6625d8627ff187f802ad64ce0b6d3ae96cb3b0ca5c455b1710b63f496a512e17

Analysis

Target

6625d8627ff187f802ad64ce0b6d3ae96cb3b0ca5c455b1710b63f496a512e17.exe
Size

744KB
MD5

fb190f76dbe879f98ba1ab81a87ca31e
SHA1

3f01a4d1ade5cb1db1b711c2712e9f4b31c32b4a
SHA256

6625d8627ff187f802ad64ce0b6d3ae96cb3b0ca5c455b1710b63f496a512e17
SHA512

1a5e3683e098a846dd1994adc5916bf1f5be09019b15375c309b54e49d53dee93e17f3f52b5cb5e16f00f9cfd6c43bac0aeaff7a0a6910ea9689c703ab88bdea

Score

4^/10

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	4656	svchost.exe
Token: SeCreatePagefilePrivilege	4656	svchost.exe
Token: SeShutdownPrivilege	4656	svchost.exe
Token: SeCreatePagefilePrivilege	4656	svchost.exe
Token: SeShutdownPrivilege	4656	svchost.exe
Token: SeCreatePagefilePrivilege	4656	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

6625d8627ff187f802ad64ce0b6d3ae96cb3b0ca5c455b1710b63f496a512e17.exefondue.exe

description	pid	process	target process
PID 4188 wrote to memory of 1672	4188	6625d8627ff187f802ad64ce0b6d3ae96cb3b0ca5c455b1710b63f496a512e17.exe	fondue.exe
PID 4188 wrote to memory of 1672	4188	6625d8627ff187f802ad64ce0b6d3ae96cb3b0ca5c455b1710b63f496a512e17.exe	fondue.exe
PID 4188 wrote to memory of 1672	4188	6625d8627ff187f802ad64ce0b6d3ae96cb3b0ca5c455b1710b63f496a512e17.exe	fondue.exe
PID 1672 wrote to memory of 1360	1672	fondue.exe	FonDUE.EXE
PID 1672 wrote to memory of 1360	1672	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\6625d8627ff187f802ad64ce0b6d3ae96cb3b0ca5c455b1710b63f496a512e17.exe
"C:\Users\Admin\AppData\Local\Temp\6625d8627ff187f802ad64ce0b6d3ae96cb3b0ca5c455b1710b63f496a512e17.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:1360

memory/4656-142-0x000001EAF31C0000-0x000001EAF31C4000-memory.dmp

Filesize
16KB

Download