9e9f92380f188db60ef0e21107e13c96aa6d3c08489b746ccb8a20ec9b15f5e3

Analysis

Target

9e9f92380f188db60ef0e21107e13c96aa6d3c08489b746ccb8a20ec9b15f5e3.exe
Size

940KB
MD5

40886c9fef554c75918f00aeb160dac2
SHA1

d4e54f5e444342a6028fa383ef6412dda78edabb
SHA256

9e9f92380f188db60ef0e21107e13c96aa6d3c08489b746ccb8a20ec9b15f5e3
SHA512

66b13e06def4b3e85e33a8edce9b6092970a4f783719876cfdf486ce78c26edac5cf1178454f0ef9c1b24a98118b8edb729176ff00a5093b31a6265c32d9c39b

Score

4^/10

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	532	svchost.exe
Token: SeCreatePagefilePrivilege	532	svchost.exe
Token: SeShutdownPrivilege	532	svchost.exe
Token: SeCreatePagefilePrivilege	532	svchost.exe
Token: SeShutdownPrivilege	532	svchost.exe
Token: SeCreatePagefilePrivilege	532	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

9e9f92380f188db60ef0e21107e13c96aa6d3c08489b746ccb8a20ec9b15f5e3.exefondue.exe

description	pid	process	target process
PID 1664 wrote to memory of 1484	1664	9e9f92380f188db60ef0e21107e13c96aa6d3c08489b746ccb8a20ec9b15f5e3.exe	fondue.exe
PID 1664 wrote to memory of 1484	1664	9e9f92380f188db60ef0e21107e13c96aa6d3c08489b746ccb8a20ec9b15f5e3.exe	fondue.exe
PID 1664 wrote to memory of 1484	1664	9e9f92380f188db60ef0e21107e13c96aa6d3c08489b746ccb8a20ec9b15f5e3.exe	fondue.exe
PID 1484 wrote to memory of 2700	1484	fondue.exe	FonDUE.EXE
PID 1484 wrote to memory of 2700	1484	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\9e9f92380f188db60ef0e21107e13c96aa6d3c08489b746ccb8a20ec9b15f5e3.exe
"C:\Users\Admin\AppData\Local\Temp\9e9f92380f188db60ef0e21107e13c96aa6d3c08489b746ccb8a20ec9b15f5e3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:2700

memory/532-142-0x000001A4A0130000-0x000001A4A0134000-memory.dmp

Filesize
16KB

Download