dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

General

Target

SecuriteInfo.com.Trojan.MulDrop20.49709.30212.7740.exe
Size

1.4MB
MD5

b6bbab9f72c88d07b484cc339c475e75
SHA1

f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256

dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA512

1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
SSDEEP

24576:Y3621SZiNtNxkSJPXZi9aftdqkXO5pM7xUo1nZADHE2SDyuq5ZP+df:Y3dblkS5XZi9wdqlpMVUo1n+kbDzqbk

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
676	fodhelper.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2016	SecuriteInfo.com.Trojan.MulDrop20.49709.30212.7740.exe
2016	SecuriteInfo.com.Trojan.MulDrop20.49709.30212.7740.exe
2016	SecuriteInfo.com.Trojan.MulDrop20.49709.30212.7740.exe
2016	SecuriteInfo.com.Trojan.MulDrop20.49709.30212.7740.exe
2016	SecuriteInfo.com.Trojan.MulDrop20.49709.30212.7740.exe
676	fodhelper.exe
676	fodhelper.exe
676	fodhelper.exe
676	fodhelper.exe
676	fodhelper.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2036	2016	SecuriteInfo.com.Trojan.MulDrop20.49709.30212.7740.exe	27
PID 2016 wrote to memory of 2036	2016	SecuriteInfo.com.Trojan.MulDrop20.49709.30212.7740.exe	27
PID 2016 wrote to memory of 2036	2016	SecuriteInfo.com.Trojan.MulDrop20.49709.30212.7740.exe	27
PID 2016 wrote to memory of 2036	2016	SecuriteInfo.com.Trojan.MulDrop20.49709.30212.7740.exe	27
PID 1896 wrote to memory of 676	1896	taskeng.exe	30
PID 1896 wrote to memory of 676	1896	taskeng.exe	30
PID 1896 wrote to memory of 676	1896	taskeng.exe	30
PID 1896 wrote to memory of 676	1896	taskeng.exe	30

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop20.49709.30212.7740.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop20.49709.30212.7740.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2036

C:\Windows\system32\taskeng.exe
taskeng.exe {15004B2C-3DDC-48CA-9F09-6EB39B206FC0} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
memory/676-75-0x00000000023D0000-0x000000000250D000-memory.dmp

Filesize
1.2MB

Download
memory/676-74-0x0000000001EC0000-0x00000000023C4000-memory.dmp

Filesize
5.0MB

Download
memory/676-73-0x00000000023D0000-0x000000000250D000-memory.dmp

Filesize
1.2MB

Download
memory/676-71-0x00000000023D0000-0x000000000250D000-memory.dmp

Filesize
1.2MB

Download
memory/676-70-0x0000000001EC0000-0x00000000023C4000-memory.dmp

Filesize
5.0MB

Download
memory/676-69-0x0000000001EC0000-0x00000000023C4000-memory.dmp

Filesize
5.0MB

Download
memory/2016-59-0x0000000002020000-0x0000000002524000-memory.dmp

Filesize
5.0MB

Download
memory/2016-65-0x00000000005E0000-0x000000000071D000-memory.dmp

Filesize
1.2MB

Download
memory/2016-62-0x0000000000730000-0x0000000000736000-memory.dmp

Filesize
24KB

Download
memory/2016-61-0x000000000BD90000-0x000000000BDE7000-memory.dmp

Filesize
348KB

Download
memory/2016-60-0x00000000005E0000-0x000000000071D000-memory.dmp

Filesize
1.2MB

Download
memory/2016-54-0x0000000002020000-0x0000000002524000-memory.dmp

Filesize
5.0MB

Download
memory/2016-58-0x00000000005E0000-0x000000000071D000-memory.dmp

Filesize
1.2MB

Download
memory/2016-57-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/2016-56-0x00000000005E0000-0x000000000071D000-memory.dmp

Filesize
1.2MB

Download
memory/2016-55-0x0000000002020000-0x0000000002524000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads