615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e

Analysis

Target

615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe
Size

928KB
MD5

4e1c63f6dea273fa69557ad90b9d4df6
SHA1

f08df5fba2f8abb1cb90c9448400f40ace024293
SHA256

615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e
SHA512

ca97efeabedce4a76bfc09d47e87193185cc9004976340d0a76c72b61dce72d40b374a24f38f266bb2d9bb84f2ac6d800dad65fc16f1889a9fd90e5486f421eb

Score

4^/10

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	2592	svchost.exe
Token: SeCreatePagefilePrivilege	2592	svchost.exe
Token: SeShutdownPrivilege	2592	svchost.exe
Token: SeCreatePagefilePrivilege	2592	svchost.exe
Token: SeShutdownPrivilege	2592	svchost.exe
Token: SeCreatePagefilePrivilege	2592	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exefondue.exe

description	pid	process	target process
PID 1600 wrote to memory of 2944	1600	615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe	fondue.exe
PID 1600 wrote to memory of 2944	1600	615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe	fondue.exe
PID 1600 wrote to memory of 2944	1600	615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe	fondue.exe
PID 2944 wrote to memory of 4816	2944	fondue.exe	FonDUE.EXE
PID 2944 wrote to memory of 4816	2944	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe
"C:\Users\Admin\AppData\Local\Temp\615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:4816

memory/2592-130-0x0000025592D70000-0x0000025592D80000-memory.dmp

Filesize
64KB

Download
memory/2592-137-0x00000255959F0000-0x00000255959F4000-memory.dmp

Filesize
16KB

Download