46f3d046ecc8a8f4ea7104fe19c6aa1b04998accc564fa4660fceb6c6c51aa8c

Analysis

Target

46f3d046ecc8a8f4ea7104fe19c6aa1b04998accc564fa4660fceb6c6c51aa8c.exe
Size

1.1MB
MD5

53667a9ac977c683a37cefb85b68e29d
SHA1

1d096233908e6017140e77125c74940dc1b964bf
SHA256

46f3d046ecc8a8f4ea7104fe19c6aa1b04998accc564fa4660fceb6c6c51aa8c
SHA512

9faed1c4081c13d5f21ddaf3147ca55a5fd1fca946634374bb10024e97cd43527c0e35d8324b2925e44415385d6478151e368a58dcadfe7b68757b1511643ba2

Score

4^/10

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	3228	svchost.exe
Token: SeCreatePagefilePrivilege	3228	svchost.exe
Token: SeShutdownPrivilege	3228	svchost.exe
Token: SeCreatePagefilePrivilege	3228	svchost.exe
Token: SeShutdownPrivilege	3228	svchost.exe
Token: SeCreatePagefilePrivilege	3228	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

46f3d046ecc8a8f4ea7104fe19c6aa1b04998accc564fa4660fceb6c6c51aa8c.exefondue.exe

description	pid	process	target process
PID 460 wrote to memory of 2556	460	46f3d046ecc8a8f4ea7104fe19c6aa1b04998accc564fa4660fceb6c6c51aa8c.exe	fondue.exe
PID 460 wrote to memory of 2556	460	46f3d046ecc8a8f4ea7104fe19c6aa1b04998accc564fa4660fceb6c6c51aa8c.exe	fondue.exe
PID 460 wrote to memory of 2556	460	46f3d046ecc8a8f4ea7104fe19c6aa1b04998accc564fa4660fceb6c6c51aa8c.exe	fondue.exe
PID 2556 wrote to memory of 4616	2556	fondue.exe	FonDUE.EXE
PID 2556 wrote to memory of 4616	2556	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\46f3d046ecc8a8f4ea7104fe19c6aa1b04998accc564fa4660fceb6c6c51aa8c.exe
"C:\Users\Admin\AppData\Local\Temp\46f3d046ecc8a8f4ea7104fe19c6aa1b04998accc564fa4660fceb6c6c51aa8c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:4616

memory/3228-133-0x000002AF53D70000-0x000002AF53D80000-memory.dmp

Filesize
64KB

Download
memory/3228-140-0x000002AF56AF0000-0x000002AF56AF4000-memory.dmp

Filesize
16KB

Download