0c0efbd071690155a43d7edd7c5076005388ebb5a753fbb24f210b0a66ee96f1

General

Target

0c0efbd071690155a43d7edd7c5076005388ebb5a753fbb24f210b0a66ee96f1.exe
Size

4.1MB
MD5

2d6ddc42a0b42382a85688b66bfe811f
SHA1

d6a52034d4a68ba1bbf8c47120ad71b00bb97363
SHA256

0c0efbd071690155a43d7edd7c5076005388ebb5a753fbb24f210b0a66ee96f1
SHA512

1e818fb87218c08d0dbc60252cde87c21354f6d2aa9a8997f102b0690a681cf52fb08a8a5943c8f45c64da841acf38778ce44d540bf9efaae1f3d244c402c084

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	3272	svchost.exe
Token: SeCreatePagefilePrivilege	3272	svchost.exe
Token: SeShutdownPrivilege	3272	svchost.exe
Token: SeCreatePagefilePrivilege	3272	svchost.exe
Token: SeShutdownPrivilege	3272	svchost.exe
Token: SeCreatePagefilePrivilege	3272	svchost.exe
Token: SeSecurityPrivilege	4196	TiWorker.exe
Token: SeRestorePrivilege	4196	TiWorker.exe
Token: SeBackupPrivilege	4196	TiWorker.exe
Token: SeBackupPrivilege	4196	TiWorker.exe
Token: SeRestorePrivilege	4196	TiWorker.exe
Token: SeSecurityPrivilege	4196	TiWorker.exe
Token: SeBackupPrivilege	4196	TiWorker.exe
Token: SeRestorePrivilege	4196	TiWorker.exe
Token: SeSecurityPrivilege	4196	TiWorker.exe
Token: SeBackupPrivilege	4196	TiWorker.exe
Token: SeRestorePrivilege	4196	TiWorker.exe
Token: SeSecurityPrivilege	4196	TiWorker.exe
Token: SeBackupPrivilege	4196	TiWorker.exe
Token: SeRestorePrivilege	4196	TiWorker.exe
Token: SeSecurityPrivilege	4196	TiWorker.exe
Token: SeBackupPrivilege	4196	TiWorker.exe
Token: SeRestorePrivilege	4196	TiWorker.exe
Token: SeSecurityPrivilege	4196	TiWorker.exe
Token: SeBackupPrivilege	4196	TiWorker.exe
Token: SeRestorePrivilege	4196	TiWorker.exe
Token: SeSecurityPrivilege	4196	TiWorker.exe
Token: SeBackupPrivilege	4196	TiWorker.exe
Token: SeRestorePrivilege	4196	TiWorker.exe
Token: SeSecurityPrivilege	4196	TiWorker.exe
Token: SeBackupPrivilege	4196	TiWorker.exe
Token: SeRestorePrivilege	4196	TiWorker.exe
Token: SeSecurityPrivilege	4196	TiWorker.exe
Token: SeBackupPrivilege	4196	TiWorker.exe
Token: SeRestorePrivilege	4196	TiWorker.exe
Token: SeSecurityPrivilege	4196	TiWorker.exe
Token: SeBackupPrivilege	4196	TiWorker.exe
Token: SeRestorePrivilege	4196	TiWorker.exe
Token: SeSecurityPrivilege	4196	TiWorker.exe
Token: SeBackupPrivilege	4196	TiWorker.exe
Token: SeRestorePrivilege	4196	TiWorker.exe
Token: SeSecurityPrivilege	4196	TiWorker.exe
Token: SeBackupPrivilege	4196	TiWorker.exe
Token: SeRestorePrivilege	4196	TiWorker.exe
Token: SeSecurityPrivilege	4196	TiWorker.exe
Token: SeBackupPrivilege	4196	TiWorker.exe
Token: SeRestorePrivilege	4196	TiWorker.exe
Token: SeSecurityPrivilege	4196	TiWorker.exe
Token: SeBackupPrivilege	4196	TiWorker.exe
Token: SeRestorePrivilege	4196	TiWorker.exe
Token: SeSecurityPrivilege	4196	TiWorker.exe
Token: SeBackupPrivilege	4196	TiWorker.exe
Token: SeRestorePrivilege	4196	TiWorker.exe
Token: SeSecurityPrivilege	4196	TiWorker.exe
Token: SeBackupPrivilege	4196	TiWorker.exe
Token: SeRestorePrivilege	4196	TiWorker.exe
Token: SeSecurityPrivilege	4196	TiWorker.exe
Token: SeBackupPrivilege	4196	TiWorker.exe
Token: SeRestorePrivilege	4196	TiWorker.exe
Token: SeSecurityPrivilege	4196	TiWorker.exe
Token: SeBackupPrivilege	4196	TiWorker.exe
Token: SeRestorePrivilege	4196	TiWorker.exe
Token: SeSecurityPrivilege	4196	TiWorker.exe
Token: SeBackupPrivilege	4196	TiWorker.exe

C:\Users\Admin\AppData\Local\Temp\0c0efbd071690155a43d7edd7c5076005388ebb5a753fbb24f210b0a66ee96f1.exe
"C:\Users\Admin\AppData\Local\Temp\0c0efbd071690155a43d7edd7c5076005388ebb5a753fbb24f210b0a66ee96f1.exe"
1⤵
PID:2328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3272-130-0x0000020D7C570000-0x0000020D7C580000-memory.dmp

Filesize
64KB

Download
memory/3272-131-0x0000020D7CB20000-0x0000020D7CB30000-memory.dmp

Filesize
64KB

Download
memory/3272-132-0x0000020D7F1F0000-0x0000020D7F1F4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads