e688857ff8a34ba9a65f60948744f3fa2e1084b2f080ada0996b7ded50fcab38

General

Target

e688857ff8a34ba9a65f60948744f3fa2e1084b2f080ada0996b7ded50fcab38.exe
Size

3.4MB
MD5

150b4cbff742a0b51ec685437a7d3459
SHA1

f2f555a0417bb04f5a23cdb851304be9c9fdc8c5
SHA256

e688857ff8a34ba9a65f60948744f3fa2e1084b2f080ada0996b7ded50fcab38
SHA512

fa51820907169072a063fffe9c179631da6324335c9a094bed77dfee96eb8c94df495b6cce5d2b4e96c2bad3b22dc1a53da356c53ed1ab49a73ee5c1f1a59a0f
SSDEEP

98304:qna5Gkonx+t5bHJmSwD2jCgQIr/84IVuTPYU:Ua5InxsjmTK+gQIjCwx

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WindowsHolographicDevicesDocuments-type3.9.5.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WindowsHolographicDevicesDocuments-type3.9.5.0.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WindowsHolographicDevicesDocuments-type3.9.5.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WindowsHolographicDevicesDocuments-type3.9.5.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WindowsHolographicDevicesDocuments-type3.9.5.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WindowsHolographicDevicesDocuments-type3.9.5.0.exe

Executes dropped EXE 2 IoCs

pid	Process
3312	WindowsHolographicDevicesDocuments-type3.9.5.0.exe
4552	WindowsHolographicDevicesDocuments-type3.9.5.0.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4188	icacls.exe
4064	icacls.exe
3724	icacls.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000002314d-149.dat	upx
behavioral1/files/0x000800000002314d-150.dat	upx
behavioral1/files/0x000800000002314d-151.dat	upx
behavioral1/memory/3312-153-0x00007FF67FB80000-0x00007FF68009F000-memory.dmp	upx
behavioral1/memory/3312-154-0x00007FF67FB80000-0x00007FF68009F000-memory.dmp	upx
behavioral1/memory/3312-155-0x00007FF67FB80000-0x00007FF68009F000-memory.dmp	upx
behavioral1/files/0x000800000002314d-157.dat	upx
behavioral1/memory/4552-158-0x00007FF67FB80000-0x00007FF68009F000-memory.dmp	upx
behavioral1/memory/4552-159-0x00007FF67FB80000-0x00007FF68009F000-memory.dmp	upx
behavioral1/memory/4552-160-0x00007FF67FB80000-0x00007FF68009F000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsHolographicDevicesDocuments-type3.9.5.0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsHolographicDevicesDocuments-type3.9.5.0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1436 set thread context of 1488	1436	e688857ff8a34ba9a65f60948744f3fa2e1084b2f080ada0996b7ded50fcab38.exe	89

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1160	1436	WerFault.exe	85
3028	1436	WerFault.exe	85

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1200	schtasks.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1488	1436	e688857ff8a34ba9a65f60948744f3fa2e1084b2f080ada0996b7ded50fcab38.exe	89
PID 1436 wrote to memory of 1488	1436	e688857ff8a34ba9a65f60948744f3fa2e1084b2f080ada0996b7ded50fcab38.exe	89
PID 1436 wrote to memory of 1488	1436	e688857ff8a34ba9a65f60948744f3fa2e1084b2f080ada0996b7ded50fcab38.exe	89
PID 1436 wrote to memory of 1488	1436	e688857ff8a34ba9a65f60948744f3fa2e1084b2f080ada0996b7ded50fcab38.exe	89
PID 1436 wrote to memory of 1488	1436	e688857ff8a34ba9a65f60948744f3fa2e1084b2f080ada0996b7ded50fcab38.exe	89
PID 1436 wrote to memory of 1160	1436	e688857ff8a34ba9a65f60948744f3fa2e1084b2f080ada0996b7ded50fcab38.exe	95
PID 1436 wrote to memory of 1160	1436	e688857ff8a34ba9a65f60948744f3fa2e1084b2f080ada0996b7ded50fcab38.exe	95
PID 1436 wrote to memory of 1160	1436	e688857ff8a34ba9a65f60948744f3fa2e1084b2f080ada0996b7ded50fcab38.exe	95
PID 1488 wrote to memory of 4188	1488	AppLaunch.exe	97
PID 1488 wrote to memory of 4188	1488	AppLaunch.exe	97
PID 1488 wrote to memory of 4188	1488	AppLaunch.exe	97
PID 1488 wrote to memory of 4064	1488	AppLaunch.exe	98
PID 1488 wrote to memory of 4064	1488	AppLaunch.exe	98
PID 1488 wrote to memory of 4064	1488	AppLaunch.exe	98
PID 1488 wrote to memory of 3724	1488	AppLaunch.exe	99
PID 1488 wrote to memory of 3724	1488	AppLaunch.exe	99
PID 1488 wrote to memory of 3724	1488	AppLaunch.exe	99
PID 1488 wrote to memory of 1200	1488	AppLaunch.exe	103
PID 1488 wrote to memory of 1200	1488	AppLaunch.exe	103
PID 1488 wrote to memory of 1200	1488	AppLaunch.exe	103
PID 1488 wrote to memory of 3312	1488	AppLaunch.exe	105
PID 1488 wrote to memory of 3312	1488	AppLaunch.exe	105

C:\Users\Admin\AppData\Local\Temp\e688857ff8a34ba9a65f60948744f3fa2e1084b2f080ada0996b7ded50fcab38.exe
"C:\Users\Admin\AppData\Local\Temp\e688857ff8a34ba9a65f60948744f3fa2e1084b2f080ada0996b7ded50fcab38.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesDocuments-type3.9.5.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4188
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesDocuments-type3.9.5.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4064
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesDocuments-type3.9.5.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3724
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "WindowsHolographicDevicesDocuments-type3.9.5.0\WindowsHolographicDevicesDocuments-type3.9.5.0" /TR "C:\ProgramData\WindowsHolographicDevicesDocuments-type3.9.5.0\WindowsHolographicDevicesDocuments-type3.9.5.0.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:1200
- - C:\ProgramData\WindowsHolographicDevicesDocuments-type3.9.5.0\WindowsHolographicDevicesDocuments-type3.9.5.0.exe
    "C:\ProgramData\WindowsHolographicDevicesDocuments-type3.9.5.0\WindowsHolographicDevicesDocuments-type3.9.5.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:3312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 14036496
  2⤵
  - Program crash
  PID:1160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 14036496
  2⤵
  - Program crash
  PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1436 -ip 1436
1⤵
PID:3748

C:\ProgramData\WindowsHolographicDevicesDocuments-type3.9.5.0\WindowsHolographicDevicesDocuments-type3.9.5.0.exe
C:\ProgramData\WindowsHolographicDevicesDocuments-type3.9.5.0\WindowsHolographicDevicesDocuments-type3.9.5.0.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsHolographicDevicesDocuments-type3.9.5.0\WindowsHolographicDevicesDocuments-type3.9.5.0.exe

Filesize
482.0MB

MD5
6f751cf22bac39d101a2de2b633e50d8

SHA1
0b670142fc811e2845ac05c2a27cf5d6ca5ab7ac

SHA256
8be3681717a67d9f0823cd4712a9214f72532722c826948613c5e99dc7490803

SHA512
5ac10244d7a1ce9642fb97ac486a787ce18284cda2ba5448b5db2cb68c500d4f3be6ae2d0003b46494e62e421475ec83c5ed5fdcea4e95b1a4fa6aa0ce780af5

Download Submit
C:\ProgramData\WindowsHolographicDevicesDocuments-type3.9.5.0\WindowsHolographicDevicesDocuments-type3.9.5.0.exe

Filesize
520.6MB

MD5
15fa36be60d4d765fc28d86e5eaee93d

SHA1
3830da5f4bf9780963c6a8221ab8a3445c6f11d1

SHA256
f7611b827c1c32cd104152e17933b9f2965515b5f191e5f101438ace95f4a267

SHA512
de6b858a0ac1d577d2e5a6e371ed8d7a3381a3d05c3a0df6383aaed69baa186d2271607972630b6aec8b9a427c4d789380e6f4d68f838807e82aa6875e0b0448

Download Submit
C:\ProgramData\WindowsHolographicDevicesDocuments-type3.9.5.0\WindowsHolographicDevicesDocuments-type3.9.5.0.exe

Filesize
467.7MB

MD5
b6b19be03b6d6b83349a12eb5579e99f

SHA1
e01ddfd15cacac3f8d9881b0c928e8a895fff360

SHA256
28772e04ccd21e13bfe029acb9273107f32333ea0ac9603501f4b2a91900815c

SHA512
7e905f88f006e78ceaaa30dc81dc028ead8e206e5b4c8d446ab52213db96688c802fb6a3ed90f5e2ffae5e7cbc7ea837a743c2e65d05e61aff80cf2f4e668ddb

Download Submit
C:\ProgramData\WindowsHolographicDevicesDocuments-type3.9.5.0\WindowsHolographicDevicesDocuments-type3.9.5.0.exe

Filesize
393.4MB

MD5
e02b863ee32b51296e52b20163ad2e46

SHA1
5a6208afca653176b6ad324ea7f9d630d5d1b2a1

SHA256
bce5df857cc65150a385f8c48ba8ddeaefa99001eec37868fc9ab16281dc8bb1

SHA512
bea95030c1e92254d077a99de079545f5266e1e54ab3f5e908f86c125f2a7856f4e634053f3e129afa140bbbe2b41085d0eb36a3decb83737c8b7a3ea7c3aca6

Download Submit
memory/1488-141-0x0000000005620000-0x000000000562A000-memory.dmp

Filesize
40KB

Download
memory/1488-138-0x0000000005940000-0x0000000005EE4000-memory.dmp

Filesize
5.6MB

Download
memory/1488-143-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/1488-144-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/1488-133-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1488-140-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/1488-139-0x0000000005470000-0x0000000005502000-memory.dmp

Filesize
584KB

Download
memory/1488-142-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/3312-154-0x00007FF67FB80000-0x00007FF68009F000-memory.dmp

Filesize
5.1MB

Download
memory/3312-155-0x00007FF67FB80000-0x00007FF68009F000-memory.dmp

Filesize
5.1MB

Download
memory/3312-153-0x00007FF67FB80000-0x00007FF68009F000-memory.dmp

Filesize
5.1MB

Download
memory/4552-158-0x00007FF67FB80000-0x00007FF68009F000-memory.dmp

Filesize
5.1MB

Download
memory/4552-159-0x00007FF67FB80000-0x00007FF68009F000-memory.dmp

Filesize
5.1MB

Download
memory/4552-160-0x00007FF67FB80000-0x00007FF68009F000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads