aabe8228ddaf1d6e442d60fd918d2a9ff86ca8fb38c24fc15d20f0f990742d64

Analysis

Target

aabe8228ddaf1d6e442d60fd918d2a9ff86ca8fb38c24fc15d20f0f990742d64.exe
Size

895KB
MD5

fcc54bfa60289e20a75b956f9619bc6f
SHA1

26ed4e9811337d22fb00c224c64a784283bbde37
SHA256

aabe8228ddaf1d6e442d60fd918d2a9ff86ca8fb38c24fc15d20f0f990742d64
SHA512

d0117cbc1e7566374c23cfbc31bc6a4a6f47511178cb2b926c7c086f340d10aef689219c226f5dc7c85ac1e823941effcb81459aff4484cc119b9dd005eff388

Score

4^/10

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	4460	svchost.exe
Token: SeCreatePagefilePrivilege	4460	svchost.exe
Token: SeShutdownPrivilege	4460	svchost.exe
Token: SeCreatePagefilePrivilege	4460	svchost.exe
Token: SeShutdownPrivilege	4460	svchost.exe
Token: SeCreatePagefilePrivilege	4460	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

aabe8228ddaf1d6e442d60fd918d2a9ff86ca8fb38c24fc15d20f0f990742d64.exefondue.exe

description	pid	process	target process
PID 952 wrote to memory of 1440	952	aabe8228ddaf1d6e442d60fd918d2a9ff86ca8fb38c24fc15d20f0f990742d64.exe	fondue.exe
PID 952 wrote to memory of 1440	952	aabe8228ddaf1d6e442d60fd918d2a9ff86ca8fb38c24fc15d20f0f990742d64.exe	fondue.exe
PID 952 wrote to memory of 1440	952	aabe8228ddaf1d6e442d60fd918d2a9ff86ca8fb38c24fc15d20f0f990742d64.exe	fondue.exe
PID 1440 wrote to memory of 1704	1440	fondue.exe	FonDUE.EXE
PID 1440 wrote to memory of 1704	1440	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\aabe8228ddaf1d6e442d60fd918d2a9ff86ca8fb38c24fc15d20f0f990742d64.exe
"C:\Users\Admin\AppData\Local\Temp\aabe8228ddaf1d6e442d60fd918d2a9ff86ca8fb38c24fc15d20f0f990742d64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:1704

memory/4460-130-0x000001D7975A0000-0x000001D7975B0000-memory.dmp

Filesize
64KB

Download
memory/4460-137-0x000001D79A320000-0x000001D79A324000-memory.dmp

Filesize
16KB

Download