31ec17c51090105ddc4553b8d721123ea238d07a2786e51c78256b8ce24b7cc9

Analysis

Target

31ec17c51090105ddc4553b8d721123ea238d07a2786e51c78256b8ce24b7cc9.exe
Size

552KB
MD5

cb1eba1748ba3d606088f4d6b7fa45bd
SHA1

b0f03512be3238ec54bfb855ede01875c8cad5c2
SHA256

31ec17c51090105ddc4553b8d721123ea238d07a2786e51c78256b8ce24b7cc9
SHA512

92a49660fb3ed4a00c357cbbad86976583ef40385ad4ee1ba511f19f75bae805916ccd4c5260c171942662d12f1f92908bff4639f0bdfd1cba8b287204dbd1af

Score

4^/10

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	2432	svchost.exe
Token: SeCreatePagefilePrivilege	2432	svchost.exe
Token: SeShutdownPrivilege	2432	svchost.exe
Token: SeCreatePagefilePrivilege	2432	svchost.exe
Token: SeShutdownPrivilege	2432	svchost.exe
Token: SeCreatePagefilePrivilege	2432	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

31ec17c51090105ddc4553b8d721123ea238d07a2786e51c78256b8ce24b7cc9.exefondue.exe

description	pid	process	target process
PID 2124 wrote to memory of 2596	2124	31ec17c51090105ddc4553b8d721123ea238d07a2786e51c78256b8ce24b7cc9.exe	fondue.exe
PID 2124 wrote to memory of 2596	2124	31ec17c51090105ddc4553b8d721123ea238d07a2786e51c78256b8ce24b7cc9.exe	fondue.exe
PID 2124 wrote to memory of 2596	2124	31ec17c51090105ddc4553b8d721123ea238d07a2786e51c78256b8ce24b7cc9.exe	fondue.exe
PID 2596 wrote to memory of 3584	2596	fondue.exe	FonDUE.EXE
PID 2596 wrote to memory of 3584	2596	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\31ec17c51090105ddc4553b8d721123ea238d07a2786e51c78256b8ce24b7cc9.exe
"C:\Users\Admin\AppData\Local\Temp\31ec17c51090105ddc4553b8d721123ea238d07a2786e51c78256b8ce24b7cc9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:3584

memory/2432-132-0x0000020FE15C0000-0x0000020FE15D0000-memory.dmp

Filesize
64KB

Download
memory/2432-133-0x0000020FE1D60000-0x0000020FE1D70000-memory.dmp

Filesize
64KB

Download
memory/2432-134-0x0000020FE4980000-0x0000020FE4984000-memory.dmp

Filesize
16KB

Download