Analysis
-
max time kernel
124s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
17/02/2022, 00:16
Behavioral task
behavioral1
Sample
7d7852eacfba290a534740b85f3b57925dcf978c070f86f68d6f8da4b8d6d1f2.exe
Resource
win7-en-20211208
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
7d7852eacfba290a534740b85f3b57925dcf978c070f86f68d6f8da4b8d6d1f2.exe
Resource
win10v2004-en-20220113
0 signatures
0 seconds
General
-
Target
7d7852eacfba290a534740b85f3b57925dcf978c070f86f68d6f8da4b8d6d1f2.exe
-
Size
89KB
-
MD5
6eec797acc29b3b2e6dc47d913049c62
-
SHA1
2ab8f08108208b902461d37d6679e2be8a324fdf
-
SHA256
7d7852eacfba290a534740b85f3b57925dcf978c070f86f68d6f8da4b8d6d1f2
-
SHA512
df33000b829194b9a3a82d655c0c73a7488bb4f869c397ab9e2d874a2632790d695dba15a848d0db2cc89648ce8011cd88b6c11254d017c99df130ef843f7dfb
Score
4/10
Malware Config
Signatures
-
Drops file in Windows directory 8 IoCs
description ioc Process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1892 svchost.exe Token: SeCreatePagefilePrivilege 1892 svchost.exe Token: SeShutdownPrivilege 1892 svchost.exe Token: SeCreatePagefilePrivilege 1892 svchost.exe Token: SeShutdownPrivilege 1892 svchost.exe Token: SeCreatePagefilePrivilege 1892 svchost.exe Token: SeSecurityPrivilege 2568 TiWorker.exe Token: SeRestorePrivilege 2568 TiWorker.exe Token: SeBackupPrivilege 2568 TiWorker.exe Token: SeBackupPrivilege 2568 TiWorker.exe Token: SeRestorePrivilege 2568 TiWorker.exe Token: SeSecurityPrivilege 2568 TiWorker.exe Token: SeBackupPrivilege 2568 TiWorker.exe Token: SeRestorePrivilege 2568 TiWorker.exe Token: SeSecurityPrivilege 2568 TiWorker.exe Token: SeBackupPrivilege 2568 TiWorker.exe Token: SeRestorePrivilege 2568 TiWorker.exe Token: SeSecurityPrivilege 2568 TiWorker.exe Token: SeBackupPrivilege 2568 TiWorker.exe Token: SeRestorePrivilege 2568 TiWorker.exe Token: SeSecurityPrivilege 2568 TiWorker.exe Token: SeBackupPrivilege 2568 TiWorker.exe Token: SeRestorePrivilege 2568 TiWorker.exe Token: SeSecurityPrivilege 2568 TiWorker.exe Token: SeBackupPrivilege 2568 TiWorker.exe Token: SeRestorePrivilege 2568 TiWorker.exe Token: SeSecurityPrivilege 2568 TiWorker.exe Token: SeBackupPrivilege 2568 TiWorker.exe Token: SeRestorePrivilege 2568 TiWorker.exe Token: SeSecurityPrivilege 2568 TiWorker.exe Token: SeBackupPrivilege 2568 TiWorker.exe Token: SeRestorePrivilege 2568 TiWorker.exe Token: SeSecurityPrivilege 2568 TiWorker.exe Token: SeBackupPrivilege 2568 TiWorker.exe Token: SeRestorePrivilege 2568 TiWorker.exe Token: SeSecurityPrivilege 2568 TiWorker.exe Token: SeBackupPrivilege 2568 TiWorker.exe Token: SeRestorePrivilege 2568 TiWorker.exe Token: SeSecurityPrivilege 2568 TiWorker.exe Token: SeBackupPrivilege 2568 TiWorker.exe Token: SeRestorePrivilege 2568 TiWorker.exe Token: SeSecurityPrivilege 2568 TiWorker.exe Token: SeBackupPrivilege 2568 TiWorker.exe Token: SeRestorePrivilege 2568 TiWorker.exe Token: SeSecurityPrivilege 2568 TiWorker.exe Token: SeBackupPrivilege 2568 TiWorker.exe Token: SeRestorePrivilege 2568 TiWorker.exe Token: SeSecurityPrivilege 2568 TiWorker.exe Token: SeBackupPrivilege 2568 TiWorker.exe Token: SeRestorePrivilege 2568 TiWorker.exe Token: SeSecurityPrivilege 2568 TiWorker.exe Token: SeBackupPrivilege 2568 TiWorker.exe Token: SeRestorePrivilege 2568 TiWorker.exe Token: SeSecurityPrivilege 2568 TiWorker.exe Token: SeBackupPrivilege 2568 TiWorker.exe Token: SeRestorePrivilege 2568 TiWorker.exe Token: SeSecurityPrivilege 2568 TiWorker.exe Token: SeBackupPrivilege 2568 TiWorker.exe Token: SeRestorePrivilege 2568 TiWorker.exe Token: SeSecurityPrivilege 2568 TiWorker.exe Token: SeBackupPrivilege 2568 TiWorker.exe Token: SeRestorePrivilege 2568 TiWorker.exe Token: SeSecurityPrivilege 2568 TiWorker.exe Token: SeBackupPrivilege 2568 TiWorker.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d7852eacfba290a534740b85f3b57925dcf978c070f86f68d6f8da4b8d6d1f2.exe"C:\Users\Admin\AppData\Local\Temp\7d7852eacfba290a534740b85f3b57925dcf978c070f86f68d6f8da4b8d6d1f2.exe"1⤵PID:4748
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1892
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2568