2f327913c4482f812017173ee7cbd55298446938c974b6605a567d341f5db9e5

Analysis

Target

2f327913c4482f812017173ee7cbd55298446938c974b6605a567d341f5db9e5.exe
Size

1.1MB
MD5

b98337df6ec876387806a154ecff797a
SHA1

f875ba1e779cb88ccd05758576dce99422f6c1af
SHA256

2f327913c4482f812017173ee7cbd55298446938c974b6605a567d341f5db9e5
SHA512

c8ebbfa80cc2a2f58b1f7d398a0e80cf99b86d6787e78f4a37f2370d95213be3741540567bcc7ac914f50e88bafdd449fdc5c7dc318f0c9d30be4f67c9e37a23

Score

4^/10

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	3632	svchost.exe
Token: SeCreatePagefilePrivilege	3632	svchost.exe
Token: SeShutdownPrivilege	3632	svchost.exe
Token: SeCreatePagefilePrivilege	3632	svchost.exe
Token: SeShutdownPrivilege	3632	svchost.exe
Token: SeCreatePagefilePrivilege	3632	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

2f327913c4482f812017173ee7cbd55298446938c974b6605a567d341f5db9e5.exefondue.exe

description	pid	process	target process
PID 4148 wrote to memory of 732	4148	2f327913c4482f812017173ee7cbd55298446938c974b6605a567d341f5db9e5.exe	fondue.exe
PID 4148 wrote to memory of 732	4148	2f327913c4482f812017173ee7cbd55298446938c974b6605a567d341f5db9e5.exe	fondue.exe
PID 4148 wrote to memory of 732	4148	2f327913c4482f812017173ee7cbd55298446938c974b6605a567d341f5db9e5.exe	fondue.exe
PID 732 wrote to memory of 4956	732	fondue.exe	FonDUE.EXE
PID 732 wrote to memory of 4956	732	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\2f327913c4482f812017173ee7cbd55298446938c974b6605a567d341f5db9e5.exe
"C:\Users\Admin\AppData\Local\Temp\2f327913c4482f812017173ee7cbd55298446938c974b6605a567d341f5db9e5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:4956

memory/3632-142-0x0000018EDFB80000-0x0000018EDFB84000-memory.dmp

Filesize
16KB

Download