4b89c6621588d5974b419f6aa7610ac8df584564a52a8555d32e190bc4f089f9

General

Target

d5fce595b6cc51ed68e3090b624c716d.exe
Size

1.2MB
MD5

d5fce595b6cc51ed68e3090b624c716d
SHA1

49d091f52156fd2f7401026fc923f3d962326ce9
SHA256

4b89c6621588d5974b419f6aa7610ac8df584564a52a8555d32e190bc4f089f9
SHA512

55d849fa1de305af3e62597401f75ca771f7f720b53e700ea4d660445ba46fd5309138592d51be929cb3bf8a76d795d71ba95c920029eacf64a80651f9b8f84b

Score

8^/10

agilenet

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

fodhelper.exefodhelper.exefodhelper.exe

pid process

400 fodhelper.exe
3372 fodhelper.exe
2076 fodhelper.exe

pid	process
400	fodhelper.exe
3372	fodhelper.exe
2076	fodhelper.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/2800-121-0x0000000005850000-0x0000000005871000-memory.dmp	agile_net
behavioral2/memory/2800-124-0x00000000055E0000-0x0000000005ADE000-memory.dmp	agile_net
behavioral2/memory/400-141-0x0000000004CC0000-0x0000000004D52000-memory.dmp	agile_net

Suspicious use of SetThreadContext 2 IoCs

Processes:

d5fce595b6cc51ed68e3090b624c716d.exefodhelper.exe

description	pid	process	target process
PID 2800 set thread context of 1412	2800	d5fce595b6cc51ed68e3090b624c716d.exe	d5fce595b6cc51ed68e3090b624c716d.exe
PID 400 set thread context of 3372	400	fodhelper.exe	fodhelper.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2940 schtasks.exe
1444 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

d5fce595b6cc51ed68e3090b624c716d.exefodhelper.exefodhelper.exe

pid process

2800 d5fce595b6cc51ed68e3090b624c716d.exe
2800 d5fce595b6cc51ed68e3090b624c716d.exe
400 fodhelper.exe
400 fodhelper.exe
2076 fodhelper.exe

pid	process
2940	schtasks.exe
1444	schtasks.exe

pid	process
2800	d5fce595b6cc51ed68e3090b624c716d.exe
2800	d5fce595b6cc51ed68e3090b624c716d.exe
400	fodhelper.exe
400	fodhelper.exe
2076	fodhelper.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

d5fce595b6cc51ed68e3090b624c716d.exefodhelper.exefodhelper.exe

description	pid	process
Token: SeDebugPrivilege	2800	d5fce595b6cc51ed68e3090b624c716d.exe
Token: SeDebugPrivilege	400	fodhelper.exe
Token: SeDebugPrivilege	2076	fodhelper.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

d5fce595b6cc51ed68e3090b624c716d.exed5fce595b6cc51ed68e3090b624c716d.exefodhelper.exefodhelper.exe

description	pid	process	target process
PID 2800 wrote to memory of 1412	2800	d5fce595b6cc51ed68e3090b624c716d.exe	d5fce595b6cc51ed68e3090b624c716d.exe
PID 2800 wrote to memory of 1412	2800	d5fce595b6cc51ed68e3090b624c716d.exe	d5fce595b6cc51ed68e3090b624c716d.exe
PID 2800 wrote to memory of 1412	2800	d5fce595b6cc51ed68e3090b624c716d.exe	d5fce595b6cc51ed68e3090b624c716d.exe
PID 2800 wrote to memory of 1412	2800	d5fce595b6cc51ed68e3090b624c716d.exe	d5fce595b6cc51ed68e3090b624c716d.exe
PID 2800 wrote to memory of 1412	2800	d5fce595b6cc51ed68e3090b624c716d.exe	d5fce595b6cc51ed68e3090b624c716d.exe
PID 2800 wrote to memory of 1412	2800	d5fce595b6cc51ed68e3090b624c716d.exe	d5fce595b6cc51ed68e3090b624c716d.exe
PID 2800 wrote to memory of 1412	2800	d5fce595b6cc51ed68e3090b624c716d.exe	d5fce595b6cc51ed68e3090b624c716d.exe
PID 2800 wrote to memory of 1412	2800	d5fce595b6cc51ed68e3090b624c716d.exe	d5fce595b6cc51ed68e3090b624c716d.exe
PID 1412 wrote to memory of 2940	1412	d5fce595b6cc51ed68e3090b624c716d.exe	schtasks.exe
PID 1412 wrote to memory of 2940	1412	d5fce595b6cc51ed68e3090b624c716d.exe	schtasks.exe
PID 1412 wrote to memory of 2940	1412	d5fce595b6cc51ed68e3090b624c716d.exe	schtasks.exe
PID 400 wrote to memory of 3372	400	fodhelper.exe	fodhelper.exe
PID 400 wrote to memory of 3372	400	fodhelper.exe	fodhelper.exe
PID 400 wrote to memory of 3372	400	fodhelper.exe	fodhelper.exe
PID 400 wrote to memory of 3372	400	fodhelper.exe	fodhelper.exe
PID 400 wrote to memory of 3372	400	fodhelper.exe	fodhelper.exe
PID 400 wrote to memory of 3372	400	fodhelper.exe	fodhelper.exe
PID 400 wrote to memory of 3372	400	fodhelper.exe	fodhelper.exe
PID 400 wrote to memory of 3372	400	fodhelper.exe	fodhelper.exe
PID 3372 wrote to memory of 1444	3372	fodhelper.exe	schtasks.exe
PID 3372 wrote to memory of 1444	3372	fodhelper.exe	schtasks.exe
PID 3372 wrote to memory of 1444	3372	fodhelper.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\d5fce595b6cc51ed68e3090b624c716d.exe
"C:\Users\Admin\AppData\Local\Temp\d5fce595b6cc51ed68e3090b624c716d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800

C:\Users\Admin\AppData\Local\Temp\d5fce595b6cc51ed68e3090b624c716d.exe
"C:\Users\Admin\AppData\Local\Temp\d5fce595b6cc51ed68e3090b624c716d.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
3⤵
- Creates scheduled task(s)
PID:2940

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
3⤵
- Creates scheduled task(s)
PID:1444

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fodhelper.exe.log
MD5
7648e852b0157b362b07766e0b5b355e

SHA1
6f9ac6e9d89842d38345fb83930d8c927cb44c69

SHA256
8dd14eb336757d783e47f36a98a4fe5c1314d93782907f538417265037819896

SHA512
849e5e18a2439b9a228395c5f92d1ff8111b84ca7e56f9c2ace3580d21ceee0f78f7e9836668970a401fcf2fa2d88ff9aa89935595f45302b6af88a4069138d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
d5fce595b6cc51ed68e3090b624c716d

SHA1
49d091f52156fd2f7401026fc923f3d962326ce9

SHA256
4b89c6621588d5974b419f6aa7610ac8df584564a52a8555d32e190bc4f089f9

SHA512
55d849fa1de305af3e62597401f75ca771f7f720b53e700ea4d660445ba46fd5309138592d51be929cb3bf8a76d795d71ba95c920029eacf64a80651f9b8f84b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
d5fce595b6cc51ed68e3090b624c716d

SHA1
49d091f52156fd2f7401026fc923f3d962326ce9

SHA256
4b89c6621588d5974b419f6aa7610ac8df584564a52a8555d32e190bc4f089f9

SHA512
55d849fa1de305af3e62597401f75ca771f7f720b53e700ea4d660445ba46fd5309138592d51be929cb3bf8a76d795d71ba95c920029eacf64a80651f9b8f84b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
d5fce595b6cc51ed68e3090b624c716d

SHA1
49d091f52156fd2f7401026fc923f3d962326ce9

SHA256
4b89c6621588d5974b419f6aa7610ac8df584564a52a8555d32e190bc4f089f9

SHA512
55d849fa1de305af3e62597401f75ca771f7f720b53e700ea4d660445ba46fd5309138592d51be929cb3bf8a76d795d71ba95c920029eacf64a80651f9b8f84b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
d5fce595b6cc51ed68e3090b624c716d

SHA1
49d091f52156fd2f7401026fc923f3d962326ce9

SHA256
4b89c6621588d5974b419f6aa7610ac8df584564a52a8555d32e190bc4f089f9

SHA512
55d849fa1de305af3e62597401f75ca771f7f720b53e700ea4d660445ba46fd5309138592d51be929cb3bf8a76d795d71ba95c920029eacf64a80651f9b8f84b

Download Submit
memory/400-141-0x0000000004CC0000-0x0000000004D52000-memory.dmp

Filesize
584KB

Download
memory/400-142-0x0000000004CC0000-0x0000000004D52000-memory.dmp

Filesize
584KB

Download
memory/1412-128-0x000000000040202B-mapping.dmp

Download
memory/1412-130-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1412-127-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1444-148-0x0000000000000000-mapping.dmp

Download
memory/2076-159-0x00000000053A0000-0x000000000589E000-memory.dmp

Filesize
5.0MB

Download
memory/2800-122-0x0000000006810000-0x0000000006811000-memory.dmp

Filesize
4KB

Download
memory/2800-115-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/2800-123-0x00000000067D0000-0x00000000067D1000-memory.dmp

Filesize
4KB

Download
memory/2800-124-0x00000000055E0000-0x0000000005ADE000-memory.dmp

Filesize
5.0MB

Download
memory/2800-121-0x0000000005850000-0x0000000005871000-memory.dmp

Filesize
132KB

Download
memory/2800-120-0x00000000055E0000-0x0000000005ADE000-memory.dmp

Filesize
5.0MB

Download
memory/2800-119-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/2800-126-0x00000000095D0000-0x00000000095D1000-memory.dmp

Filesize
4KB

Download
memory/2800-118-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/2800-117-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/2800-125-0x0000000007040000-0x000000000704B000-memory.dmp

Filesize
44KB

Download
memory/2940-129-0x0000000000000000-mapping.dmp

Download
memory/3372-146-0x000000000040202B-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads