5421e7c322bd9c30245f32da6eb88e0e41f8b1cf0462e308cb6cf98345b8c43d

Analysis

Target

5421e7c322bd9c30245f32da6eb88e0e41f8b1cf0462e308cb6cf98345b8c43d.exe
Size

870KB
MD5

24e8a72c793c76c70c4a6218214f32f1
SHA1

694f58f88cc8ed6c194fdc84a55f6fbd4595b5df
SHA256

5421e7c322bd9c30245f32da6eb88e0e41f8b1cf0462e308cb6cf98345b8c43d
SHA512

f9182d981ab54158d2e00ae7073cc90d351a9c42eda422495a17ece4a7639ea74c5877bfbf1447a809aaa003968f7e4ac4ff69a22adb13e243a80fa78ec013f7

Score

4^/10

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	1976	svchost.exe
Token: SeCreatePagefilePrivilege	1976	svchost.exe
Token: SeShutdownPrivilege	1976	svchost.exe
Token: SeCreatePagefilePrivilege	1976	svchost.exe
Token: SeShutdownPrivilege	1976	svchost.exe
Token: SeCreatePagefilePrivilege	1976	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

5421e7c322bd9c30245f32da6eb88e0e41f8b1cf0462e308cb6cf98345b8c43d.exefondue.exe

description	pid	process	target process
PID 5064 wrote to memory of 4700	5064	5421e7c322bd9c30245f32da6eb88e0e41f8b1cf0462e308cb6cf98345b8c43d.exe	fondue.exe
PID 5064 wrote to memory of 4700	5064	5421e7c322bd9c30245f32da6eb88e0e41f8b1cf0462e308cb6cf98345b8c43d.exe	fondue.exe
PID 5064 wrote to memory of 4700	5064	5421e7c322bd9c30245f32da6eb88e0e41f8b1cf0462e308cb6cf98345b8c43d.exe	fondue.exe
PID 4700 wrote to memory of 1304	4700	fondue.exe	FonDUE.EXE
PID 4700 wrote to memory of 1304	4700	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\5421e7c322bd9c30245f32da6eb88e0e41f8b1cf0462e308cb6cf98345b8c43d.exe
"C:\Users\Admin\AppData\Local\Temp\5421e7c322bd9c30245f32da6eb88e0e41f8b1cf0462e308cb6cf98345b8c43d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:1304

memory/1976-142-0x0000025502850000-0x0000025502854000-memory.dmp

Filesize
16KB

Download