a35d8eaf733df01475638f35fec9f9a8543730c7796794bda81402c3eecbc291

General

Target

a35d8eaf733df01475638f35fec9f9a8543730c7796794bda81402c3eecbc291.exe
Size

3.4MB
MD5

0e0cd6efee7433ae2e785e8e224936d0
SHA1

5a067f75caa7d181a948f88dca23c07bac2f7e3d
SHA256

a35d8eaf733df01475638f35fec9f9a8543730c7796794bda81402c3eecbc291
SHA512

4dc3bcc0357cba8cd54b79be11b7df3391915bc9a57936f092b6d1476b080a1c8b178ec8acb959e0cbdfc38b62f9550d96a9f9c8476439eb1681b23b94675632
SSDEEP

98304:uJuR21C/yIq/dhl/O4i/TksjdFwvhzjMSwRV6:u8D/yIqlhlW4i/QsnwZzjMSeV6

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exeWindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exeWindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe

Executes dropped EXE 2 IoCs

Processes:

WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exeWindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe

pid	process
4764	WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe
4988	WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe

Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

4560 icacls.exe
2284 icacls.exe
4852 icacls.exe

pid	process
4560	icacls.exe
2284	icacls.exe
4852	icacls.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe	upx
C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe	upx
C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe	upx
behavioral1/memory/4764-154-0x00007FF7608A0000-0x00007FF760DBF000-memory.dmp	upx
behavioral1/memory/4764-155-0x00007FF7608A0000-0x00007FF760DBF000-memory.dmp	upx
behavioral1/memory/4764-156-0x00007FF7608A0000-0x00007FF760DBF000-memory.dmp	upx
behavioral1/memory/4764-157-0x00007FF7608A0000-0x00007FF760DBF000-memory.dmp	upx
C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe	upx
behavioral1/memory/4988-159-0x00007FF7608A0000-0x00007FF760DBF000-memory.dmp	upx
behavioral1/memory/4988-160-0x00007FF7608A0000-0x00007FF760DBF000-memory.dmp	upx
behavioral1/memory/4988-161-0x00007FF7608A0000-0x00007FF760DBF000-memory.dmp	upx
behavioral1/memory/4988-162-0x00007FF7608A0000-0x00007FF760DBF000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exeWindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a35d8eaf733df01475638f35fec9f9a8543730c7796794bda81402c3eecbc291.exe

description	pid	process	target process
PID 4604 set thread context of 4664	4604	a35d8eaf733df01475638f35fec9f9a8543730c7796794bda81402c3eecbc291.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1328 4604 WerFault.exe a35d8eaf733df01475638f35fec9f9a8543730c7796794bda81402c3eecbc291.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2792 schtasks.exe

pid	pid_target	process	target process
1328	4604	WerFault.exe	a35d8eaf733df01475638f35fec9f9a8543730c7796794bda81402c3eecbc291.exe

pid	process
2792	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

a35d8eaf733df01475638f35fec9f9a8543730c7796794bda81402c3eecbc291.exeAppLaunch.exe

description	pid	process	target process
PID 4604 wrote to memory of 4664	4604	a35d8eaf733df01475638f35fec9f9a8543730c7796794bda81402c3eecbc291.exe	AppLaunch.exe
PID 4604 wrote to memory of 4664	4604	a35d8eaf733df01475638f35fec9f9a8543730c7796794bda81402c3eecbc291.exe	AppLaunch.exe
PID 4604 wrote to memory of 4664	4604	a35d8eaf733df01475638f35fec9f9a8543730c7796794bda81402c3eecbc291.exe	AppLaunch.exe
PID 4604 wrote to memory of 4664	4604	a35d8eaf733df01475638f35fec9f9a8543730c7796794bda81402c3eecbc291.exe	AppLaunch.exe
PID 4604 wrote to memory of 4664	4604	a35d8eaf733df01475638f35fec9f9a8543730c7796794bda81402c3eecbc291.exe	AppLaunch.exe
PID 4664 wrote to memory of 4560	4664	AppLaunch.exe	icacls.exe
PID 4664 wrote to memory of 4560	4664	AppLaunch.exe	icacls.exe
PID 4664 wrote to memory of 4560	4664	AppLaunch.exe	icacls.exe
PID 4664 wrote to memory of 2284	4664	AppLaunch.exe	icacls.exe
PID 4664 wrote to memory of 2284	4664	AppLaunch.exe	icacls.exe
PID 4664 wrote to memory of 2284	4664	AppLaunch.exe	icacls.exe
PID 4664 wrote to memory of 4852	4664	AppLaunch.exe	icacls.exe
PID 4664 wrote to memory of 4852	4664	AppLaunch.exe	icacls.exe
PID 4664 wrote to memory of 4852	4664	AppLaunch.exe	icacls.exe
PID 4664 wrote to memory of 2792	4664	AppLaunch.exe	schtasks.exe
PID 4664 wrote to memory of 2792	4664	AppLaunch.exe	schtasks.exe
PID 4664 wrote to memory of 2792	4664	AppLaunch.exe	schtasks.exe
PID 4664 wrote to memory of 4764	4664	AppLaunch.exe	WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe
PID 4664 wrote to memory of 4764	4664	AppLaunch.exe	WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe

C:\Users\Admin\AppData\Local\Temp\a35d8eaf733df01475638f35fec9f9a8543730c7796794bda81402c3eecbc291.exe
"C:\Users\Admin\AppData\Local\Temp\a35d8eaf733df01475638f35fec9f9a8543730c7796794bda81402c3eecbc291.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:4560

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:2284

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:4852

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /TN "WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0" /TR "C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe" /SC MINUTE
3⤵
- Creates scheduled task(s)
PID:2792

C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe
"C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 308
2⤵
- Program crash
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4604 -ip 4604
1⤵
PID:800

C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe
C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe
Filesize
642.1MB

MD5
b8da66e1dacd16f0c7fa36685eceb4ec

SHA1
51f28a1470531d60a06c8985bd5b0a73eacaa6e0

SHA256
84fae884a95820715d8e953bbb293d5d0e5e4e9f15d20cab6a09910bb3eeb29e

SHA512
d5c33f441fd4d95d89861967bc219eabd8c45deea9389efec86446a0959e52a7aa4d3b37d2ce185c05b91f4d1c6ea4c058c50642017fb0d05a91451aca88bfdd

Download Submit
C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe
Filesize
701.9MB

MD5
bc952117b8644c053245d96fa26d517d

SHA1
91e2bf980c4447e70ed9e09d224f4a57fee04e21

SHA256
558b54ea3aecb7baee471b497b5d7a5e18bdc76cfc38796e5282f36282c72601

SHA512
28a507bf46127a3c310ac0fcb5da7ba7749894e066472d71ad96db49bd33132b83067f4e05308e983ad4322133cc455ae469714434cd570ead0cd054d5af0ff9

Download Submit
C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe
Filesize
659.8MB

MD5
77e9c970b54526838512e5b566f28eb9

SHA1
8caa714073b32e9561653d8abb778b2a7d4bca7b

SHA256
635d0da68116bdf0f898df41a2c7e50abd686ed725edfb3022c4a241cc968d23

SHA512
3c48042622d7387517e80bc878d949f4cf1bac8e4e270afc9effb7091f71fa7303125de748afb7d08fc53725f68d3030a3bbc592f58406508e9de65353ce4cd5

Download Submit
C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0\WindowsHolographicDevicesWindowsHolographicDevices-type9.9.6.0.exe
Filesize
115.4MB

MD5
65b8668cc4fed820bade87881c12ae9f

SHA1
6f1ae99e225d51d04db40a34c398d49731c330f5

SHA256
ed627153e78c233ea1501e65f99aa4f9c49ba6b370f917954be7eb4e91d4ca0b

SHA512
d25ad18abca5a8a69711ccb5f6a2a622a761c0e2f8ed98500361bc477ed9bce596b9bb6483879d1ae8858af79c90ebbd47263921758c98ba2e1baf363e5dcf94

Download Submit
memory/4664-141-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/4664-142-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/4664-143-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/4664-144-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/4664-140-0x0000000004F70000-0x0000000004F7A000-memory.dmp

Filesize
40KB

Download
memory/4664-139-0x0000000004EC0000-0x0000000004F52000-memory.dmp

Filesize
584KB

Download
memory/4664-138-0x0000000005560000-0x0000000005B04000-memory.dmp

Filesize
5.6MB

Download
memory/4664-133-0x0000000000580000-0x00000000008DC000-memory.dmp

Filesize
3.4MB

Download
memory/4764-155-0x00007FF7608A0000-0x00007FF760DBF000-memory.dmp

Filesize
5.1MB

Download
memory/4764-156-0x00007FF7608A0000-0x00007FF760DBF000-memory.dmp

Filesize
5.1MB

Download
memory/4764-157-0x00007FF7608A0000-0x00007FF760DBF000-memory.dmp

Filesize
5.1MB

Download
memory/4764-154-0x00007FF7608A0000-0x00007FF760DBF000-memory.dmp

Filesize
5.1MB

Download
memory/4988-159-0x00007FF7608A0000-0x00007FF760DBF000-memory.dmp

Filesize
5.1MB

Download
memory/4988-160-0x00007FF7608A0000-0x00007FF760DBF000-memory.dmp

Filesize
5.1MB

Download
memory/4988-161-0x00007FF7608A0000-0x00007FF760DBF000-memory.dmp

Filesize
5.1MB

Download
memory/4988-162-0x00007FF7608A0000-0x00007FF760DBF000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads