege	1432	TiWorker.exe
Token: SeBackupPrivilege	1432	TiWorker.exe
Token: SeRestorePrivilege	1432	TiWorker.exe
Token: SeSecurityPrivilege	1432	TiWorker.exe
Token: SeBackupPrivilege	1432	TiWorker.exe
Token: SeRestorePrivilege	1432	TiWorker.exe
Token: SeSecurityPrivilege	1432	TiWorker.exe
Token: SeBackupPrivilege	1432	TiWorker.exe
Token: SeRestorePrivilege	1432	TiWorker.exe
Token: SeSecurityPrivilege	1432	TiWorker.exe
Token: SeBackupPrivilege	1432	TiWorker.exe
Token: SeRestorePrivilege	1432	TiWorker.exe
Token: SeSecurityPrivilege	1432	TiWorker.exe
Token: SeBackupPrivilege	1432	TiWorker.exe
Token: SeRestorePrivilege	1432	TiWorker.exe
Token: SeSecurityPrivilege	1432	TiWorker.exe
Token: SeBackupPrivilege	1432	TiWorker.exe
Token: SeRestorePrivilege	1432	TiWorker.exe
Token: SeSecurityPrivilege	1432	TiWorker.exe
Token: SeBackupPrivilege	1432	TiWorker.exe
Token: SeRestorePrivilege	1432	TiWorker.exe
Token: SeSecurityPrivilege	1432	TiWorker.exe

C:\Users\Admin\AppData\Local\Temp\b4197abdbe29622df210260324de401562176ddd943b64c7a4a0439074889cf2.exe
"C:\Users\Admin\AppData\Local\Temp\b4197abdbe29622df210260324de401562176ddd943b64c7a4a0439074889cf2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3484-130-0x000001D9EA580000-0x000001D9EA590000-memory.dmp

Filesize
64KB

Download
memory/3484-131-0x000001D9EAB20000-0x000001D9EAB30000-memory.dmp

Filesize
64KB

Download
memory/3484-132-0x000001D9ED200000-0x000001D9ED204000-memory.dmp

Filesize
16KB

Download
memory/4416-133-0x000000000229D000-0x00000000022C9000-memory.dmp

Filesize
176KB

Download
memory/4416-134-0x000000000229D000-0x00000000022C9000-memory.dmp

Filesize
176KB

Download
memory/4416-135-0x0000000003D60000-0x0000000003D99000-memory.dmp

Filesize
228KB

Download
memory/4416-136-0x0000000006853000-0x0000000006854000-memory.dmp

Filesize
4KB

Download
memory/4416-137-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4416-138-0x000000007516E000-0x000000007516F000-memory.dmp

Filesize
4KB

Download
memory/4416-139-0x0000000006850000-0x0000000006851000-memory.dmp

Filesize
4KB

Download
memory/4416-140-0x0000000006852000-0x0000000006853000-memory.dmp

Filesize
4KB

Download
memory/4416-141-0x0000000006860000-0x0000000006E04000-memory.dmp

Filesize
5.6MB

Download
memory/4416-142-0x0000000006E10000-0x0000000007428000-memory.dmp

Filesize
6.1MB

Download
memory/4416-143-0x00000000067B0000-0x00000000067C2000-memory.dmp

Filesize
72KB

Download
memory/4416-144-0x0000000007430000-0x000000000753A000-memory.dmp

Filesize
1.0MB

Download
memory/4416-145-0x00000000067D0000-0x000000000680C000-memory.dmp

Filesize
240KB

Download
memory/4416-146-0x0000000006854000-0x0000000006856000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing