765fffe2f974776a9a92361d7ba6cb0cc206777c96b8090cedf7db22cdf0ac28

Analysis

Target

765fffe2f974776a9a92361d7ba6cb0cc206777c96b8090cedf7db22cdf0ac28.exe
Size

631KB
MD5

2e27fdee99a5fef6bc031667a78d43a7
SHA1

1fff20229b3ac083ccb7dd1135f034383c7a2d43
SHA256

765fffe2f974776a9a92361d7ba6cb0cc206777c96b8090cedf7db22cdf0ac28
SHA512

7aca17d72a8fba4df443f75f380236226dbabddeb87a12bb0f5a252bd54319cf544e6f1e372450297f46a139d11ce507a38a4ed5c15b3d23a183a969dfcdc8b4

Score

4^/10

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	744	svchost.exe
Token: SeCreatePagefilePrivilege	744	svchost.exe
Token: SeShutdownPrivilege	744	svchost.exe
Token: SeCreatePagefilePrivilege	744	svchost.exe
Token: SeShutdownPrivilege	744	svchost.exe
Token: SeCreatePagefilePrivilege	744	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

765fffe2f974776a9a92361d7ba6cb0cc206777c96b8090cedf7db22cdf0ac28.exefondue.exe

description	pid	process	target process
PID 4984 wrote to memory of 4220	4984	765fffe2f974776a9a92361d7ba6cb0cc206777c96b8090cedf7db22cdf0ac28.exe	fondue.exe
PID 4984 wrote to memory of 4220	4984	765fffe2f974776a9a92361d7ba6cb0cc206777c96b8090cedf7db22cdf0ac28.exe	fondue.exe
PID 4984 wrote to memory of 4220	4984	765fffe2f974776a9a92361d7ba6cb0cc206777c96b8090cedf7db22cdf0ac28.exe	fondue.exe
PID 4220 wrote to memory of 4960	4220	fondue.exe	FonDUE.EXE
PID 4220 wrote to memory of 4960	4220	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\765fffe2f974776a9a92361d7ba6cb0cc206777c96b8090cedf7db22cdf0ac28.exe
"C:\Users\Admin\AppData\Local\Temp\765fffe2f974776a9a92361d7ba6cb0cc206777c96b8090cedf7db22cdf0ac28.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:4960

memory/744-143-0x0000017B3B740000-0x0000017B3B744000-memory.dmp

Filesize
16KB

Download