1e2a1ba90a1f38d6fdb81d790399fc2b8f5c175825b4e0ab8a5760a730386c7a

Analysis

max time kernel
149s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2023, 14:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1e2a1ba90a1f38d6fdb81d790399fc2b8f5c175825b4e0ab8a5760a730386c7a.exe
Size

4.4MB
MD5

c19cfcf4c78f21a89ce0c3475a7123a1
SHA1

6ad14dcbbf540fe858b383114a9a7e3971d1e2b7
SHA256

1e2a1ba90a1f38d6fdb81d790399fc2b8f5c175825b4e0ab8a5760a730386c7a
SHA512

964c709beef9b8b72f1148510f0c92d94e8c0000a18c94e01a551c4811a2776874a17484163158f93e5706eedaa9dce9a7d920004d434e30734af38433690dfc
SSDEEP

98304:E46m3lOTN+F/VmxNhHQ849d15jLWdWyYC2yOMnIcDC:E46lN+ZVmxNhk1FWjYVPMnId

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3804	WindowsHolographicDevicesMicrosoft-Type9.7.9.2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHolographicDevicesMicrosoft-Type9.7.9.2 = "C:\\ProgramData\\WindowsHolographicDevicesMicrosoft-Type9.7.9.2\\WindowsHolographicDevicesMicrosoft-Type9.7.9.2.exe"	AppLaunch.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2132 set thread context of 3612	2132	1e2a1ba90a1f38d6fdb81d790399fc2b8f5c175825b4e0ab8a5760a730386c7a.exe	87

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 3612	2132	1e2a1ba90a1f38d6fdb81d790399fc2b8f5c175825b4e0ab8a5760a730386c7a.exe	87
PID 2132 wrote to memory of 3612	2132	1e2a1ba90a1f38d6fdb81d790399fc2b8f5c175825b4e0ab8a5760a730386c7a.exe	87
PID 2132 wrote to memory of 3612	2132	1e2a1ba90a1f38d6fdb81d790399fc2b8f5c175825b4e0ab8a5760a730386c7a.exe	87
PID 2132 wrote to memory of 3612	2132	1e2a1ba90a1f38d6fdb81d790399fc2b8f5c175825b4e0ab8a5760a730386c7a.exe	87
PID 2132 wrote to memory of 3612	2132	1e2a1ba90a1f38d6fdb81d790399fc2b8f5c175825b4e0ab8a5760a730386c7a.exe	87
PID 3612 wrote to memory of 3804	3612	AppLaunch.exe	95
PID 3612 wrote to memory of 3804	3612	AppLaunch.exe	95

C:\Users\Admin\AppData\Local\Temp\1e2a1ba90a1f38d6fdb81d790399fc2b8f5c175825b4e0ab8a5760a730386c7a.exe
"C:\Users\Admin\AppData\Local\Temp\1e2a1ba90a1f38d6fdb81d790399fc2b8f5c175825b4e0ab8a5760a730386c7a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\ProgramData\WindowsHolographicDevicesMicrosoft-Type9.7.9.2\WindowsHolographicDevicesMicrosoft-Type9.7.9.2.exe
    "C:\ProgramData\WindowsHolographicDevicesMicrosoft-Type9.7.9.2\WindowsHolographicDevicesMicrosoft-Type9.7.9.2.exe"
    3⤵
    - Executes dropped EXE
    PID:3804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsHolographicDevicesMicrosoft-Type9.7.9.2\WindowsHolographicDevicesMicrosoft-Type9.7.9.2.exe

Filesize
515.1MB

MD5
3638fb2941a2c582d0be6b7b9dd7ff6f

SHA1
843a8bc27d7ad9bf8bb6a79767f3f778ab4eba1d

SHA256
7eb5a1a44d14611b73d5f4ac5bf170f1989124c5286ddebeb83beb6eb4497e63

SHA512
f4bd72bfad38e35f1d5d7b69a8299c732474f482408b6025706097cbc9c33c9f658e72f0fa8b2aaa7c7894892604a33a73fe95488fed8900713e9b4df3da2d97

Download Submit
C:\ProgramData\WindowsHolographicDevicesMicrosoft-Type9.7.9.2\WindowsHolographicDevicesMicrosoft-Type9.7.9.2.exe

Filesize
437.9MB

MD5
0ec916f15b9ee78c61e2e9cc8ab67c0f

SHA1
536726eb6c077afdc229ea321b16a0de86e12db1

SHA256
f37fe210795c109ee40af156072ba5f595626d3f2f84be2c8ece103f71853f23

SHA512
a1dcb892360de4c8149a5f5a2d4bd2c56768655a631cbcd5c43b206529a778244c00d3cbd9a026392eecd46c36994636983cffdfc1ee22cc3f60339dbe1c8a7d

Download Submit
C:\ProgramData\WindowsHolographicDevicesMicrosoft-Type9.7.9.2\WindowsHolographicDevicesMicrosoft-Type9.7.9.2.exe

Filesize
516.0MB

MD5
f3d9511fbd8b38a7552a71320ef489ec

SHA1
6b084321d497de342ab1b460286d78cf88599e67

SHA256
3f674382a06f99837cccf584c0c169170959ef171638d821240ecba27881b8de

SHA512
97e16a488f2b3dbdc769837767e57e2f3e05f401012a3ec08696b8852363a38ff493e9dcc85432e9f05c766c42b46942420a883284d08ee657f76477f3f4c778

Download Submit
memory/3612-134-0x0000000000600000-0x0000000000A5C000-memory.dmp

Filesize
4.4MB

Download
memory/3612-139-0x0000000005550000-0x0000000005AF4000-memory.dmp

Filesize
5.6MB

Download
memory/3612-140-0x0000000005040000-0x00000000050D2000-memory.dmp

Filesize
584KB

Download
memory/3612-141-0x0000000005100000-0x000000000510A000-memory.dmp

Filesize
40KB

Download
memory/3612-142-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/3612-143-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/3612-144-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/3612-145-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download