e52f2dbc0ee8bc0fc1b6393463285a7425d8c5de6dcd04dd0456f7c51ad0cd8e

General

Target

e52f2dbc0ee8bc0fc1b6393463285a7425d8c5de6dcd04dd0456f7c51ad0cd8e.exe
Size

3.4MB
MD5

80d5f5becc3cfc8713706e45c93e65b3
SHA1

ea44d7ae5451420937975c0a62234f082b3e1a23
SHA256

e52f2dbc0ee8bc0fc1b6393463285a7425d8c5de6dcd04dd0456f7c51ad0cd8e
SHA512

5b653656a9b9c78a9f0565e95c128888c66b91284a5a7c9e9d87e7cf8837cfc44801a3eb57777b3d8a58f691d4715faf6f399350aba378e020e625f096b0318a
SSDEEP

49152:k9x5EciXT1SMTEGUlayCd1XlOrUcwFY92eg6zBCYUFQumEeBAoCuYXMYo3js:RcmEZlaPfUwbYIelzBLU3vqCRs

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4.exe

Executes dropped EXE 2 IoCs

pid	Process
3788	WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4.exe
2492	WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3604	icacls.exe
3728	icacls.exe
2920	icacls.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001aed7-148.dat	upx
behavioral1/files/0x000600000001aed7-149.dat	upx
behavioral1/memory/3788-150-0x00007FF612730000-0x00007FF612C4F000-memory.dmp	upx
behavioral1/memory/3788-152-0x00007FF612730000-0x00007FF612C4F000-memory.dmp	upx
behavioral1/memory/3788-151-0x00007FF612730000-0x00007FF612C4F000-memory.dmp	upx
behavioral1/memory/3788-155-0x00007FF612730000-0x00007FF612C4F000-memory.dmp	upx
behavioral1/files/0x000600000001aed7-157.dat	upx
behavioral1/memory/2492-158-0x00007FF612730000-0x00007FF612C4F000-memory.dmp	upx
behavioral1/memory/2492-159-0x00007FF612730000-0x00007FF612C4F000-memory.dmp	upx
behavioral1/memory/2492-160-0x00007FF612730000-0x00007FF612C4F000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3944 set thread context of 4436	3944	e52f2dbc0ee8bc0fc1b6393463285a7425d8c5de6dcd04dd0456f7c51ad0cd8e.exe	67

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4728	3944	WerFault.exe	65

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3976	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 4436	3944	e52f2dbc0ee8bc0fc1b6393463285a7425d8c5de6dcd04dd0456f7c51ad0cd8e.exe	67
PID 3944 wrote to memory of 4436	3944	e52f2dbc0ee8bc0fc1b6393463285a7425d8c5de6dcd04dd0456f7c51ad0cd8e.exe	67
PID 3944 wrote to memory of 4436	3944	e52f2dbc0ee8bc0fc1b6393463285a7425d8c5de6dcd04dd0456f7c51ad0cd8e.exe	67
PID 3944 wrote to memory of 4436	3944	e52f2dbc0ee8bc0fc1b6393463285a7425d8c5de6dcd04dd0456f7c51ad0cd8e.exe	67
PID 3944 wrote to memory of 4436	3944	e52f2dbc0ee8bc0fc1b6393463285a7425d8c5de6dcd04dd0456f7c51ad0cd8e.exe	67
PID 4436 wrote to memory of 3604	4436	AppLaunch.exe	70
PID 4436 wrote to memory of 3604	4436	AppLaunch.exe	70
PID 4436 wrote to memory of 3604	4436	AppLaunch.exe	70
PID 4436 wrote to memory of 3728	4436	AppLaunch.exe	71
PID 4436 wrote to memory of 3728	4436	AppLaunch.exe	71
PID 4436 wrote to memory of 3728	4436	AppLaunch.exe	71
PID 4436 wrote to memory of 2920	4436	AppLaunch.exe	72
PID 4436 wrote to memory of 2920	4436	AppLaunch.exe	72
PID 4436 wrote to memory of 2920	4436	AppLaunch.exe	72
PID 4436 wrote to memory of 3976	4436	AppLaunch.exe	76
PID 4436 wrote to memory of 3976	4436	AppLaunch.exe	76
PID 4436 wrote to memory of 3976	4436	AppLaunch.exe	76
PID 4436 wrote to memory of 3788	4436	AppLaunch.exe	78
PID 4436 wrote to memory of 3788	4436	AppLaunch.exe	78

C:\Users\Admin\AppData\Local\Temp\e52f2dbc0ee8bc0fc1b6393463285a7425d8c5de6dcd04dd0456f7c51ad0cd8e.exe
"C:\Users\Admin\AppData\Local\Temp\e52f2dbc0ee8bc0fc1b6393463285a7425d8c5de6dcd04dd0456f7c51ad0cd8e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3604
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3728
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2920
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4\WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4" /TR "C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4\WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:3976
- - C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4\WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4.exe
    "C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4\WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:3788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 508
  2⤵
  - Program crash
  PID:4728

C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4\WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4.exe
C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4\WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4\WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4.exe

Filesize
841.5MB

MD5
dc49cd9af558a4da18fca3b70ce32ca2

SHA1
d2df7b14eef0175bbbdda4210db331fc9830d995

SHA256
97bf2b7de1b1d087e1462211cc8997d9561efd6e267d03842e96047816fea7fe

SHA512
bee1ac6cda94eda1669c262e5c88fdc611b734ace3938058f8e25fc6376fd8070133b0a2bc26da93eb7e0f1f7c89884c9f501f958a66a0c6b919a8d2458538bd

Download Submit
C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4\WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4.exe

Filesize
841.5MB

MD5
dc49cd9af558a4da18fca3b70ce32ca2

SHA1
d2df7b14eef0175bbbdda4210db331fc9830d995

SHA256
97bf2b7de1b1d087e1462211cc8997d9561efd6e267d03842e96047816fea7fe

SHA512
bee1ac6cda94eda1669c262e5c88fdc611b734ace3938058f8e25fc6376fd8070133b0a2bc26da93eb7e0f1f7c89884c9f501f958a66a0c6b919a8d2458538bd

Download Submit
C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4\WindowsHolographicDevicesWindowsHolographicDevices-type3.6.3.4.exe

Filesize
186.1MB

MD5
21638192a3630690f3a9fbe8839b179c

SHA1
523f74189abce9fef2d1f933bd4fc2eff800cf1e

SHA256
56a16718a0e2dab36a7e45f3114478fb7800397a5850f9944c93e2ffb083401f

SHA512
632c7a3d4b6359f73323e07d219c5393b89a8fc45d4dd2c67cc5a5eaef545c87726f366668f9fe62efd4ade32f863f868530b441cf6dd1d3cc36116e39f06376

Download Submit
memory/2492-160-0x00007FF612730000-0x00007FF612C4F000-memory.dmp

Filesize
5.1MB

Download
memory/2492-159-0x00007FF612730000-0x00007FF612C4F000-memory.dmp

Filesize
5.1MB

Download
memory/2492-158-0x00007FF612730000-0x00007FF612C4F000-memory.dmp

Filesize
5.1MB

Download
memory/3788-151-0x00007FF612730000-0x00007FF612C4F000-memory.dmp

Filesize
5.1MB

Download
memory/3788-150-0x00007FF612730000-0x00007FF612C4F000-memory.dmp

Filesize
5.1MB

Download
memory/3788-152-0x00007FF612730000-0x00007FF612C4F000-memory.dmp

Filesize
5.1MB

Download
memory/3788-155-0x00007FF612730000-0x00007FF612C4F000-memory.dmp

Filesize
5.1MB

Download
memory/4436-133-0x0000000009790000-0x00000000097A0000-memory.dmp

Filesize
64KB

Download
memory/4436-132-0x0000000009790000-0x00000000097A0000-memory.dmp

Filesize
64KB

Download
memory/4436-131-0x0000000009790000-0x00000000097A0000-memory.dmp

Filesize
64KB

Download
memory/4436-120-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/4436-130-0x0000000006F30000-0x0000000006F3A000-memory.dmp

Filesize
40KB

Download
memory/4436-129-0x0000000009790000-0x00000000097A0000-memory.dmp

Filesize
64KB

Download
memory/4436-128-0x0000000009490000-0x0000000009522000-memory.dmp

Filesize
584KB

Download
memory/4436-127-0x0000000009B30000-0x000000000A02E000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads