c1464861a7f6349787776eb18c30c8e89830917918f75c73fb70144acb0f52c2

General

Target

c1464861a7f6349787776eb18c30c8e89830917918f75c73fb70144acb0f52c2.exe
Size

4.2MB
MD5

b45673557e32811931e1e1142e1a90a7
SHA1

43416f3b4b33e276d9f2eb7b68878713f1d6519c
SHA256

c1464861a7f6349787776eb18c30c8e89830917918f75c73fb70144acb0f52c2
SHA512

fe37e470ac6dad452d281f023293afa5a6ca04a1981e44cf0ea10d39fe366ce865da12a1924c282ad40be2ab6d582ae86293f3a9e1ed1a89459b1786d80ea380
SSDEEP

49152:Rx28PbFFbDmcVY9yIsI/qaQjI6DpiRp5ZtCaMRka7eQxh+KDQy8YTc7cN6oe4C8C:OutKcm9yB4iIEiB2+a7eUkuC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2252	WindowsHolographicDevicesUSOPrivate-type7.2.0.0.exe
4980	WindowsHolographicDevicesUSOPrivate-type7.2.0.0.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4920	icacls.exe
2988	icacls.exe
4504	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4604 set thread context of 2112	4604	c1464861a7f6349787776eb18c30c8e89830917918f75c73fb70144acb0f52c2.exe	67

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2248	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 2112	4604	c1464861a7f6349787776eb18c30c8e89830917918f75c73fb70144acb0f52c2.exe	67
PID 4604 wrote to memory of 2112	4604	c1464861a7f6349787776eb18c30c8e89830917918f75c73fb70144acb0f52c2.exe	67
PID 4604 wrote to memory of 2112	4604	c1464861a7f6349787776eb18c30c8e89830917918f75c73fb70144acb0f52c2.exe	67
PID 4604 wrote to memory of 2112	4604	c1464861a7f6349787776eb18c30c8e89830917918f75c73fb70144acb0f52c2.exe	67
PID 4604 wrote to memory of 2112	4604	c1464861a7f6349787776eb18c30c8e89830917918f75c73fb70144acb0f52c2.exe	67
PID 2112 wrote to memory of 4920	2112	MSBuild.exe	68
PID 2112 wrote to memory of 4920	2112	MSBuild.exe	68
PID 2112 wrote to memory of 4920	2112	MSBuild.exe	68
PID 2112 wrote to memory of 2988	2112	MSBuild.exe	70
PID 2112 wrote to memory of 2988	2112	MSBuild.exe	70
PID 2112 wrote to memory of 2988	2112	MSBuild.exe	70
PID 2112 wrote to memory of 4504	2112	MSBuild.exe	72
PID 2112 wrote to memory of 4504	2112	MSBuild.exe	72
PID 2112 wrote to memory of 4504	2112	MSBuild.exe	72
PID 2112 wrote to memory of 2248	2112	MSBuild.exe	74
PID 2112 wrote to memory of 2248	2112	MSBuild.exe	74
PID 2112 wrote to memory of 2248	2112	MSBuild.exe	74
PID 2112 wrote to memory of 2252	2112	MSBuild.exe	75
PID 2112 wrote to memory of 2252	2112	MSBuild.exe	75

C:\Users\Admin\AppData\Local\Temp\c1464861a7f6349787776eb18c30c8e89830917918f75c73fb70144acb0f52c2.exe
"C:\Users\Admin\AppData\Local\Temp\c1464861a7f6349787776eb18c30c8e89830917918f75c73fb70144acb0f52c2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesUSOPrivate-type7.2.0.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4920
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesUSOPrivate-type7.2.0.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2988
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesUSOPrivate-type7.2.0.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4504
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "WindowsHolographicDevicesUSOPrivate-type7.2.0.0\WindowsHolographicDevicesUSOPrivate-type7.2.0.0" /TR "C:\ProgramData\WindowsHolographicDevicesUSOPrivate-type7.2.0.0\WindowsHolographicDevicesUSOPrivate-type7.2.0.0.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:2248
- - C:\ProgramData\WindowsHolographicDevicesUSOPrivate-type7.2.0.0\WindowsHolographicDevicesUSOPrivate-type7.2.0.0.exe
    "C:\ProgramData\WindowsHolographicDevicesUSOPrivate-type7.2.0.0\WindowsHolographicDevicesUSOPrivate-type7.2.0.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Executes dropped EXE
    PID:2252

C:\ProgramData\WindowsHolographicDevicesUSOPrivate-type7.2.0.0\WindowsHolographicDevicesUSOPrivate-type7.2.0.0.exe
C:\ProgramData\WindowsHolographicDevicesUSOPrivate-type7.2.0.0\WindowsHolographicDevicesUSOPrivate-type7.2.0.0.exe
1⤵
- Executes dropped EXE
PID:4980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsHolographicDevicesUSOPrivate-type7.2.0.0\WindowsHolographicDevicesUSOPrivate-type7.2.0.0.exe

Filesize
822.2MB

MD5
6c528d1e1808a058417a54a66a488826

SHA1
8355aca2eae06f8f668ae51310c881d2227aa701

SHA256
d7245cb4824c599032ecff4281ccbae8e670897c90b1d025922b0e5f6cf5f249

SHA512
13d0a3d8e256e1da267889035ef43dbf19f218f5c61cdf134e4d68eae5a7f204c287cec2932895c350a590d41ae3f0d73e01032d5cd9faadc320139a5607fd38

Download Submit
C:\ProgramData\WindowsHolographicDevicesUSOPrivate-type7.2.0.0\WindowsHolographicDevicesUSOPrivate-type7.2.0.0.exe

Filesize
829.2MB

MD5
a5c93f26128f973c3334cd1d0934e273

SHA1
2dfdb3213ebabd4667fe46d53c1830a175f0878c

SHA256
cb0b87d366e70824659fc73849a7aceb953516d69bf2ee4d87dc0422a74c27ee

SHA512
88f8be107e94f0422f2bd94b17b2c2f02fd22596bd05d5c82adb5a4121ccc86e34fbaa1cd067deaa4c45c95ecbeb6b7df4182b2e12eb044c513e8754374cc3a7

Download Submit
C:\ProgramData\WindowsHolographicDevicesUSOPrivate-type7.2.0.0\WindowsHolographicDevicesUSOPrivate-type7.2.0.0.exe

Filesize
406.7MB

MD5
532c90b06819f2b80149d8b6c62b41ef

SHA1
dc90ee87bdccb626824388a9af20248f32be1aad

SHA256
7c0fd516d642e683854eb9e5be702f3c5af7e33ef2e456497fbe5ae379512ada

SHA512
e15c9865d916235caafc2fdd0b074649b1b18a0d0c17815f0da9a3ee5428358d714e36d49f6601f9dc85a1d5bc6dc89709486cb4ae2444af306a40798ec5f48c

Download Submit
memory/2112-120-0x0000000000400000-0x0000000000828000-memory.dmp

Filesize
4.2MB

Download
memory/2112-125-0x0000000005CF0000-0x00000000061EE000-memory.dmp

Filesize
5.0MB

Download
memory/2112-126-0x0000000005890000-0x0000000005922000-memory.dmp

Filesize
584KB

Download
memory/2112-127-0x0000000005930000-0x000000000593A000-memory.dmp

Filesize
40KB

Download
memory/2112-128-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download
memory/2112-129-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download
memory/2112-130-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads