a7c66e0cf0f6f7538a789d9dcb67d0bafa168386a2b623185305ffa41a18a192

General

Target

a7c66e0cf0f6f7538a789d9dcb67d0bafa168386a2b623185305ffa41a18a192.exe
Size

4.2MB
MD5

d91eee6ebeafa7ec4a854d627eeeaa34
SHA1

0aaf948ae2fe89b80d8b665942665765c01ce989
SHA256

a7c66e0cf0f6f7538a789d9dcb67d0bafa168386a2b623185305ffa41a18a192
SHA512

359f4ba52c9341c9c5da3b9afdad7008069efdf0d279bc96b9468cc7578b5db421a98e2a6601a614634829642c2a1e5a008652ee5aef0efa65dbc563b757dbc0
SSDEEP

98304:XkEhTEG4s2Rk5cs38shhSNjJe+i4sYeq69DedTV0VbTXF2RAvRthw:URG4sskf38s7MjJeVYT69id+VbaMc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4712	WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0.exe
1180	WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2120	icacls.exe
3924	icacls.exe
4720	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2984 set thread context of 3772	2984	a7c66e0cf0f6f7538a789d9dcb67d0bafa168386a2b623185305ffa41a18a192.exe	67

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2736	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 3772	2984	a7c66e0cf0f6f7538a789d9dcb67d0bafa168386a2b623185305ffa41a18a192.exe	67
PID 2984 wrote to memory of 3772	2984	a7c66e0cf0f6f7538a789d9dcb67d0bafa168386a2b623185305ffa41a18a192.exe	67
PID 2984 wrote to memory of 3772	2984	a7c66e0cf0f6f7538a789d9dcb67d0bafa168386a2b623185305ffa41a18a192.exe	67
PID 2984 wrote to memory of 3772	2984	a7c66e0cf0f6f7538a789d9dcb67d0bafa168386a2b623185305ffa41a18a192.exe	67
PID 2984 wrote to memory of 3772	2984	a7c66e0cf0f6f7538a789d9dcb67d0bafa168386a2b623185305ffa41a18a192.exe	67
PID 3772 wrote to memory of 2120	3772	AppLaunch.exe	68
PID 3772 wrote to memory of 2120	3772	AppLaunch.exe	68
PID 3772 wrote to memory of 2120	3772	AppLaunch.exe	68
PID 3772 wrote to memory of 3924	3772	AppLaunch.exe	70
PID 3772 wrote to memory of 3924	3772	AppLaunch.exe	70
PID 3772 wrote to memory of 3924	3772	AppLaunch.exe	70
PID 3772 wrote to memory of 4720	3772	AppLaunch.exe	72
PID 3772 wrote to memory of 4720	3772	AppLaunch.exe	72
PID 3772 wrote to memory of 4720	3772	AppLaunch.exe	72
PID 3772 wrote to memory of 2736	3772	AppLaunch.exe	74
PID 3772 wrote to memory of 2736	3772	AppLaunch.exe	74
PID 3772 wrote to memory of 2736	3772	AppLaunch.exe	74
PID 3772 wrote to memory of 4712	3772	AppLaunch.exe	76
PID 3772 wrote to memory of 4712	3772	AppLaunch.exe	76

C:\Users\Admin\AppData\Local\Temp\a7c66e0cf0f6f7538a789d9dcb67d0bafa168386a2b623185305ffa41a18a192.exe
"C:\Users\Admin\AppData\Local\Temp\a7c66e0cf0f6f7538a789d9dcb67d0bafa168386a2b623185305ffa41a18a192.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2120
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3924
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4720
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0\WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0" /TR "C:\ProgramData\WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0\WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:2736
- - C:\ProgramData\WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0\WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0.exe
    "C:\ProgramData\WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0\WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Executes dropped EXE
    PID:4712

C:\ProgramData\WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0\WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0.exe
C:\ProgramData\WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0\WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0.exe
1⤵
- Executes dropped EXE
PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0\WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0.exe

Filesize
613.6MB

MD5
fd500577a7584dc80c55ed16477c55b5

SHA1
3dfa6c09acae2cc6a2af64fabe00f39d7d402328

SHA256
07ee9e48eb13d8f8ac919bb760e14b42e7743ba5d40cddf81c47358e0f60178c

SHA512
7a29165dd18de0362dfcc6449625e8f51d464c77e7a15c76fb309ea9f56c1a15ae61ee967ceec5e103cb73a53a7286cb0dc47055111053ab594174347b63a9b4

Download Submit
C:\ProgramData\WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0\WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0.exe

Filesize
662.7MB

MD5
c8f1726ce4953ddb3a6dc299859b8863

SHA1
d0bc5e51c5af9f90f22ed378fcc0451f1d422341

SHA256
83518736083b825c8e66c989271b845f515adbece2a4d795049dd02585b998e4

SHA512
0d49a35c91f0ef8bf1561abe25b3ac54d7d8429f078e019692fd16040ef17a733c65732a3e34b73185db978add55e2cae82602bdc7c688f3687c07865fe4c988

Download Submit
C:\ProgramData\WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0\WindowsHolographicDevicesregid.1991-06.com.microsoft-type2.2.0.0.exe

Filesize
329.2MB

MD5
a0ad2e57ce1015067829ae939a8a78a4

SHA1
0c8ab7e2f6e0d119a6e0e8b0a548faab0a709e72

SHA256
9d6fc6bd7c811bd599c18c6e7d705399d9b445aa841c870236f8e804efc9da40

SHA512
f8bf884914fccd98648f02269e019d631d403369c92f17baa482f548df5629c2296f8ba66a5f92dd1d8721fb9f38ce2f1dbaaa091d6d57fc3d101cfed6e090df

Download Submit
memory/3772-119-0x0000000000400000-0x0000000000828000-memory.dmp

Filesize
4.2MB

Download
memory/3772-126-0x0000000009A60000-0x0000000009F5E000-memory.dmp

Filesize
5.0MB

Download
memory/3772-127-0x0000000009600000-0x0000000009692000-memory.dmp

Filesize
584KB

Download
memory/3772-128-0x00000000095F0000-0x00000000095FA000-memory.dmp

Filesize
40KB

Download
memory/3772-129-0x0000000009580000-0x0000000009590000-memory.dmp

Filesize
64KB

Download
memory/3772-130-0x0000000009580000-0x0000000009590000-memory.dmp

Filesize
64KB

Download
memory/3772-131-0x0000000009580000-0x0000000009590000-memory.dmp

Filesize
64KB

Download
memory/3772-132-0x0000000009580000-0x0000000009590000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads