b9ea5f0f13a8c5d170bf1963a68020c3df25a9ad376e721accfcd96e83a81d08

Analysis

Target

b9ea5f0f13a8c5d170bf1963a68020c3df25a9ad376e721accfcd96e83a81d08.exe
Size

1.1MB
MD5

6dcfa21a8a41a48317c5a9943055bbdc
SHA1

5430165952bcb6ce39ed497c47a01829ae950b75
SHA256

b9ea5f0f13a8c5d170bf1963a68020c3df25a9ad376e721accfcd96e83a81d08
SHA512

969c77536e71ef1c0afbdfce58a66fb33b169afb72c8d4014509cab5551ec4c9187167d3eb01e56e635f8d24d71fa6c918b679d64dc5c5a49bf24a7a34583c74

Score

4^/10

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	2908	svchost.exe
Token: SeCreatePagefilePrivilege	2908	svchost.exe
Token: SeShutdownPrivilege	2908	svchost.exe
Token: SeCreatePagefilePrivilege	2908	svchost.exe
Token: SeShutdownPrivilege	2908	svchost.exe
Token: SeCreatePagefilePrivilege	2908	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

b9ea5f0f13a8c5d170bf1963a68020c3df25a9ad376e721accfcd96e83a81d08.exefondue.exe

description	pid	process	target process
PID 4032 wrote to memory of 4044	4032	b9ea5f0f13a8c5d170bf1963a68020c3df25a9ad376e721accfcd96e83a81d08.exe	fondue.exe
PID 4032 wrote to memory of 4044	4032	b9ea5f0f13a8c5d170bf1963a68020c3df25a9ad376e721accfcd96e83a81d08.exe	fondue.exe
PID 4032 wrote to memory of 4044	4032	b9ea5f0f13a8c5d170bf1963a68020c3df25a9ad376e721accfcd96e83a81d08.exe	fondue.exe
PID 4044 wrote to memory of 1884	4044	fondue.exe	FonDUE.EXE
PID 4044 wrote to memory of 1884	4044	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\b9ea5f0f13a8c5d170bf1963a68020c3df25a9ad376e721accfcd96e83a81d08.exe
"C:\Users\Admin\AppData\Local\Temp\b9ea5f0f13a8c5d170bf1963a68020c3df25a9ad376e721accfcd96e83a81d08.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:1884

memory/2908-145-0x000002AF77FC0000-0x000002AF77FC4000-memory.dmp

Filesize
16KB

Download