2d9c780e8c736e78f2831420e5a6dcafb1c0c1ac24570ac46c62521fe539a88b

Analysis

Target

2d9c780e8c736e78f2831420e5a6dcafb1c0c1ac24570ac46c62521fe539a88b.exe
Size

556KB
MD5

e277b405643efd19954c9d115ebf90ab
SHA1

c5f71abe990dd0db4595e727c9802252c0c69b4a
SHA256

2d9c780e8c736e78f2831420e5a6dcafb1c0c1ac24570ac46c62521fe539a88b
SHA512

7c53fde7c2f8e10eba73aae846185ddfc90ac20fc41e20d8b5f01979dd4787f0d8fd6e596c2644611b25ceadf56204d0bf6e5e65ca16c683b8e021d5b75d9ee5

Score

4^/10

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	1692	svchost.exe
Token: SeCreatePagefilePrivilege	1692	svchost.exe
Token: SeShutdownPrivilege	1692	svchost.exe
Token: SeCreatePagefilePrivilege	1692	svchost.exe
Token: SeShutdownPrivilege	1692	svchost.exe
Token: SeCreatePagefilePrivilege	1692	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

2d9c780e8c736e78f2831420e5a6dcafb1c0c1ac24570ac46c62521fe539a88b.exefondue.exe

description	pid	process	target process
PID 2136 wrote to memory of 2696	2136	2d9c780e8c736e78f2831420e5a6dcafb1c0c1ac24570ac46c62521fe539a88b.exe	fondue.exe
PID 2136 wrote to memory of 2696	2136	2d9c780e8c736e78f2831420e5a6dcafb1c0c1ac24570ac46c62521fe539a88b.exe	fondue.exe
PID 2136 wrote to memory of 2696	2136	2d9c780e8c736e78f2831420e5a6dcafb1c0c1ac24570ac46c62521fe539a88b.exe	fondue.exe
PID 2696 wrote to memory of 4344	2696	fondue.exe	FonDUE.EXE
PID 2696 wrote to memory of 4344	2696	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\2d9c780e8c736e78f2831420e5a6dcafb1c0c1ac24570ac46c62521fe539a88b.exe
"C:\Users\Admin\AppData\Local\Temp\2d9c780e8c736e78f2831420e5a6dcafb1c0c1ac24570ac46c62521fe539a88b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:4344

memory/1692-130-0x0000022C939A0000-0x0000022C939B0000-memory.dmp

Filesize
64KB

Download
memory/1692-131-0x0000022C94160000-0x0000022C94170000-memory.dmp

Filesize
64KB

Download
memory/1692-132-0x0000022C96D80000-0x0000022C96D84000-memory.dmp

Filesize
16KB

Download