697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49

General

Target

697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe
Size

1.4MB
MD5

fa35e20372326e5c1e12607df198b5c4
SHA1

a022779cbf0fca54ef969c8a86be95083f9e128d
SHA256

697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49
SHA512

c24b55c429d6d77791ad3fca53685f9f2f72b336cdf4de62f95e10fb54c1f3e55cda511b78415bbba474131ce4fd9bc887d1086b30a557fb08207487541dd25e

Score

8^/10

agilenet

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

fodhelper.exefodhelper.exefodhelper.exefodhelper.exe

pid process

4172 fodhelper.exe
1056 fodhelper.exe
2044 fodhelper.exe
2936 fodhelper.exe

pid	process
4172	fodhelper.exe
1056	fodhelper.exe
2044	fodhelper.exe
2936	fodhelper.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/3508-124-0x0000000005080000-0x00000000050A1000-memory.dmp	agile_net
behavioral1/memory/3508-127-0x0000000004AF0000-0x0000000004B8C000-memory.dmp	agile_net
behavioral1/memory/4172-145-0x0000000004C70000-0x000000000516E000-memory.dmp	agile_net

Suspicious use of SetThreadContext 2 IoCs

Processes:

697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exefodhelper.exe

description	pid	process	target process
PID 3508 set thread context of 4432	3508	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe
PID 4172 set thread context of 1056	4172	fodhelper.exe	fodhelper.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1176 schtasks.exe
4504 schtasks.exe

pid	process
1176	schtasks.exe
4504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exefodhelper.exefodhelper.exefodhelper.exe

pid	process
3508	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe
3508	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe
4172	fodhelper.exe
4172	fodhelper.exe
2044	fodhelper.exe
2936	fodhelper.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exefodhelper.exefodhelper.exefodhelper.exe

description	pid	process
Token: SeDebugPrivilege	3508	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe
Token: SeDebugPrivilege	4172	fodhelper.exe
Token: SeDebugPrivilege	2044	fodhelper.exe
Token: SeDebugPrivilege	2936	fodhelper.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exefodhelper.exefodhelper.exe

description	pid	process	target process
PID 3508 wrote to memory of 4432	3508	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe
PID 3508 wrote to memory of 4432	3508	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe
PID 3508 wrote to memory of 4432	3508	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe
PID 3508 wrote to memory of 4432	3508	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe
PID 3508 wrote to memory of 4432	3508	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe
PID 3508 wrote to memory of 4432	3508	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe
PID 3508 wrote to memory of 4432	3508	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe
PID 3508 wrote to memory of 4432	3508	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe
PID 4432 wrote to memory of 4504	4432	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe	schtasks.exe
PID 4432 wrote to memory of 4504	4432	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe	schtasks.exe
PID 4432 wrote to memory of 4504	4432	697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe	schtasks.exe
PID 4172 wrote to memory of 1056	4172	fodhelper.exe	fodhelper.exe
PID 4172 wrote to memory of 1056	4172	fodhelper.exe	fodhelper.exe
PID 4172 wrote to memory of 1056	4172	fodhelper.exe	fodhelper.exe
PID 4172 wrote to memory of 1056	4172	fodhelper.exe	fodhelper.exe
PID 4172 wrote to memory of 1056	4172	fodhelper.exe	fodhelper.exe
PID 4172 wrote to memory of 1056	4172	fodhelper.exe	fodhelper.exe
PID 4172 wrote to memory of 1056	4172	fodhelper.exe	fodhelper.exe
PID 4172 wrote to memory of 1056	4172	fodhelper.exe	fodhelper.exe
PID 1056 wrote to memory of 1176	1056	fodhelper.exe	schtasks.exe
PID 1056 wrote to memory of 1176	1056	fodhelper.exe	schtasks.exe
PID 1056 wrote to memory of 1176	1056	fodhelper.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe
"C:\Users\Admin\AppData\Local\Temp\697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508

C:\Users\Admin\AppData\Local\Temp\697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe
"C:\Users\Admin\AppData\Local\Temp\697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
3⤵
- Creates scheduled task(s)
PID:4504

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4172

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
3⤵
- Creates scheduled task(s)
PID:1176

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fodhelper.exe.log
MD5
7648e852b0157b362b07766e0b5b355e

SHA1
6f9ac6e9d89842d38345fb83930d8c927cb44c69

SHA256
8dd14eb336757d783e47f36a98a4fe5c1314d93782907f538417265037819896

SHA512
849e5e18a2439b9a228395c5f92d1ff8111b84ca7e56f9c2ace3580d21ceee0f78f7e9836668970a401fcf2fa2d88ff9aa89935595f45302b6af88a4069138d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
fa35e20372326e5c1e12607df198b5c4

SHA1
a022779cbf0fca54ef969c8a86be95083f9e128d

SHA256
697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49

SHA512
c24b55c429d6d77791ad3fca53685f9f2f72b336cdf4de62f95e10fb54c1f3e55cda511b78415bbba474131ce4fd9bc887d1086b30a557fb08207487541dd25e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
fa35e20372326e5c1e12607df198b5c4

SHA1
a022779cbf0fca54ef969c8a86be95083f9e128d

SHA256
697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49

SHA512
c24b55c429d6d77791ad3fca53685f9f2f72b336cdf4de62f95e10fb54c1f3e55cda511b78415bbba474131ce4fd9bc887d1086b30a557fb08207487541dd25e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
fa35e20372326e5c1e12607df198b5c4

SHA1
a022779cbf0fca54ef969c8a86be95083f9e128d

SHA256
697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49

SHA512
c24b55c429d6d77791ad3fca53685f9f2f72b336cdf4de62f95e10fb54c1f3e55cda511b78415bbba474131ce4fd9bc887d1086b30a557fb08207487541dd25e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
fa35e20372326e5c1e12607df198b5c4

SHA1
a022779cbf0fca54ef969c8a86be95083f9e128d

SHA256
697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49

SHA512
c24b55c429d6d77791ad3fca53685f9f2f72b336cdf4de62f95e10fb54c1f3e55cda511b78415bbba474131ce4fd9bc887d1086b30a557fb08207487541dd25e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
fa35e20372326e5c1e12607df198b5c4

SHA1
a022779cbf0fca54ef969c8a86be95083f9e128d

SHA256
697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49

SHA512
c24b55c429d6d77791ad3fca53685f9f2f72b336cdf4de62f95e10fb54c1f3e55cda511b78415bbba474131ce4fd9bc887d1086b30a557fb08207487541dd25e

Download Submit
memory/1056-149-0x000000000040202B-mapping.dmp

Download
memory/1176-151-0x0000000000000000-mapping.dmp

Download
memory/2044-162-0x0000000005550000-0x0000000005A4E000-memory.dmp

Filesize
5.0MB

Download
memory/3508-124-0x0000000005080000-0x00000000050A1000-memory.dmp

Filesize
132KB

Download
memory/3508-129-0x0000000008A80000-0x0000000008A81000-memory.dmp

Filesize
4KB

Download
memory/3508-128-0x00000000064C0000-0x00000000064CB000-memory.dmp

Filesize
44KB

Download
memory/3508-127-0x0000000004AF0000-0x0000000004B8C000-memory.dmp

Filesize
624KB

Download
memory/3508-126-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/3508-125-0x0000000005D90000-0x0000000005D91000-memory.dmp

Filesize
4KB

Download
memory/3508-123-0x0000000004AF0000-0x0000000004B8C000-memory.dmp

Filesize
624KB

Download
memory/3508-122-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/3508-121-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/3508-118-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/3508-120-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4172-144-0x0000000004C70000-0x000000000516E000-memory.dmp

Filesize
5.0MB

Download
memory/4172-145-0x0000000004C70000-0x000000000516E000-memory.dmp

Filesize
5.0MB

Download
memory/4432-133-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4432-131-0x000000000040202B-mapping.dmp

Download
memory/4432-130-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4504-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads