4b89c6621588d5974b419f6aa7610ac8df584564a52a8555d32e190bc4f089f9

General

Target

d5fce595b6cc51ed68e3090b624c716d.exe
Size

1.2MB
MD5

d5fce595b6cc51ed68e3090b624c716d
SHA1

49d091f52156fd2f7401026fc923f3d962326ce9
SHA256

4b89c6621588d5974b419f6aa7610ac8df584564a52a8555d32e190bc4f089f9
SHA512

55d849fa1de305af3e62597401f75ca771f7f720b53e700ea4d660445ba46fd5309138592d51be929cb3bf8a76d795d71ba95c920029eacf64a80651f9b8f84b

Score

8^/10

agilenet

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

fodhelper.exefodhelper.exefodhelper.exefodhelper.exe

pid process

1936 fodhelper.exe
1356 fodhelper.exe
940 fodhelper.exe
400 fodhelper.exe

pid	process
1936	fodhelper.exe
1356	fodhelper.exe
940	fodhelper.exe
400	fodhelper.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/652-58-0x00000000006A0000-0x00000000006C1000-memory.dmp	agile_net

Suspicious use of SetThreadContext 2 IoCs

Processes:

d5fce595b6cc51ed68e3090b624c716d.exefodhelper.exe

description	pid	process	target process
PID 652 set thread context of 1088	652	d5fce595b6cc51ed68e3090b624c716d.exe	d5fce595b6cc51ed68e3090b624c716d.exe
PID 1936 set thread context of 1356	1936	fodhelper.exe	fodhelper.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1744 schtasks.exe
1732 schtasks.exe

pid	process
1744	schtasks.exe
1732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

d5fce595b6cc51ed68e3090b624c716d.exefodhelper.exefodhelper.exefodhelper.exe

pid	process
652	d5fce595b6cc51ed68e3090b624c716d.exe
652	d5fce595b6cc51ed68e3090b624c716d.exe
1936	fodhelper.exe
1936	fodhelper.exe
940	fodhelper.exe
400	fodhelper.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

d5fce595b6cc51ed68e3090b624c716d.exefodhelper.exefodhelper.exefodhelper.exe

description	pid	process
Token: SeDebugPrivilege	652	d5fce595b6cc51ed68e3090b624c716d.exe
Token: SeDebugPrivilege	1936	fodhelper.exe
Token: SeDebugPrivilege	940	fodhelper.exe
Token: SeDebugPrivilege	400	fodhelper.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

d5fce595b6cc51ed68e3090b624c716d.exed5fce595b6cc51ed68e3090b624c716d.exetaskeng.exefodhelper.exefodhelper.exe

description	pid	process	target process
PID 652 wrote to memory of 1088	652	d5fce595b6cc51ed68e3090b624c716d.exe	d5fce595b6cc51ed68e3090b624c716d.exe
PID 652 wrote to memory of 1088	652	d5fce595b6cc51ed68e3090b624c716d.exe	d5fce595b6cc51ed68e3090b624c716d.exe
PID 652 wrote to memory of 1088	652	d5fce595b6cc51ed68e3090b624c716d.exe	d5fce595b6cc51ed68e3090b624c716d.exe
PID 652 wrote to memory of 1088	652	d5fce595b6cc51ed68e3090b624c716d.exe	d5fce595b6cc51ed68e3090b624c716d.exe
PID 652 wrote to memory of 1088	652	d5fce595b6cc51ed68e3090b624c716d.exe	d5fce595b6cc51ed68e3090b624c716d.exe
PID 652 wrote to memory of 1088	652	d5fce595b6cc51ed68e3090b624c716d.exe	d5fce595b6cc51ed68e3090b624c716d.exe
PID 652 wrote to memory of 1088	652	d5fce595b6cc51ed68e3090b624c716d.exe	d5fce595b6cc51ed68e3090b624c716d.exe
PID 652 wrote to memory of 1088	652	d5fce595b6cc51ed68e3090b624c716d.exe	d5fce595b6cc51ed68e3090b624c716d.exe
PID 652 wrote to memory of 1088	652	d5fce595b6cc51ed68e3090b624c716d.exe	d5fce595b6cc51ed68e3090b624c716d.exe
PID 1088 wrote to memory of 1744	1088	d5fce595b6cc51ed68e3090b624c716d.exe	schtasks.exe
PID 1088 wrote to memory of 1744	1088	d5fce595b6cc51ed68e3090b624c716d.exe	schtasks.exe
PID 1088 wrote to memory of 1744	1088	d5fce595b6cc51ed68e3090b624c716d.exe	schtasks.exe
PID 1088 wrote to memory of 1744	1088	d5fce595b6cc51ed68e3090b624c716d.exe	schtasks.exe
PID 1328 wrote to memory of 1936	1328	taskeng.exe	fodhelper.exe
PID 1328 wrote to memory of 1936	1328	taskeng.exe	fodhelper.exe
PID 1328 wrote to memory of 1936	1328	taskeng.exe	fodhelper.exe
PID 1328 wrote to memory of 1936	1328	taskeng.exe	fodhelper.exe
PID 1936 wrote to memory of 1356	1936	fodhelper.exe	fodhelper.exe
PID 1936 wrote to memory of 1356	1936	fodhelper.exe	fodhelper.exe
PID 1936 wrote to memory of 1356	1936	fodhelper.exe	fodhelper.exe
PID 1936 wrote to memory of 1356	1936	fodhelper.exe	fodhelper.exe
PID 1936 wrote to memory of 1356	1936	fodhelper.exe	fodhelper.exe
PID 1936 wrote to memory of 1356	1936	fodhelper.exe	fodhelper.exe
PID 1936 wrote to memory of 1356	1936	fodhelper.exe	fodhelper.exe
PID 1936 wrote to memory of 1356	1936	fodhelper.exe	fodhelper.exe
PID 1936 wrote to memory of 1356	1936	fodhelper.exe	fodhelper.exe
PID 1356 wrote to memory of 1732	1356	fodhelper.exe	schtasks.exe
PID 1356 wrote to memory of 1732	1356	fodhelper.exe	schtasks.exe
PID 1356 wrote to memory of 1732	1356	fodhelper.exe	schtasks.exe
PID 1356 wrote to memory of 1732	1356	fodhelper.exe	schtasks.exe
PID 1328 wrote to memory of 940	1328	taskeng.exe	fodhelper.exe
PID 1328 wrote to memory of 940	1328	taskeng.exe	fodhelper.exe
PID 1328 wrote to memory of 940	1328	taskeng.exe	fodhelper.exe
PID 1328 wrote to memory of 940	1328	taskeng.exe	fodhelper.exe
PID 1328 wrote to memory of 400	1328	taskeng.exe	fodhelper.exe
PID 1328 wrote to memory of 400	1328	taskeng.exe	fodhelper.exe
PID 1328 wrote to memory of 400	1328	taskeng.exe	fodhelper.exe
PID 1328 wrote to memory of 400	1328	taskeng.exe	fodhelper.exe

C:\Users\Admin\AppData\Local\Temp\d5fce595b6cc51ed68e3090b624c716d.exe
"C:\Users\Admin\AppData\Local\Temp\d5fce595b6cc51ed68e3090b624c716d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Local\Temp\d5fce595b6cc51ed68e3090b624c716d.exe
"C:\Users\Admin\AppData\Local\Temp\d5fce595b6cc51ed68e3090b624c716d.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
3⤵
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\taskeng.exe
taskeng.exe {11289D6A-6A73-41A6-9D21-3D30E5CF54C4} S-1-5-21-103686315-404690609-2047157615-1000:EDWYFHKN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
4⤵
- Creates scheduled task(s)
PID:1732

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
d5fce595b6cc51ed68e3090b624c716d

SHA1
49d091f52156fd2f7401026fc923f3d962326ce9

SHA256
4b89c6621588d5974b419f6aa7610ac8df584564a52a8555d32e190bc4f089f9

SHA512
55d849fa1de305af3e62597401f75ca771f7f720b53e700ea4d660445ba46fd5309138592d51be929cb3bf8a76d795d71ba95c920029eacf64a80651f9b8f84b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
d5fce595b6cc51ed68e3090b624c716d

SHA1
49d091f52156fd2f7401026fc923f3d962326ce9

SHA256
4b89c6621588d5974b419f6aa7610ac8df584564a52a8555d32e190bc4f089f9

SHA512
55d849fa1de305af3e62597401f75ca771f7f720b53e700ea4d660445ba46fd5309138592d51be929cb3bf8a76d795d71ba95c920029eacf64a80651f9b8f84b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
d5fce595b6cc51ed68e3090b624c716d

SHA1
49d091f52156fd2f7401026fc923f3d962326ce9

SHA256
4b89c6621588d5974b419f6aa7610ac8df584564a52a8555d32e190bc4f089f9

SHA512
55d849fa1de305af3e62597401f75ca771f7f720b53e700ea4d660445ba46fd5309138592d51be929cb3bf8a76d795d71ba95c920029eacf64a80651f9b8f84b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
d5fce595b6cc51ed68e3090b624c716d

SHA1
49d091f52156fd2f7401026fc923f3d962326ce9

SHA256
4b89c6621588d5974b419f6aa7610ac8df584564a52a8555d32e190bc4f089f9

SHA512
55d849fa1de305af3e62597401f75ca771f7f720b53e700ea4d660445ba46fd5309138592d51be929cb3bf8a76d795d71ba95c920029eacf64a80651f9b8f84b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
d5fce595b6cc51ed68e3090b624c716d

SHA1
49d091f52156fd2f7401026fc923f3d962326ce9

SHA256
4b89c6621588d5974b419f6aa7610ac8df584564a52a8555d32e190bc4f089f9

SHA512
55d849fa1de305af3e62597401f75ca771f7f720b53e700ea4d660445ba46fd5309138592d51be929cb3bf8a76d795d71ba95c920029eacf64a80651f9b8f84b

Download Submit
memory/400-103-0x0000000000000000-mapping.dmp

Download
memory/400-107-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/652-60-0x00000000004E0000-0x00000000004EB000-memory.dmp

Filesize
44KB

Download
memory/652-55-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/652-61-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/652-59-0x0000000004FE1000-0x0000000004FE2000-memory.dmp

Filesize
4KB

Download
memory/652-58-0x00000000006A0000-0x00000000006C1000-memory.dmp

Filesize
132KB

Download
memory/652-57-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/940-101-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/940-99-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/940-97-0x0000000000000000-mapping.dmp

Download
memory/1088-64-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/1088-74-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1088-62-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/1088-63-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/1088-65-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/1088-67-0x000000000040202B-mapping.dmp

Download
memory/1088-68-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/1088-75-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/1088-71-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/1356-96-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1356-92-0x000000000040202B-mapping.dmp

Download
memory/1732-95-0x0000000000000000-mapping.dmp

Download
memory/1744-76-0x0000000000000000-mapping.dmp

Download
memory/1936-78-0x0000000000000000-mapping.dmp

Download
memory/1936-84-0x0000000004EB1000-0x0000000004EB2000-memory.dmp

Filesize
4KB

Download
memory/1936-82-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/1936-80-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads