0e5b62b8c6b6a1912f1dcea659b5225ffa0b45f2814c931181a829c4ab23e29d

Analysis

Target

0e5b62b8c6b6a1912f1dcea659b5225ffa0b45f2814c931181a829c4ab23e29d.exe
Size

687KB
MD5

b30e6c8f638b121cd3e0723b63214628
SHA1

2be5ad48d09031874bbaf4c0077cce94568122a5
SHA256

0e5b62b8c6b6a1912f1dcea659b5225ffa0b45f2814c931181a829c4ab23e29d
SHA512

be0921bb82ed7be3ff3546b7ca08120194d292e0202bef342b0f77ad5c752d333b4a5c7ba326876477173d0ed59ad9cdbca4c3fd63e4ef14e37166738c24dc59

Score

4^/10

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	216	svchost.exe
Token: SeCreatePagefilePrivilege	216	svchost.exe
Token: SeShutdownPrivilege	216	svchost.exe
Token: SeCreatePagefilePrivilege	216	svchost.exe
Token: SeShutdownPrivilege	216	svchost.exe
Token: SeCreatePagefilePrivilege	216	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

0e5b62b8c6b6a1912f1dcea659b5225ffa0b45f2814c931181a829c4ab23e29d.exefondue.exe

description	pid	process	target process
PID 4736 wrote to memory of 4724	4736	0e5b62b8c6b6a1912f1dcea659b5225ffa0b45f2814c931181a829c4ab23e29d.exe	fondue.exe
PID 4736 wrote to memory of 4724	4736	0e5b62b8c6b6a1912f1dcea659b5225ffa0b45f2814c931181a829c4ab23e29d.exe	fondue.exe
PID 4736 wrote to memory of 4724	4736	0e5b62b8c6b6a1912f1dcea659b5225ffa0b45f2814c931181a829c4ab23e29d.exe	fondue.exe
PID 4724 wrote to memory of 1460	4724	fondue.exe	FonDUE.EXE
PID 4724 wrote to memory of 1460	4724	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\0e5b62b8c6b6a1912f1dcea659b5225ffa0b45f2814c931181a829c4ab23e29d.exe
"C:\Users\Admin\AppData\Local\Temp\0e5b62b8c6b6a1912f1dcea659b5225ffa0b45f2814c931181a829c4ab23e29d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:1460

memory/216-130-0x000002512AB30000-0x000002512AB40000-memory.dmp

Filesize
64KB

Download
memory/216-131-0x000002512AB90000-0x000002512ABA0000-memory.dmp

Filesize
64KB

Download
memory/216-132-0x000002512D880000-0x000002512D884000-memory.dmp

Filesize
16KB

Download