4e45051d214af572935596233db47eee57ceb6600841815dc51171dee15840f5

General

Target

Clip1.exe
Size

3.4MB
MD5

7c3ba41716690f6d5bca3520700e894c
SHA1

d8112039a130dd3d406c8b2386cce5ef8a745ce0
SHA256

4e45051d214af572935596233db47eee57ceb6600841815dc51171dee15840f5
SHA512

a3f6251d657d7abd982d68252c5085fe0393384c3edb37c19a750afbe95adeb926d5586f54be4f3ea1b314b533bd0676de35f7bd22460f1c0cefc464c8cbf23b
SSDEEP

49152:rr1c7Kvf8e9HTgXHXayMSTQ5c1ztH9rDDQvOJRg05T0Oa/rm2ho8IucxzrurVlo9:gKvfd94XayMT5sH9M0aS8o9uWyUhHyk

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3.exe

Executes dropped EXE 2 IoCs

pid	Process
3744	WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3.exe
1452	WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3752	icacls.exe
332	icacls.exe
4336	icacls.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023162-149.dat	upx
behavioral2/files/0x0009000000023162-151.dat	upx
behavioral2/files/0x0009000000023162-152.dat	upx
behavioral2/memory/3744-154-0x00007FF6C8BD0000-0x00007FF6C90EF000-memory.dmp	upx
behavioral2/memory/3744-156-0x00007FF6C8BD0000-0x00007FF6C90EF000-memory.dmp	upx
behavioral2/memory/3744-155-0x00007FF6C8BD0000-0x00007FF6C90EF000-memory.dmp	upx
behavioral2/memory/3744-157-0x00007FF6C8BD0000-0x00007FF6C90EF000-memory.dmp	upx
behavioral2/files/0x0009000000023162-158.dat	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1352 set thread context of 4580	1352	Clip1.exe	86

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3084	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 4580	1352	Clip1.exe	86
PID 1352 wrote to memory of 4580	1352	Clip1.exe	86
PID 1352 wrote to memory of 4580	1352	Clip1.exe	86
PID 1352 wrote to memory of 4580	1352	Clip1.exe	86
PID 1352 wrote to memory of 4580	1352	Clip1.exe	86
PID 4580 wrote to memory of 3752	4580	AppLaunch.exe	87
PID 4580 wrote to memory of 3752	4580	AppLaunch.exe	87
PID 4580 wrote to memory of 3752	4580	AppLaunch.exe	87
PID 4580 wrote to memory of 332	4580	AppLaunch.exe	89
PID 4580 wrote to memory of 332	4580	AppLaunch.exe	89
PID 4580 wrote to memory of 332	4580	AppLaunch.exe	89
PID 4580 wrote to memory of 4336	4580	AppLaunch.exe	91
PID 4580 wrote to memory of 4336	4580	AppLaunch.exe	91
PID 4580 wrote to memory of 4336	4580	AppLaunch.exe	91
PID 4580 wrote to memory of 3084	4580	AppLaunch.exe	92
PID 4580 wrote to memory of 3084	4580	AppLaunch.exe	92
PID 4580 wrote to memory of 3084	4580	AppLaunch.exe	92
PID 4580 wrote to memory of 3744	4580	AppLaunch.exe	95
PID 4580 wrote to memory of 3744	4580	AppLaunch.exe	95

C:\Users\Admin\AppData\Local\Temp\Clip1.exe
"C:\Users\Admin\AppData\Local\Temp\Clip1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3752
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:332
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4336
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3" /TR "C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:3084
- - C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3.exe
    "C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:3744

C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3.exe
C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3.exe
1⤵
- Executes dropped EXE
PID:1452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3.exe

Filesize
687.4MB

MD5
9b767a5c61afd7a1c74da2c3a5a20e11

SHA1
d86e21c69a1261c12adf96545a88bc74bdd3a550

SHA256
b9c1844af586dc349fe8301f19e60ca0565470f35485020157e40ad15e871f64

SHA512
d85538938c0ebc19bb12e8b5696d0a09331634dd642cca65d51372fb76e3b895d28eeee3f27221d378f321d9c5f800dcc39b3a272dca3d62a6db8733be98c887

Download Submit
C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3.exe

Filesize
687.3MB

MD5
b5f22e5210d173b060a70bb6bd349aca

SHA1
c7c217e1bb26c6ed707874fdb16f11b49a22b061

SHA256
001f6fb72797168d734787fc125b7e1a851129ecd1fa84762660ddbcf919ff69

SHA512
ccd42a1386375befa6f45a4944a21a545997c895eb234c95a6fb213008c3bbe9dd9c300cbfa870bce2e98628ec10b90c66f176c51ee7f401366e8ca14c351af9

Download Submit
C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3.exe

Filesize
657.1MB

MD5
8536b7c266bd17de939a88d994604648

SHA1
9a89133b80a1cc12ce2566ed2f3eabb65c0dba13

SHA256
1f03a813c5c8dd0739554295cbcc65105eb3e0e7625f86d618c9ad47d7b86843

SHA512
3345191d31686c89bd33891d7e99276a2489a1414d9e9b7c4b2a7f23f7728c8dcc602b825b02684593b0d6ec94610034252df81ddb8f5da3425b2b50add79bf3

Download Submit
C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3\WindowsHolographicDevicesWindowsHolographicDevices-type7.3.1.3.exe

Filesize
7.2MB

MD5
c1309ee106bcfd04e35500f8e3072bef

SHA1
61f651eed9a05967d36abb98b34c458d31cbee37

SHA256
2752310d5066d97b5972f9503cf8ef540c65d7f65fd393c4ab4a63daa48a6b49

SHA512
2cce43b620943e4d0dcf5b9723d0514d5bb85f72eaf0b76f5e6837a3972d80b91603dc06531746f2647b0672617ccd6463c37c64fd1338ea43589013cf936163

Download Submit
memory/3744-156-0x00007FF6C8BD0000-0x00007FF6C90EF000-memory.dmp

Filesize
5.1MB

Download
memory/3744-154-0x00007FF6C8BD0000-0x00007FF6C90EF000-memory.dmp

Filesize
5.1MB

Download
memory/3744-155-0x00007FF6C8BD0000-0x00007FF6C90EF000-memory.dmp

Filesize
5.1MB

Download
memory/3744-157-0x00007FF6C8BD0000-0x00007FF6C90EF000-memory.dmp

Filesize
5.1MB

Download
memory/4580-142-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/4580-143-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/4580-144-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/4580-141-0x00000000050C0000-0x00000000050CA000-memory.dmp

Filesize
40KB

Download
memory/4580-140-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/4580-139-0x0000000005110000-0x00000000051A2000-memory.dmp

Filesize
584KB

Download
memory/4580-133-0x0000000000750000-0x0000000000AAC000-memory.dmp

Filesize
3.4MB

Download
memory/4580-138-0x00000000056C0000-0x0000000005C64000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads