6ad339e5764e335403390892ed5461bcc70d63d2575228de85311e5d6878d1f1

Analysis

Target

6ad339e5764e335403390892ed5461bcc70d63d2575228de85311e5d6878d1f1.exe
Size

970KB
MD5

fd7ef2eeb906cad24856562a2d2ea4d5
SHA1

d15359eb35d6ed3fd7c31044f2f5211309caf535
SHA256

6ad339e5764e335403390892ed5461bcc70d63d2575228de85311e5d6878d1f1
SHA512

fc9e3b6fc15c6584786da6210020cd3af6f0988254036fa2d630c1f4404015c7013ae7d8db98de3b5ca8413724e353bd1de50a98cd9239813ab825dd14564962

Score

4^/10

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	3700	svchost.exe
Token: SeCreatePagefilePrivilege	3700	svchost.exe
Token: SeShutdownPrivilege	3700	svchost.exe
Token: SeCreatePagefilePrivilege	3700	svchost.exe
Token: SeShutdownPrivilege	3700	svchost.exe
Token: SeCreatePagefilePrivilege	3700	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

6ad339e5764e335403390892ed5461bcc70d63d2575228de85311e5d6878d1f1.exefondue.exe

description	pid	process	target process
PID 2220 wrote to memory of 4960	2220	6ad339e5764e335403390892ed5461bcc70d63d2575228de85311e5d6878d1f1.exe	fondue.exe
PID 2220 wrote to memory of 4960	2220	6ad339e5764e335403390892ed5461bcc70d63d2575228de85311e5d6878d1f1.exe	fondue.exe
PID 2220 wrote to memory of 4960	2220	6ad339e5764e335403390892ed5461bcc70d63d2575228de85311e5d6878d1f1.exe	fondue.exe
PID 4960 wrote to memory of 4948	4960	fondue.exe	FonDUE.EXE
PID 4960 wrote to memory of 4948	4960	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\6ad339e5764e335403390892ed5461bcc70d63d2575228de85311e5d6878d1f1.exe
"C:\Users\Admin\AppData\Local\Temp\6ad339e5764e335403390892ed5461bcc70d63d2575228de85311e5d6878d1f1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:4948

memory/3700-130-0x00000225B89A0000-0x00000225B89B0000-memory.dmp

Filesize
64KB

Download
memory/3700-137-0x00000225BB720000-0x00000225BB724000-memory.dmp

Filesize
16KB

Download