213be9dcf549c1f170df21b37fd93ac8174cae220dc21872bab3bdbfcdcce66e

Analysis

Target

213be9dcf549c1f170df21b37fd93ac8174cae220dc21872bab3bdbfcdcce66e.exe
Size

1.0MB
MD5

9985483b821dbd09608f62f8776e496a
SHA1

a0bc21ee9c7c70c0eee95b398641b210345e4a9f
SHA256

213be9dcf549c1f170df21b37fd93ac8174cae220dc21872bab3bdbfcdcce66e
SHA512

19ea8bf8f6ca0e957334ab7f9f3219100c205a0dbcf26fd54553d8450d361b0ecd9577037c9668dbe30fb1e1d8edd7af241bb9785a3a77f71a42ed48393d1802

Score

4^/10

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	3244	svchost.exe
Token: SeCreatePagefilePrivilege	3244	svchost.exe
Token: SeShutdownPrivilege	3244	svchost.exe
Token: SeCreatePagefilePrivilege	3244	svchost.exe
Token: SeShutdownPrivilege	3244	svchost.exe
Token: SeCreatePagefilePrivilege	3244	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

213be9dcf549c1f170df21b37fd93ac8174cae220dc21872bab3bdbfcdcce66e.exefondue.exe

description	pid	process	target process
PID 2260 wrote to memory of 1832	2260	213be9dcf549c1f170df21b37fd93ac8174cae220dc21872bab3bdbfcdcce66e.exe	fondue.exe
PID 2260 wrote to memory of 1832	2260	213be9dcf549c1f170df21b37fd93ac8174cae220dc21872bab3bdbfcdcce66e.exe	fondue.exe
PID 2260 wrote to memory of 1832	2260	213be9dcf549c1f170df21b37fd93ac8174cae220dc21872bab3bdbfcdcce66e.exe	fondue.exe
PID 1832 wrote to memory of 2016	1832	fondue.exe	FonDUE.EXE
PID 1832 wrote to memory of 2016	1832	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\213be9dcf549c1f170df21b37fd93ac8174cae220dc21872bab3bdbfcdcce66e.exe
"C:\Users\Admin\AppData\Local\Temp\213be9dcf549c1f170df21b37fd93ac8174cae220dc21872bab3bdbfcdcce66e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:2016

memory/3244-136-0x000002105B940000-0x000002105B950000-memory.dmp

Filesize
64KB

Download
memory/3244-137-0x000002105DE30000-0x000002105DE34000-memory.dmp

Filesize
16KB

Download