697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49

General

Target

fa35e20372326e5c1e12607df198b5c4.exe
Size

1.4MB
MD5

fa35e20372326e5c1e12607df198b5c4
SHA1

a022779cbf0fca54ef969c8a86be95083f9e128d
SHA256

697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49
SHA512

c24b55c429d6d77791ad3fca53685f9f2f72b336cdf4de62f95e10fb54c1f3e55cda511b78415bbba474131ce4fd9bc887d1086b30a557fb08207487541dd25e

Score

8^/10

agilenet

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

fodhelper.exefodhelper.exefodhelper.exefodhelper.exe

pid process

1524 fodhelper.exe
1760 fodhelper.exe
1116 fodhelper.exe
1844 fodhelper.exe

pid	process
1524	fodhelper.exe
1760	fodhelper.exe
1116	fodhelper.exe
1844	fodhelper.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/872-58-0x0000000000290000-0x00000000002B1000-memory.dmp	agile_net

Suspicious use of SetThreadContext 2 IoCs

Processes:

fa35e20372326e5c1e12607df198b5c4.exefodhelper.exe

description	pid	process	target process
PID 872 set thread context of 924	872	fa35e20372326e5c1e12607df198b5c4.exe	fa35e20372326e5c1e12607df198b5c4.exe
PID 1524 set thread context of 1760	1524	fodhelper.exe	fodhelper.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1828 schtasks.exe
1416 schtasks.exe

pid	process
1828	schtasks.exe
1416	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

fa35e20372326e5c1e12607df198b5c4.exefodhelper.exefodhelper.exefodhelper.exe

pid	process
872	fa35e20372326e5c1e12607df198b5c4.exe
872	fa35e20372326e5c1e12607df198b5c4.exe
1524	fodhelper.exe
1524	fodhelper.exe
1116	fodhelper.exe
1844	fodhelper.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

fa35e20372326e5c1e12607df198b5c4.exefodhelper.exefodhelper.exefodhelper.exe

description	pid	process
Token: SeDebugPrivilege	872	fa35e20372326e5c1e12607df198b5c4.exe
Token: SeDebugPrivilege	1524	fodhelper.exe
Token: SeDebugPrivilege	1116	fodhelper.exe
Token: SeDebugPrivilege	1844	fodhelper.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

fa35e20372326e5c1e12607df198b5c4.exefa35e20372326e5c1e12607df198b5c4.exetaskeng.exefodhelper.exefodhelper.exe

description	pid	process	target process
PID 872 wrote to memory of 924	872	fa35e20372326e5c1e12607df198b5c4.exe	fa35e20372326e5c1e12607df198b5c4.exe
PID 872 wrote to memory of 924	872	fa35e20372326e5c1e12607df198b5c4.exe	fa35e20372326e5c1e12607df198b5c4.exe
PID 872 wrote to memory of 924	872	fa35e20372326e5c1e12607df198b5c4.exe	fa35e20372326e5c1e12607df198b5c4.exe
PID 872 wrote to memory of 924	872	fa35e20372326e5c1e12607df198b5c4.exe	fa35e20372326e5c1e12607df198b5c4.exe
PID 872 wrote to memory of 924	872	fa35e20372326e5c1e12607df198b5c4.exe	fa35e20372326e5c1e12607df198b5c4.exe
PID 872 wrote to memory of 924	872	fa35e20372326e5c1e12607df198b5c4.exe	fa35e20372326e5c1e12607df198b5c4.exe
PID 872 wrote to memory of 924	872	fa35e20372326e5c1e12607df198b5c4.exe	fa35e20372326e5c1e12607df198b5c4.exe
PID 872 wrote to memory of 924	872	fa35e20372326e5c1e12607df198b5c4.exe	fa35e20372326e5c1e12607df198b5c4.exe
PID 872 wrote to memory of 924	872	fa35e20372326e5c1e12607df198b5c4.exe	fa35e20372326e5c1e12607df198b5c4.exe
PID 924 wrote to memory of 1828	924	fa35e20372326e5c1e12607df198b5c4.exe	schtasks.exe
PID 924 wrote to memory of 1828	924	fa35e20372326e5c1e12607df198b5c4.exe	schtasks.exe
PID 924 wrote to memory of 1828	924	fa35e20372326e5c1e12607df198b5c4.exe	schtasks.exe
PID 924 wrote to memory of 1828	924	fa35e20372326e5c1e12607df198b5c4.exe	schtasks.exe
PID 1544 wrote to memory of 1524	1544	taskeng.exe	fodhelper.exe
PID 1544 wrote to memory of 1524	1544	taskeng.exe	fodhelper.exe
PID 1544 wrote to memory of 1524	1544	taskeng.exe	fodhelper.exe
PID 1544 wrote to memory of 1524	1544	taskeng.exe	fodhelper.exe
PID 1524 wrote to memory of 1760	1524	fodhelper.exe	fodhelper.exe
PID 1524 wrote to memory of 1760	1524	fodhelper.exe	fodhelper.exe
PID 1524 wrote to memory of 1760	1524	fodhelper.exe	fodhelper.exe
PID 1524 wrote to memory of 1760	1524	fodhelper.exe	fodhelper.exe
PID 1524 wrote to memory of 1760	1524	fodhelper.exe	fodhelper.exe
PID 1524 wrote to memory of 1760	1524	fodhelper.exe	fodhelper.exe
PID 1524 wrote to memory of 1760	1524	fodhelper.exe	fodhelper.exe
PID 1524 wrote to memory of 1760	1524	fodhelper.exe	fodhelper.exe
PID 1524 wrote to memory of 1760	1524	fodhelper.exe	fodhelper.exe
PID 1760 wrote to memory of 1416	1760	fodhelper.exe	schtasks.exe
PID 1760 wrote to memory of 1416	1760	fodhelper.exe	schtasks.exe
PID 1760 wrote to memory of 1416	1760	fodhelper.exe	schtasks.exe
PID 1760 wrote to memory of 1416	1760	fodhelper.exe	schtasks.exe
PID 1544 wrote to memory of 1116	1544	taskeng.exe	fodhelper.exe
PID 1544 wrote to memory of 1116	1544	taskeng.exe	fodhelper.exe
PID 1544 wrote to memory of 1116	1544	taskeng.exe	fodhelper.exe
PID 1544 wrote to memory of 1116	1544	taskeng.exe	fodhelper.exe
PID 1544 wrote to memory of 1844	1544	taskeng.exe	fodhelper.exe
PID 1544 wrote to memory of 1844	1544	taskeng.exe	fodhelper.exe
PID 1544 wrote to memory of 1844	1544	taskeng.exe	fodhelper.exe
PID 1544 wrote to memory of 1844	1544	taskeng.exe	fodhelper.exe

C:\Users\Admin\AppData\Local\Temp\fa35e20372326e5c1e12607df198b5c4.exe
"C:\Users\Admin\AppData\Local\Temp\fa35e20372326e5c1e12607df198b5c4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872

C:\Users\Admin\AppData\Local\Temp\fa35e20372326e5c1e12607df198b5c4.exe
"C:\Users\Admin\AppData\Local\Temp\fa35e20372326e5c1e12607df198b5c4.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
3⤵
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\taskeng.exe
taskeng.exe {B72C564D-A515-4C9E-9CDE-764D5B76234C} S-1-5-21-103686315-404690609-2047157615-1000:EDWYFHKN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
4⤵
- Creates scheduled task(s)
PID:1416

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
fa35e20372326e5c1e12607df198b5c4

SHA1
a022779cbf0fca54ef969c8a86be95083f9e128d

SHA256
697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49

SHA512
c24b55c429d6d77791ad3fca53685f9f2f72b336cdf4de62f95e10fb54c1f3e55cda511b78415bbba474131ce4fd9bc887d1086b30a557fb08207487541dd25e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
fa35e20372326e5c1e12607df198b5c4

SHA1
a022779cbf0fca54ef969c8a86be95083f9e128d

SHA256
697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49

SHA512
c24b55c429d6d77791ad3fca53685f9f2f72b336cdf4de62f95e10fb54c1f3e55cda511b78415bbba474131ce4fd9bc887d1086b30a557fb08207487541dd25e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
fa35e20372326e5c1e12607df198b5c4

SHA1
a022779cbf0fca54ef969c8a86be95083f9e128d

SHA256
697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49

SHA512
c24b55c429d6d77791ad3fca53685f9f2f72b336cdf4de62f95e10fb54c1f3e55cda511b78415bbba474131ce4fd9bc887d1086b30a557fb08207487541dd25e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
fa35e20372326e5c1e12607df198b5c4

SHA1
a022779cbf0fca54ef969c8a86be95083f9e128d

SHA256
697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49

SHA512
c24b55c429d6d77791ad3fca53685f9f2f72b336cdf4de62f95e10fb54c1f3e55cda511b78415bbba474131ce4fd9bc887d1086b30a557fb08207487541dd25e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
fa35e20372326e5c1e12607df198b5c4

SHA1
a022779cbf0fca54ef969c8a86be95083f9e128d

SHA256
697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49

SHA512
c24b55c429d6d77791ad3fca53685f9f2f72b336cdf4de62f95e10fb54c1f3e55cda511b78415bbba474131ce4fd9bc887d1086b30a557fb08207487541dd25e

Download Submit
memory/872-55-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/872-57-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/872-58-0x0000000000290000-0x00000000002B1000-memory.dmp

Filesize
132KB

Download
memory/872-59-0x0000000000611000-0x0000000000612000-memory.dmp

Filesize
4KB

Download
memory/872-60-0x00000000004C0000-0x00000000004CB000-memory.dmp

Filesize
44KB

Download
memory/872-61-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/924-70-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/924-62-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/924-67-0x000000000040202B-mapping.dmp

Download
memory/924-66-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/924-68-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/924-65-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/924-63-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/924-64-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1116-94-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/1116-92-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/1116-90-0x0000000000000000-mapping.dmp

Download
memory/1416-89-0x0000000000000000-mapping.dmp

Download
memory/1524-72-0x0000000000000000-mapping.dmp

Download
memory/1524-78-0x0000000004F11000-0x0000000004F12000-memory.dmp

Filesize
4KB

Download
memory/1524-76-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/1524-74-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/1760-86-0x000000000040202B-mapping.dmp

Download
memory/1828-69-0x0000000000000000-mapping.dmp

Download
memory/1844-96-0x0000000000000000-mapping.dmp

Download
memory/1844-100-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads