321e95575df9f4ca9858be38ee35156773aba82f4f57b0b4539a561f1e3fa95d

Analysis

Target

321e95575df9f4ca9858be38ee35156773aba82f4f57b0b4539a561f1e3fa95d.exe
Size

552KB
MD5

0cd71e952a86a50e14556e70201e39d6
SHA1

47c78e13cd8b8225e53032ae21e63763f9f642c7
SHA256

321e95575df9f4ca9858be38ee35156773aba82f4f57b0b4539a561f1e3fa95d
SHA512

11edf1184644fb8f12f356bacdec13d0979d2b4345aec7e5843197621d189108ebb4d812677eb60a7f8d99ee6ef139927f9e47900226f7f2e4382c06f76262ef

Score

4^/10

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	952	svchost.exe
Token: SeCreatePagefilePrivilege	952	svchost.exe
Token: SeShutdownPrivilege	952	svchost.exe
Token: SeCreatePagefilePrivilege	952	svchost.exe
Token: SeShutdownPrivilege	952	svchost.exe
Token: SeCreatePagefilePrivilege	952	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

321e95575df9f4ca9858be38ee35156773aba82f4f57b0b4539a561f1e3fa95d.exefondue.exe

description	pid	process	target process
PID 860 wrote to memory of 1940	860	321e95575df9f4ca9858be38ee35156773aba82f4f57b0b4539a561f1e3fa95d.exe	fondue.exe
PID 860 wrote to memory of 1940	860	321e95575df9f4ca9858be38ee35156773aba82f4f57b0b4539a561f1e3fa95d.exe	fondue.exe
PID 860 wrote to memory of 1940	860	321e95575df9f4ca9858be38ee35156773aba82f4f57b0b4539a561f1e3fa95d.exe	fondue.exe
PID 1940 wrote to memory of 2992	1940	fondue.exe	FonDUE.EXE
PID 1940 wrote to memory of 2992	1940	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\321e95575df9f4ca9858be38ee35156773aba82f4f57b0b4539a561f1e3fa95d.exe
"C:\Users\Admin\AppData\Local\Temp\321e95575df9f4ca9858be38ee35156773aba82f4f57b0b4539a561f1e3fa95d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:2992

memory/952-130-0x0000021A70390000-0x0000021A703A0000-memory.dmp

Filesize
64KB

Download
memory/952-131-0x0000021A70B60000-0x0000021A70B70000-memory.dmp

Filesize
64KB

Download
memory/952-132-0x0000021A73770000-0x0000021A73774000-memory.dmp

Filesize
16KB

Download