d2d81b10778e3b7c19fcc2a0f4fe51730408ac9ea0b78b3fd5b884a59dad793c

Analysis

Target

d2d81b10778e3b7c19fcc2a0f4fe51730408ac9ea0b78b3fd5b884a59dad793c.exe
Size

893KB
MD5

524a72efefa15f50c538d5a32a9b30a7
SHA1

af91692774e410e963556541d42d7d1c5adf906d
SHA256

d2d81b10778e3b7c19fcc2a0f4fe51730408ac9ea0b78b3fd5b884a59dad793c
SHA512

aa60c3315888907687447567a6e891af4fa9887b80b000daedb0a06459ce357e033da915ab53f7e98f62091c1a688b04b636bde380dad7ed9085f48182bab970

Score

4^/10

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	2796	svchost.exe
Token: SeCreatePagefilePrivilege	2796	svchost.exe
Token: SeShutdownPrivilege	2796	svchost.exe
Token: SeCreatePagefilePrivilege	2796	svchost.exe
Token: SeShutdownPrivilege	2796	svchost.exe
Token: SeCreatePagefilePrivilege	2796	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

d2d81b10778e3b7c19fcc2a0f4fe51730408ac9ea0b78b3fd5b884a59dad793c.exefondue.exe

description	pid	process	target process
PID 4728 wrote to memory of 444	4728	d2d81b10778e3b7c19fcc2a0f4fe51730408ac9ea0b78b3fd5b884a59dad793c.exe	fondue.exe
PID 4728 wrote to memory of 444	4728	d2d81b10778e3b7c19fcc2a0f4fe51730408ac9ea0b78b3fd5b884a59dad793c.exe	fondue.exe
PID 4728 wrote to memory of 444	4728	d2d81b10778e3b7c19fcc2a0f4fe51730408ac9ea0b78b3fd5b884a59dad793c.exe	fondue.exe
PID 444 wrote to memory of 1508	444	fondue.exe	FonDUE.EXE
PID 444 wrote to memory of 1508	444	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\d2d81b10778e3b7c19fcc2a0f4fe51730408ac9ea0b78b3fd5b884a59dad793c.exe
"C:\Users\Admin\AppData\Local\Temp\d2d81b10778e3b7c19fcc2a0f4fe51730408ac9ea0b78b3fd5b884a59dad793c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:444

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:1508

memory/2796-130-0x0000025667130000-0x0000025667140000-memory.dmp

Filesize
64KB

Download
memory/2796-131-0x0000025667190000-0x00000256671A0000-memory.dmp

Filesize
64KB

Download
memory/2796-132-0x0000025669E70000-0x0000025669E74000-memory.dmp

Filesize
16KB

Download