ae41668b1efcfcb42794f2110f208b68265a5e2258102a5d84e9d067c6b6e3cf

Analysis

Target

PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe
Size

953KB
MD5

a2a48069e7778fb2ad1b4a757eaa9d50
SHA1

d7d759a032acabaa9e5a53727e4d951ad6270d1b
SHA256

8ab45eb97285241116fb268afc0a0e594ac04f29f32cd62a659447a0b14e3c37
SHA512

c0ce9b2cfa6a21cada3292b4eca59de4f76f2b085e6955bd176e2937b04decbed224c781f4e98c2c94bb513703195984f61d895d1c353218a9cdb3ceb7aa8133

Score

4^/10

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	3436	svchost.exe
Token: SeCreatePagefilePrivilege	3436	svchost.exe
Token: SeShutdownPrivilege	3436	svchost.exe
Token: SeCreatePagefilePrivilege	3436	svchost.exe
Token: SeShutdownPrivilege	3436	svchost.exe
Token: SeCreatePagefilePrivilege	3436	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exefondue.exe

description	pid	process	target process
PID 3380 wrote to memory of 4676	3380	PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe	fondue.exe
PID 3380 wrote to memory of 4676	3380	PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe	fondue.exe
PID 3380 wrote to memory of 4676	3380	PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe	fondue.exe
PID 4676 wrote to memory of 2044	4676	fondue.exe	FonDUE.EXE
PID 4676 wrote to memory of 2044	4676	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:2044

memory/3436-130-0x000001C823B70000-0x000001C823B80000-memory.dmp

Filesize
64KB

Download
memory/3436-137-0x000001C8268F0000-0x000001C8268F4000-memory.dmp

Filesize
16KB

Download