8dd97dc341e72b4830a7375c3e51de56ac35b91a31498d2dbeba929846d6129e | Triage

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
21-02-2022 11:06

Sharing

Report Analysis Logs

General

Target

NDt93WWQwd089H7.exe
Size

1.3MB
MD5

0f330f518f4f71f0735cce4eaf1612d7
SHA1

f34909417588543112974ebbc0fa8236a8a604c1
SHA256

702554b4a0770d70bd5972318d2294ef2b26001595b574d122264b8c1793457c
SHA512

ee5ec83814a64c56bdfdaec885396c86364ccf5bd7eaa25b3bdd2c43c6a8c7427bdf2a7514a7c0043294cdf7c9b89699a818ca65d5e4ef6f5d04c0de94597db3

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	2976	svchost.exe
Token: SeCreatePagefilePrivilege	2976	svchost.exe
Token: SeShutdownPrivilege	2976	svchost.exe
Token: SeCreatePagefilePrivilege	2976	svchost.exe
Token: SeShutdownPrivilege	2976	svchost.exe
Token: SeCreatePagefilePrivilege	2976	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

NDt93WWQwd089H7.exefondue.exe

description	pid	process	target process
PID 4472 wrote to memory of 4476	4472	NDt93WWQwd089H7.exe	fondue.exe
PID 4472 wrote to memory of 4476	4472	NDt93WWQwd089H7.exe	fondue.exe
PID 4472 wrote to memory of 4476	4472	NDt93WWQwd089H7.exe	fondue.exe
PID 4476 wrote to memory of 4680	4476	fondue.exe	FonDUE.EXE
PID 4476 wrote to memory of 4680	4476	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\NDt93WWQwd089H7.exe
"C:\Users\Admin\AppData\Local\Temp\NDt93WWQwd089H7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:4680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2976-130-0x000001DB3E740000-0x000001DB3E750000-memory.dmp

Filesize
64KB

Download
memory/2976-131-0x000001DB3E7A0000-0x000001DB3E7B0000-memory.dmp

Filesize
64KB

Download
memory/2976-132-0x000001DB414C0000-0x000001DB414C4000-memory.dmp

Filesize
16KB

Download