37b3ea1526a83ea5f65ae24d0d5cc180d4f21d1d8e8114e8eaa5b9f6577423ec

General

Target

37b3ea1526a83ea5f65ae24d0d5cc180d4f21d1d8e8114e8eaa5b9f6577423ec.exe
Size

3.4MB
MD5

d9ec59dc2b480fd37139f08cce7fed33
SHA1

25e896392964466e54159e5b9678cf69c134aa24
SHA256

37b3ea1526a83ea5f65ae24d0d5cc180d4f21d1d8e8114e8eaa5b9f6577423ec
SHA512

222842ff347e0572cd81770a207c6400d27d56c03335e2f1ba963af25bca58ecdec690b599f871c2a2e8d7699fb28e7d8aaeca3c576d8dcde57396732f9eaa04
SSDEEP

49152:Jr1c7Kvf8e9HTgXHXayMSTQ5c1ztH9rDDQvOJRg05T0Oa/rm2ho8IucxzrurVlo5:CKvfd94XayMT5sH9M0aS8o9uWyUhHyY

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SoftwareDistributionWindowsHolographicDevices-type0.6.7.3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SoftwareDistributionWindowsHolographicDevices-type0.6.7.3.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SoftwareDistributionWindowsHolographicDevices-type0.6.7.3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SoftwareDistributionWindowsHolographicDevices-type0.6.7.3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SoftwareDistributionWindowsHolographicDevices-type0.6.7.3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SoftwareDistributionWindowsHolographicDevices-type0.6.7.3.exe

Executes dropped EXE 2 IoCs

pid	Process
3504	SoftwareDistributionWindowsHolographicDevices-type0.6.7.3.exe
4740	SoftwareDistributionWindowsHolographicDevices-type0.6.7.3.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2432	icacls.exe
3592	icacls.exe
2800	icacls.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000900000001af1e-148.dat	upx
behavioral2/files/0x000900000001af1e-149.dat	upx
behavioral2/memory/3504-151-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp	upx
behavioral2/memory/3504-153-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp	upx
behavioral2/memory/3504-154-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp	upx
behavioral2/memory/3504-155-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp	upx
behavioral2/memory/3504-156-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp	upx
behavioral2/files/0x000900000001af1e-157.dat	upx
behavioral2/memory/4740-158-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp	upx
behavioral2/memory/4740-159-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp	upx
behavioral2/memory/4740-160-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp	upx
behavioral2/memory/4740-161-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp	upx
behavioral2/memory/4740-162-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp	upx
behavioral2/memory/4740-163-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SoftwareDistributionWindowsHolographicDevices-type0.6.7.3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SoftwareDistributionWindowsHolographicDevices-type0.6.7.3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2436 set thread context of 2940	2436	37b3ea1526a83ea5f65ae24d0d5cc180d4f21d1d8e8114e8eaa5b9f6577423ec.exe	67

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4664	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2940	2436	37b3ea1526a83ea5f65ae24d0d5cc180d4f21d1d8e8114e8eaa5b9f6577423ec.exe	67
PID 2436 wrote to memory of 2940	2436	37b3ea1526a83ea5f65ae24d0d5cc180d4f21d1d8e8114e8eaa5b9f6577423ec.exe	67
PID 2436 wrote to memory of 2940	2436	37b3ea1526a83ea5f65ae24d0d5cc180d4f21d1d8e8114e8eaa5b9f6577423ec.exe	67
PID 2436 wrote to memory of 2940	2436	37b3ea1526a83ea5f65ae24d0d5cc180d4f21d1d8e8114e8eaa5b9f6577423ec.exe	67
PID 2436 wrote to memory of 2940	2436	37b3ea1526a83ea5f65ae24d0d5cc180d4f21d1d8e8114e8eaa5b9f6577423ec.exe	67
PID 2940 wrote to memory of 2800	2940	AppLaunch.exe	68
PID 2940 wrote to memory of 2800	2940	AppLaunch.exe	68
PID 2940 wrote to memory of 2800	2940	AppLaunch.exe	68
PID 2940 wrote to memory of 2432	2940	AppLaunch.exe	70
PID 2940 wrote to memory of 2432	2940	AppLaunch.exe	70
PID 2940 wrote to memory of 2432	2940	AppLaunch.exe	70
PID 2940 wrote to memory of 3592	2940	AppLaunch.exe	71
PID 2940 wrote to memory of 3592	2940	AppLaunch.exe	71
PID 2940 wrote to memory of 3592	2940	AppLaunch.exe	71
PID 2940 wrote to memory of 4664	2940	AppLaunch.exe	73
PID 2940 wrote to memory of 4664	2940	AppLaunch.exe	73
PID 2940 wrote to memory of 4664	2940	AppLaunch.exe	73
PID 2940 wrote to memory of 3504	2940	AppLaunch.exe	76
PID 2940 wrote to memory of 3504	2940	AppLaunch.exe	76

C:\Users\Admin\AppData\Local\Temp\37b3ea1526a83ea5f65ae24d0d5cc180d4f21d1d8e8114e8eaa5b9f6577423ec.exe
"C:\Users\Admin\AppData\Local\Temp\37b3ea1526a83ea5f65ae24d0d5cc180d4f21d1d8e8114e8eaa5b9f6577423ec.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\SoftwareDistributionWindowsHolographicDevices-type0.6.7.3" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2800
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\SoftwareDistributionWindowsHolographicDevices-type0.6.7.3" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2432
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\SoftwareDistributionWindowsHolographicDevices-type0.6.7.3" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3592
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "SoftwareDistributionWindowsHolographicDevices-type0.6.7.3\SoftwareDistributionWindowsHolographicDevices-type0.6.7.3" /TR "C:\ProgramData\SoftwareDistributionWindowsHolographicDevices-type0.6.7.3\SoftwareDistributionWindowsHolographicDevices-type0.6.7.3.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:4664
- - C:\ProgramData\SoftwareDistributionWindowsHolographicDevices-type0.6.7.3\SoftwareDistributionWindowsHolographicDevices-type0.6.7.3.exe
    "C:\ProgramData\SoftwareDistributionWindowsHolographicDevices-type0.6.7.3\SoftwareDistributionWindowsHolographicDevices-type0.6.7.3.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:3504

C:\ProgramData\SoftwareDistributionWindowsHolographicDevices-type0.6.7.3\SoftwareDistributionWindowsHolographicDevices-type0.6.7.3.exe
C:\ProgramData\SoftwareDistributionWindowsHolographicDevices-type0.6.7.3\SoftwareDistributionWindowsHolographicDevices-type0.6.7.3.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SoftwareDistributionWindowsHolographicDevices-type0.6.7.3\SoftwareDistributionWindowsHolographicDevices-type0.6.7.3.exe

Filesize
198.9MB

MD5
840846d7f6e3e6e27df6128b7a8f666d

SHA1
fdaad130470558f002176c9d4393333420ad052f

SHA256
d4851c937e962c89bfc86d4b181501638b762137f6c15b1ddfb85f8eb0344219

SHA512
1b0f9ac6bad2d48209054a5db000d64d6ca16107bd3ac190ea9677de47a313d27986ad5f01dce8439db2d225ed7ebb9c48d95ccaa6ce79ebd9f996905dddfd87

Download Submit
C:\ProgramData\SoftwareDistributionWindowsHolographicDevices-type0.6.7.3\SoftwareDistributionWindowsHolographicDevices-type0.6.7.3.exe

Filesize
194.3MB

MD5
de3385420ee88678766cb39d98d557be

SHA1
61cbc8afe3f532db3f4feb406e999c007af12e00

SHA256
4f1f5e3ea0dc37a7fb876de242dac6aaacbbedc23f3f9bcfa09eed1a69295fd3

SHA512
f72b9245f8ec480aeea6bc7ddc9ebb7392b307aeb157e9d61eaff9a941a73ce4f0db658e2ff7a5aca932aa620384bc203399e584e486d25a44eff60a303de7b3

Download Submit
C:\ProgramData\SoftwareDistributionWindowsHolographicDevices-type0.6.7.3\SoftwareDistributionWindowsHolographicDevices-type0.6.7.3.exe

Filesize
151.9MB

MD5
5436953dbb3a1fdc2c2d0371b4742391

SHA1
6399e3bb29962edca65be4b08402e83f865b7346

SHA256
e424b4a923ddcad0afcccef0144346095737bce8d036a7f0dafed29460ab3713

SHA512
5dbf229e538e9fdb1975f3bc5f57852f32e3a443ec589ffa803ffd9e93ab61cdb92af0660e60e524012c83c97c2aad54de5a6f0999cff7d58017c96ef17bbe91

Download Submit
memory/2940-121-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/2940-128-0x0000000009B20000-0x000000000A01E000-memory.dmp

Filesize
5.0MB

Download
memory/2940-129-0x00000000096C0000-0x0000000009752000-memory.dmp

Filesize
584KB

Download
memory/2940-130-0x0000000007180000-0x000000000718A000-memory.dmp

Filesize
40KB

Download
memory/2940-131-0x0000000009950000-0x0000000009960000-memory.dmp

Filesize
64KB

Download
memory/2940-132-0x0000000009950000-0x0000000009960000-memory.dmp

Filesize
64KB

Download
memory/2940-133-0x0000000009950000-0x0000000009960000-memory.dmp

Filesize
64KB

Download
memory/3504-153-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp

Filesize
5.1MB

Download
memory/3504-154-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp

Filesize
5.1MB

Download
memory/3504-155-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp

Filesize
5.1MB

Download
memory/3504-156-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp

Filesize
5.1MB

Download
memory/3504-151-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp

Filesize
5.1MB

Download
memory/4740-158-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp

Filesize
5.1MB

Download
memory/4740-159-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp

Filesize
5.1MB

Download
memory/4740-160-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp

Filesize
5.1MB

Download
memory/4740-161-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp

Filesize
5.1MB

Download
memory/4740-162-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp

Filesize
5.1MB

Download
memory/4740-163-0x00007FF7DFC00000-0x00007FF7E011F000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads