843edc7bc28351c5404d3e03b1a989a26b07b0644874a063952460a6f7ae6a42

Analysis

Target

843edc7bc28351c5404d3e03b1a989a26b07b0644874a063952460a6f7ae6a42.exe
Size

768KB
MD5

b9ca33576f5838b4f3ac986355c4be95
SHA1

108ff3ad26d15ec9dd6543c0126cb09e0f3004b8
SHA256

843edc7bc28351c5404d3e03b1a989a26b07b0644874a063952460a6f7ae6a42
SHA512

f3244a9498b698f50bbf93bf45230be2b3bc68745ef3cdba350749b6d16813bfbfdcef63df30edc6f95cb36529d30cac9a1110bccb504d6839a8348dd7a8a700

Score

4^/10

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	1484	svchost.exe
Token: SeCreatePagefilePrivilege	1484	svchost.exe
Token: SeShutdownPrivilege	1484	svchost.exe
Token: SeCreatePagefilePrivilege	1484	svchost.exe
Token: SeShutdownPrivilege	1484	svchost.exe
Token: SeCreatePagefilePrivilege	1484	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

843edc7bc28351c5404d3e03b1a989a26b07b0644874a063952460a6f7ae6a42.exefondue.exe

description	pid	process	target process
PID 4872 wrote to memory of 4708	4872	843edc7bc28351c5404d3e03b1a989a26b07b0644874a063952460a6f7ae6a42.exe	fondue.exe
PID 4872 wrote to memory of 4708	4872	843edc7bc28351c5404d3e03b1a989a26b07b0644874a063952460a6f7ae6a42.exe	fondue.exe
PID 4872 wrote to memory of 4708	4872	843edc7bc28351c5404d3e03b1a989a26b07b0644874a063952460a6f7ae6a42.exe	fondue.exe
PID 4708 wrote to memory of 1512	4708	fondue.exe	FonDUE.EXE
PID 4708 wrote to memory of 1512	4708	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\843edc7bc28351c5404d3e03b1a989a26b07b0644874a063952460a6f7ae6a42.exe
"C:\Users\Admin\AppData\Local\Temp\843edc7bc28351c5404d3e03b1a989a26b07b0644874a063952460a6f7ae6a42.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:1512

memory/1484-142-0x000001EE0E710000-0x000001EE0E714000-memory.dmp

Filesize
16KB

Download