5b906f526f79a607ad3677bd9873c6a209a9952d93700629a4dd5b7b43ae347b

Analysis

Target

5b906f526f79a607ad3677bd9873c6a209a9952d93700629a4dd5b7b43ae347b.exe
Size

1013KB
MD5

518b24a102a16249ede5ffe5abf4e0ca
SHA1

35f48f53044c309d85abe38dbd4c229a2baf46a2
SHA256

5b906f526f79a607ad3677bd9873c6a209a9952d93700629a4dd5b7b43ae347b
SHA512

73e380b672f5fe71f6229df1073d11717651f609c300eea0b1c26420698e604503ed58b2b15a5e2457cfd5766e87a2cbc5ca953ded9c2d4f69e60981721745f3

Score

4^/10

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	1460	svchost.exe
Token: SeCreatePagefilePrivilege	1460	svchost.exe
Token: SeShutdownPrivilege	1460	svchost.exe
Token: SeCreatePagefilePrivilege	1460	svchost.exe
Token: SeShutdownPrivilege	1460	svchost.exe
Token: SeCreatePagefilePrivilege	1460	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

5b906f526f79a607ad3677bd9873c6a209a9952d93700629a4dd5b7b43ae347b.exefondue.exe

description	pid	process	target process
PID 5096 wrote to memory of 3120	5096	5b906f526f79a607ad3677bd9873c6a209a9952d93700629a4dd5b7b43ae347b.exe	fondue.exe
PID 5096 wrote to memory of 3120	5096	5b906f526f79a607ad3677bd9873c6a209a9952d93700629a4dd5b7b43ae347b.exe	fondue.exe
PID 5096 wrote to memory of 3120	5096	5b906f526f79a607ad3677bd9873c6a209a9952d93700629a4dd5b7b43ae347b.exe	fondue.exe
PID 3120 wrote to memory of 4952	3120	fondue.exe	FonDUE.EXE
PID 3120 wrote to memory of 4952	3120	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\5b906f526f79a607ad3677bd9873c6a209a9952d93700629a4dd5b7b43ae347b.exe
"C:\Users\Admin\AppData\Local\Temp\5b906f526f79a607ad3677bd9873c6a209a9952d93700629a4dd5b7b43ae347b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:4952

memory/1460-142-0x000002138C390000-0x000002138C394000-memory.dmp

Filesize
16KB

Download