8cf5578512d3b81654a1376a336b5fa99b5b86ea8fcb0754cd9820b4e1f64494

General

Target

aa3b423ab17bbaa6c323ec8ecf686256.exe
Size

1.3MB
MD5

aa3b423ab17bbaa6c323ec8ecf686256
SHA1

c9708425538ac206bcffad00646275c4aced0630
SHA256

8cf5578512d3b81654a1376a336b5fa99b5b86ea8fcb0754cd9820b4e1f64494
SHA512

9450a8ca302502636c6f32c57bbef252eb08aa6838ce0ddc27e2ac944459aa35104a40a8cf353c796c8122386dbcd60863db01a5ea772eae5cb202a806e764ec

Score

8^/10

agilenet persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

WINAPIUPD.exeWINAPIUPD.exefodhelper.exefodhelper.exefodhelper.exe

pid process

4052 WINAPIUPD.exe
3304 WINAPIUPD.exe
3352 fodhelper.exe
1188 fodhelper.exe
3784 fodhelper.exe

pid	process
4052	WINAPIUPD.exe
3304	WINAPIUPD.exe
3352	fodhelper.exe
1188	fodhelper.exe
3784	fodhelper.exe

Obfuscated with Agile.Net obfuscator 4 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/4052-127-0x0000000005D90000-0x0000000005DB1000-memory.dmp	agile_net
behavioral2/memory/4052-130-0x0000000004C20000-0x000000000511E000-memory.dmp	agile_net
behavioral2/memory/3352-148-0x0000000004A40000-0x0000000004ADC000-memory.dmp	agile_net
behavioral2/memory/3352-149-0x0000000004A40000-0x0000000004ADC000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aa3b423ab17bbaa6c323ec8ecf686256.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	aa3b423ab17bbaa6c323ec8ecf686256.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aa3b423ab17bbaa6c323ec8ecf686256.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

WINAPIUPD.exefodhelper.exe

description	pid	process	target process
PID 4052 set thread context of 3304	4052	WINAPIUPD.exe	WINAPIUPD.exe
PID 3352 set thread context of 1188	3352	fodhelper.exe	fodhelper.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3204 schtasks.exe
1496 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WINAPIUPD.exefodhelper.exe

pid process

4052 WINAPIUPD.exe
4052 WINAPIUPD.exe
3352 fodhelper.exe
3352 fodhelper.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WINAPIUPD.exefodhelper.exefodhelper.exe

description pid process

Token: SeDebugPrivilege 4052 WINAPIUPD.exe
Token: SeDebugPrivilege 3352 fodhelper.exe
Token: SeDebugPrivilege 3784 fodhelper.exe

pid	process
3204	schtasks.exe
1496	schtasks.exe

pid	process
4052	WINAPIUPD.exe
4052	WINAPIUPD.exe
3352	fodhelper.exe
3352	fodhelper.exe

description	pid	process
Token: SeDebugPrivilege	4052	WINAPIUPD.exe
Token: SeDebugPrivilege	3352	fodhelper.exe
Token: SeDebugPrivilege	3784	fodhelper.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

aa3b423ab17bbaa6c323ec8ecf686256.exeWINAPIUPD.exeWINAPIUPD.exefodhelper.exefodhelper.exe

description	pid	process	target process
PID 4024 wrote to memory of 4052	4024	aa3b423ab17bbaa6c323ec8ecf686256.exe	WINAPIUPD.exe
PID 4024 wrote to memory of 4052	4024	aa3b423ab17bbaa6c323ec8ecf686256.exe	WINAPIUPD.exe
PID 4024 wrote to memory of 4052	4024	aa3b423ab17bbaa6c323ec8ecf686256.exe	WINAPIUPD.exe
PID 4052 wrote to memory of 3304	4052	WINAPIUPD.exe	WINAPIUPD.exe
PID 4052 wrote to memory of 3304	4052	WINAPIUPD.exe	WINAPIUPD.exe
PID 4052 wrote to memory of 3304	4052	WINAPIUPD.exe	WINAPIUPD.exe
PID 4052 wrote to memory of 3304	4052	WINAPIUPD.exe	WINAPIUPD.exe
PID 4052 wrote to memory of 3304	4052	WINAPIUPD.exe	WINAPIUPD.exe
PID 4052 wrote to memory of 3304	4052	WINAPIUPD.exe	WINAPIUPD.exe
PID 4052 wrote to memory of 3304	4052	WINAPIUPD.exe	WINAPIUPD.exe
PID 4052 wrote to memory of 3304	4052	WINAPIUPD.exe	WINAPIUPD.exe
PID 3304 wrote to memory of 3204	3304	WINAPIUPD.exe	schtasks.exe
PID 3304 wrote to memory of 3204	3304	WINAPIUPD.exe	schtasks.exe
PID 3304 wrote to memory of 3204	3304	WINAPIUPD.exe	schtasks.exe
PID 3352 wrote to memory of 1188	3352	fodhelper.exe	fodhelper.exe
PID 3352 wrote to memory of 1188	3352	fodhelper.exe	fodhelper.exe
PID 3352 wrote to memory of 1188	3352	fodhelper.exe	fodhelper.exe
PID 3352 wrote to memory of 1188	3352	fodhelper.exe	fodhelper.exe
PID 3352 wrote to memory of 1188	3352	fodhelper.exe	fodhelper.exe
PID 3352 wrote to memory of 1188	3352	fodhelper.exe	fodhelper.exe
PID 3352 wrote to memory of 1188	3352	fodhelper.exe	fodhelper.exe
PID 3352 wrote to memory of 1188	3352	fodhelper.exe	fodhelper.exe
PID 1188 wrote to memory of 1496	1188	fodhelper.exe	schtasks.exe
PID 1188 wrote to memory of 1496	1188	fodhelper.exe	schtasks.exe
PID 1188 wrote to memory of 1496	1188	fodhelper.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\aa3b423ab17bbaa6c323ec8ecf686256.exe
"C:\Users\Admin\AppData\Local\Temp\aa3b423ab17bbaa6c323ec8ecf686256.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINAPIUPD.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINAPIUPD.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINAPIUPD.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINAPIUPD.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
4⤵
- Creates scheduled task(s)
PID:3204

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
3⤵
- Creates scheduled task(s)
PID:1496

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fodhelper.exe.log
MD5
009b86ab4020fc209c5914515b3aff93

SHA1
780cabb26fba207e4de8a78a89092b5b681d3ef9

SHA256
f866c5c64134450a52ec440545e84269cef199217fb61a640d79c17c5126c951

SHA512
9837fb25e9a72ca4397bef8eb72d0f2820deebfa79b81771ea071a0e853330bc791714795e2096704523b3bdc1a914632b86ae311182c12bcc4d93eb0de0b408

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINAPIUPD.exe
MD5
6d8507a187a3b78bc720c0e2f594dffe

SHA1
c3107cbc411a881836fb744ff733e0f9f176f546

SHA256
a80b8dcb3c387ea834bac9b8c3d1d7ae5f0622ef639527a45bbe3171b85939be

SHA512
e0afb9f553bafec4fe51e0d30b70e5a9dd1a7e7c106005122ffb08230f37b682c3e5e92dcd38493be66c84986aeecd9bd1f46a124e4f9b33cfb5e10f8a8141bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINAPIUPD.exe
MD5
6d8507a187a3b78bc720c0e2f594dffe

SHA1
c3107cbc411a881836fb744ff733e0f9f176f546

SHA256
a80b8dcb3c387ea834bac9b8c3d1d7ae5f0622ef639527a45bbe3171b85939be

SHA512
e0afb9f553bafec4fe51e0d30b70e5a9dd1a7e7c106005122ffb08230f37b682c3e5e92dcd38493be66c84986aeecd9bd1f46a124e4f9b33cfb5e10f8a8141bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINAPIUPD.exe
MD5
e7e6cdf6abf16a34544b3f2b9420df56

SHA1
fa2bdae8e533bba5aefb94614b213e65dee74dc5

SHA256
d66bb17c04414db9a1f2536dbd4a1a14a4a83989b9cb96e37acfbc2c02d24625

SHA512
b35064431b86149ea042619a82bf8a1af26690cce130737781ccb8155eb68e4cb7984cde12742d476c33b073fcfeb399118c79885b44e228229d5b20c53676d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
13ae456a166ebe1b4ef1321ebbd9d9db

SHA1
b66e281782ade591177b28e9e71c071faf2b802b

SHA256
fa471662bc496242ab544b6f5f928ac0892b1a38ff161c6ba9818469af8aa284

SHA512
1d428f39c94003e0de3eda833abef9200cd7200f7c8725a62f06d5ac3da4490b03b0daf14684c9b9f88947a50c241210701104164f0c7889d70ebaa08feb2d63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
5b7af85627699e825596c129e4a73ae5

SHA1
30553be7ce259db824b20b417d8967861dbbaf56

SHA256
72c05f3f90e257a29dd056b2527327fd41df2f07e0ab969801bb43bee8cb4322

SHA512
0556db8ccb2670ba6cd2b3931cf2d3afdee0eff78e41a3c8ead7065b605eb4e1afa4e2f5ac6aee1128696c6e3f9b93ae43cdc7d90f92dbf8a6fcba4dab7809d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
6c06e51112bbce23cd79f539105767a6

SHA1
9a62b7030e3a80bf0f4cdeccb08ba045dba5ef7a

SHA256
927320396924e24d9dae31ee1abc6cc4df3f177370173e53526e2874e6baa60a

SHA512
cc28978b7c4257f1a0031808e92612756d6203fe039e757ea33c01b5cc1ef59b99c6de11baf96598a77ddc8a81cd5ab08ee610920b3e55c09ece0b5c63cb2d41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
cab1f6e8d821b8996e264a9cb57a9867

SHA1
ad83d38b2e985834465bb2a83cff3c9e424e318a

SHA256
d06c934cc43202b0e011fed6b022b77b371b8aa0073535068cf23db0dfac8e43

SHA512
05fee20a38d40a34466a4c997df3850267b8b4229fcaa1b480934ddd9091e14a2e9cb5cd021deffe558683037674cd606e215049f95d56ac454c772ba8580993

Download Submit
memory/1188-153-0x000000000040202B-mapping.dmp

Download
memory/1496-155-0x0000000000000000-mapping.dmp

Download
memory/3204-137-0x0000000000000000-mapping.dmp

Download
memory/3304-136-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3304-133-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3304-134-0x000000000040202B-mapping.dmp

Download
memory/3352-148-0x0000000004A40000-0x0000000004ADC000-memory.dmp

Filesize
624KB

Download
memory/3352-149-0x0000000004A40000-0x0000000004ADC000-memory.dmp

Filesize
624KB

Download
memory/4052-126-0x0000000004C20000-0x000000000511E000-memory.dmp

Filesize
5.0MB

Download
memory/4052-130-0x0000000004C20000-0x000000000511E000-memory.dmp

Filesize
5.0MB

Download
memory/4052-129-0x0000000005DF0000-0x0000000005DF1000-memory.dmp

Filesize
4KB

Download
memory/4052-128-0x0000000005E30000-0x0000000005E31000-memory.dmp

Filesize
4KB

Download
memory/4052-127-0x0000000005D90000-0x0000000005DB1000-memory.dmp

Filesize
132KB

Download
memory/4052-132-0x00000000060B0000-0x00000000060B1000-memory.dmp

Filesize
4KB

Download
memory/4052-131-0x0000000006090000-0x000000000609B000-memory.dmp

Filesize
44KB

Download
memory/4052-125-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/4052-124-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/4052-123-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/4052-121-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/4052-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads