34209a4fd524cf3e04ddb98d4bcf1caa31e8395fb59e2b835d510009c4c1d35e

Analysis

Target

34209a4fd524cf3e04ddb98d4bcf1caa31e8395fb59e2b835d510009c4c1d35e.exe
Size

556KB
MD5

6b985a83c7ab56fce81f4d2af6199137
SHA1

d5947f7bc0102627329b3396c05a5a88a7c571be
SHA256

34209a4fd524cf3e04ddb98d4bcf1caa31e8395fb59e2b835d510009c4c1d35e
SHA512

b7e3453cc5d475e15599cb4e8a7e3e01e10a286bbdd79fe434fd5622791f22cba6acf4131f0a3c8c0d6ec76a64054764f482d947cdabd8bb17790bda379d9dae

Score

4^/10

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	4444	svchost.exe
Token: SeCreatePagefilePrivilege	4444	svchost.exe
Token: SeShutdownPrivilege	4444	svchost.exe
Token: SeCreatePagefilePrivilege	4444	svchost.exe
Token: SeShutdownPrivilege	4444	svchost.exe
Token: SeCreatePagefilePrivilege	4444	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

34209a4fd524cf3e04ddb98d4bcf1caa31e8395fb59e2b835d510009c4c1d35e.exefondue.exe

description	pid	process	target process
PID 1436 wrote to memory of 4060	1436	34209a4fd524cf3e04ddb98d4bcf1caa31e8395fb59e2b835d510009c4c1d35e.exe	fondue.exe
PID 1436 wrote to memory of 4060	1436	34209a4fd524cf3e04ddb98d4bcf1caa31e8395fb59e2b835d510009c4c1d35e.exe	fondue.exe
PID 1436 wrote to memory of 4060	1436	34209a4fd524cf3e04ddb98d4bcf1caa31e8395fb59e2b835d510009c4c1d35e.exe	fondue.exe
PID 4060 wrote to memory of 4996	4060	fondue.exe	FonDUE.EXE
PID 4060 wrote to memory of 4996	4060	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\34209a4fd524cf3e04ddb98d4bcf1caa31e8395fb59e2b835d510009c4c1d35e.exe
"C:\Users\Admin\AppData\Local\Temp\34209a4fd524cf3e04ddb98d4bcf1caa31e8395fb59e2b835d510009c4c1d35e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:4996

memory/4444-130-0x000002A346D60000-0x000002A346D70000-memory.dmp

Filesize
64KB

Download
memory/4444-131-0x000002A347320000-0x000002A347330000-memory.dmp

Filesize
64KB

Download
memory/4444-132-0x000002A349990000-0x000002A349994000-memory.dmp

Filesize
16KB

Download