2dc7e356013f61274a47da50634143efd1067d0d19dc8003a056b2167ac27045

Analysis

Target

2dc7e356013f61274a47da50634143efd1067d0d19dc8003a056b2167ac27045.exe
Size

552KB
MD5

c0a686a8264fc19fd5cbcb0ef4d98d94
SHA1

54ad12132dc9b1926c1a25cf932edd7978e3693d
SHA256

2dc7e356013f61274a47da50634143efd1067d0d19dc8003a056b2167ac27045
SHA512

7143ffe10e55a23cba9753b00a95a92e6603122557780ad5915ed4014866364cebbe1f0e65bb487bafc8607f5d170c76d0b6bcd463a7743f31dba405a6ce3d40

Score

4^/10

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	2584	svchost.exe
Token: SeCreatePagefilePrivilege	2584	svchost.exe
Token: SeShutdownPrivilege	2584	svchost.exe
Token: SeCreatePagefilePrivilege	2584	svchost.exe
Token: SeShutdownPrivilege	2584	svchost.exe
Token: SeCreatePagefilePrivilege	2584	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

2dc7e356013f61274a47da50634143efd1067d0d19dc8003a056b2167ac27045.exefondue.exe

description	pid	process	target process
PID 3568 wrote to memory of 4724	3568	2dc7e356013f61274a47da50634143efd1067d0d19dc8003a056b2167ac27045.exe	fondue.exe
PID 3568 wrote to memory of 4724	3568	2dc7e356013f61274a47da50634143efd1067d0d19dc8003a056b2167ac27045.exe	fondue.exe
PID 3568 wrote to memory of 4724	3568	2dc7e356013f61274a47da50634143efd1067d0d19dc8003a056b2167ac27045.exe	fondue.exe
PID 4724 wrote to memory of 1508	4724	fondue.exe	FonDUE.EXE
PID 4724 wrote to memory of 1508	4724	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\2dc7e356013f61274a47da50634143efd1067d0d19dc8003a056b2167ac27045.exe
"C:\Users\Admin\AppData\Local\Temp\2dc7e356013f61274a47da50634143efd1067d0d19dc8003a056b2167ac27045.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:1508

memory/2584-130-0x0000022BF4760000-0x0000022BF4770000-memory.dmp

Filesize
64KB

Download
memory/2584-131-0x0000022BF4D20000-0x0000022BF4D30000-memory.dmp

Filesize
64KB

Download
memory/2584-132-0x0000022BF73E0000-0x0000022BF73E4000-memory.dmp

Filesize
16KB

Download