1a6c366eadeeb23d9f790fc25384d6fc7565c0b656e43f00be7da2d945733431

General

Target

1a6c366eadeeb23d9f790fc25384d6fc7565c0b656e43f00be7da2d945733431.exe
Size

10.6MB
MD5

ed154556ce990ea0616f481bc15af843
SHA1

031eb3490916a2d5b395288fb92a8e1961ef0857
SHA256

1a6c366eadeeb23d9f790fc25384d6fc7565c0b656e43f00be7da2d945733431
SHA512

97abef8b67b9dc762dfe5c5ddff63c6f7d5a20e4498632505582fd0ab58fa8435737934f0c5cc6ffc17156086da25035600f486424232250243aeed57ddf2bb4

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	4088	svchost.exe
Token: SeCreatePagefilePrivilege	4088	svchost.exe
Token: SeShutdownPrivilege	4088	svchost.exe
Token: SeCreatePagefilePrivilege	4088	svchost.exe
Token: SeShutdownPrivilege	4088	svchost.exe
Token: SeCreatePagefilePrivilege	4088	svchost.exe
Token: SeSecurityPrivilege	2776	TiWorker.exe
Token: SeRestorePrivilege	2776	TiWorker.exe
Token: SeBackupPrivilege	2776	TiWorker.exe
Token: SeBackupPrivilege	2776	TiWorker.exe
Token: SeRestorePrivilege	2776	TiWorker.exe
Token: SeSecurityPrivilege	2776	TiWorker.exe
Token: SeBackupPrivilege	2776	TiWorker.exe
Token: SeRestorePrivilege	2776	TiWorker.exe
Token: SeSecurityPrivilege	2776	TiWorker.exe
Token: SeBackupPrivilege	2776	TiWorker.exe
Token: SeRestorePrivilege	2776	TiWorker.exe
Token: SeSecurityPrivilege	2776	TiWorker.exe
Token: SeBackupPrivilege	2776	TiWorker.exe
Token: SeRestorePrivilege	2776	TiWorker.exe
Token: SeSecurityPrivilege	2776	TiWorker.exe
Token: SeBackupPrivilege	2776	TiWorker.exe
Token: SeRestorePrivilege	2776	TiWorker.exe
Token: SeSecurityPrivilege	2776	TiWorker.exe
Token: SeBackupPrivilege	2776	TiWorker.exe
Token: SeRestorePrivilege	2776	TiWorker.exe
Token: SeSecurityPrivilege	2776	TiWorker.exe
Token: SeBackupPrivilege	2776	TiWorker.exe
Token: SeRestorePrivilege	2776	TiWorker.exe
Token: SeSecurityPrivilege	2776	TiWorker.exe
Token: SeBackupPrivilege	2776	TiWorker.exe
Token: SeRestorePrivilege	2776	TiWorker.exe
Token: SeSecurityPrivilege	2776	TiWorker.exe
Token: SeBackupPrivilege	2776	TiWorker.exe
Token: SeRestorePrivilege	2776	TiWorker.exe
Token: SeSecurityPrivilege	2776	TiWorker.exe
Token: SeBackupPrivilege	2776	TiWorker.exe
Token: SeRestorePrivilege	2776	TiWorker.exe
Token: SeSecurityPrivilege	2776	TiWorker.exe
Token: SeBackupPrivilege	2776	TiWorker.exe
Token: SeRestorePrivilege	2776	TiWorker.exe
Token: SeSecurityPrivilege	2776	TiWorker.exe
Token: SeBackupPrivilege	2776	TiWorker.exe
Token: SeRestorePrivilege	2776	TiWorker.exe
Token: SeSecurityPrivilege	2776	TiWorker.exe
Token: SeBackupPrivilege	2776	TiWorker.exe
Token: SeRestorePrivilege	2776	TiWorker.exe
Token: SeSecurityPrivilege	2776	TiWorker.exe
Token: SeBackupPrivilege	2776	TiWorker.exe
Token: SeRestorePrivilege	2776	TiWorker.exe
Token: SeSecurityPrivilege	2776	TiWorker.exe
Token: SeBackupPrivilege	2776	TiWorker.exe
Token: SeRestorePrivilege	2776	TiWorker.exe
Token: SeSecurityPrivilege	2776	TiWorker.exe
Token: SeBackupPrivilege	2776	TiWorker.exe
Token: SeRestorePrivilege	2776	TiWorker.exe
Token: SeSecurityPrivilege	2776	TiWorker.exe
Token: SeBackupPrivilege	2776	TiWorker.exe
Token: SeRestorePrivilege	2776	TiWorker.exe
Token: SeSecurityPrivilege	2776	TiWorker.exe
Token: SeBackupPrivilege	2776	TiWorker.exe
Token: SeRestorePrivilege	2776	TiWorker.exe
Token: SeSecurityPrivilege	2776	TiWorker.exe
Token: SeBackupPrivilege	2776	TiWorker.exe

C:\Users\Admin\AppData\Local\Temp\1a6c366eadeeb23d9f790fc25384d6fc7565c0b656e43f00be7da2d945733431.exe
"C:\Users\Admin\AppData\Local\Temp\1a6c366eadeeb23d9f790fc25384d6fc7565c0b656e43f00be7da2d945733431.exe"
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4088-130-0x000002405C760000-0x000002405C770000-memory.dmp

Filesize
64KB

Download
memory/4088-131-0x000002405CD20000-0x000002405CD30000-memory.dmp

Filesize
64KB

Download
memory/4088-132-0x000002405F3B0000-0x000002405F3B4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads