a0ae17fec9cc2599805480adfca3ab1f9db4c100c25d5939f5585ce76cc2b230

General

Target

a0ae17fec9cc2599805480adfca3ab1f9db4c100c25d5939f5585ce76cc2b230.exe
Size

3.4MB
MD5

b5c5f6531aaa91b3ecfd8202ba41f38b
SHA1

d102174f6ebeb420a5171912649b50516728f17d
SHA256

a0ae17fec9cc2599805480adfca3ab1f9db4c100c25d5939f5585ce76cc2b230
SHA512

ab67e0dc3ae6b3d60c314bbf479d50fec6360d3d0c3d645789d3f3b641f3b55d6f65b21c9f57b735caa7bca35ffc6c999f6b9ad2afb6715db57603cbfd42d028
SSDEEP

98304:ZJuR21C/yIq/dhl/O4i/TksjdFwvhzjMSwRVq:Z8D/yIqlhlW4i/QsnwZzjMSeVq

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exeWindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exeWindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe

Executes dropped EXE 2 IoCs

Processes:

WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exeWindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe

pid	process
2396	WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe
4024	WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe

Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

704 icacls.exe
788 icacls.exe
1716 icacls.exe

pid	process
704	icacls.exe
788	icacls.exe
1716	icacls.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe	upx
C:\ProgramData\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe	upx
C:\ProgramData\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe	upx
behavioral1/memory/2396-154-0x00007FF6C49D0000-0x00007FF6C4EEF000-memory.dmp	upx
behavioral1/memory/2396-155-0x00007FF6C49D0000-0x00007FF6C4EEF000-memory.dmp	upx
behavioral1/memory/2396-156-0x00007FF6C49D0000-0x00007FF6C4EEF000-memory.dmp	upx
behavioral1/memory/2396-157-0x00007FF6C49D0000-0x00007FF6C4EEF000-memory.dmp	upx
C:\ProgramData\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe	upx
behavioral1/memory/4024-159-0x00007FF6C49D0000-0x00007FF6C4EEF000-memory.dmp	upx
behavioral1/memory/4024-160-0x00007FF6C49D0000-0x00007FF6C4EEF000-memory.dmp	upx
behavioral1/memory/4024-161-0x00007FF6C49D0000-0x00007FF6C4EEF000-memory.dmp	upx
behavioral1/memory/4024-162-0x00007FF6C49D0000-0x00007FF6C4EEF000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exeWindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a0ae17fec9cc2599805480adfca3ab1f9db4c100c25d5939f5585ce76cc2b230.exe

description	pid	process	target process
PID 4700 set thread context of 4512	4700	a0ae17fec9cc2599805480adfca3ab1f9db4c100c25d5939f5585ce76cc2b230.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3648 4700 WerFault.exe a0ae17fec9cc2599805480adfca3ab1f9db4c100c25d5939f5585ce76cc2b230.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4724 schtasks.exe

pid	pid_target	process	target process
3648	4700	WerFault.exe	a0ae17fec9cc2599805480adfca3ab1f9db4c100c25d5939f5585ce76cc2b230.exe

pid	process
4724	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

a0ae17fec9cc2599805480adfca3ab1f9db4c100c25d5939f5585ce76cc2b230.exeAppLaunch.exe

description	pid	process	target process
PID 4700 wrote to memory of 4512	4700	a0ae17fec9cc2599805480adfca3ab1f9db4c100c25d5939f5585ce76cc2b230.exe	AppLaunch.exe
PID 4700 wrote to memory of 4512	4700	a0ae17fec9cc2599805480adfca3ab1f9db4c100c25d5939f5585ce76cc2b230.exe	AppLaunch.exe
PID 4700 wrote to memory of 4512	4700	a0ae17fec9cc2599805480adfca3ab1f9db4c100c25d5939f5585ce76cc2b230.exe	AppLaunch.exe
PID 4700 wrote to memory of 4512	4700	a0ae17fec9cc2599805480adfca3ab1f9db4c100c25d5939f5585ce76cc2b230.exe	AppLaunch.exe
PID 4700 wrote to memory of 4512	4700	a0ae17fec9cc2599805480adfca3ab1f9db4c100c25d5939f5585ce76cc2b230.exe	AppLaunch.exe
PID 4512 wrote to memory of 704	4512	AppLaunch.exe	icacls.exe
PID 4512 wrote to memory of 704	4512	AppLaunch.exe	icacls.exe
PID 4512 wrote to memory of 704	4512	AppLaunch.exe	icacls.exe
PID 4512 wrote to memory of 788	4512	AppLaunch.exe	icacls.exe
PID 4512 wrote to memory of 788	4512	AppLaunch.exe	icacls.exe
PID 4512 wrote to memory of 788	4512	AppLaunch.exe	icacls.exe
PID 4512 wrote to memory of 1716	4512	AppLaunch.exe	icacls.exe
PID 4512 wrote to memory of 1716	4512	AppLaunch.exe	icacls.exe
PID 4512 wrote to memory of 1716	4512	AppLaunch.exe	icacls.exe
PID 4512 wrote to memory of 4724	4512	AppLaunch.exe	schtasks.exe
PID 4512 wrote to memory of 4724	4512	AppLaunch.exe	schtasks.exe
PID 4512 wrote to memory of 4724	4512	AppLaunch.exe	schtasks.exe
PID 4512 wrote to memory of 2396	4512	AppLaunch.exe	WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe
PID 4512 wrote to memory of 2396	4512	AppLaunch.exe	WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe

C:\Users\Admin\AppData\Local\Temp\a0ae17fec9cc2599805480adfca3ab1f9db4c100c25d5939f5585ce76cc2b230.exe
"C:\Users\Admin\AppData\Local\Temp\a0ae17fec9cc2599805480adfca3ab1f9db4c100c25d5939f5585ce76cc2b230.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:704

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:788

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9" /inheritance:e /deny "admin:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:1716

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /TN "WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9" /TR "C:\ProgramData\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe" /SC MINUTE
3⤵
- Creates scheduled task(s)
PID:4724

C:\ProgramData\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe
"C:\ProgramData\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 308
2⤵
- Program crash
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4700 -ip 4700
1⤵
PID:1268

C:\ProgramData\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe
C:\ProgramData\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe
Filesize
452.8MB

MD5
997c8d643d6301b4c172f1112f6eafab

SHA1
5ca585233510eb332cb37bc243d4d1c5d2105ef2

SHA256
062f474f2fbf253fa298fd4d6b22b6a2a53a2cfcf3fc35e50c6506689ba48853

SHA512
c1f487fac899413b88c8c64eca12387b87b269d479c0c46b291a6d3469dbcebaca0e9492d47c141b8cd7d40fa4442aa37b8574dcd3b432ebf5b63dd433fe873c

Download Submit
C:\ProgramData\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe
Filesize
566.4MB

MD5
cc4bc4e88fdd7c7540b6daa5ee11432c

SHA1
1befa472bf98399ac8309e15e0169c89fca4d42a

SHA256
810f694c109d46b02d79f0d1cca8a0f3dd183fd2034374ef41ebe5cb3d3ecd9d

SHA512
5b604cb6eb4e03830ea86b26ce9536c6d2f3fd6ca5f4db3dbd6169fb7fb6ed7989d96b6085c5df6c1217c3a0a8804c6e36719c5912d3e85c93ee1ba77aa44236

Download Submit
C:\ProgramData\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe
Filesize
599.5MB

MD5
b3665b54b6b3b809b0eb2339805deb83

SHA1
678b4d240a8ad59266c112f74fef188b796a1092

SHA256
8b6e73a3633bdc83c4f274f0806f50bd81a9abfc668a7fa7f7782aa9c6f10eb7

SHA512
2b32df26fa221c3aa1ddf17c042d697ae930dc2bd911e6f7b6ad88f70d89b778a91b92ad2351ea0a961890695e3f802200280fc2ccd09a3de9e92b89189b399d

Download Submit
C:\ProgramData\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9\WindowsHolographicDevicesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type9.3.8.9.exe
Filesize
518.1MB

MD5
210f4202756cdd386058cf83edb7b1ae

SHA1
367b61b6f47ac260758d10d48fd3b4a68f452457

SHA256
f0bb2a2f3f642b1d224843f466a5e1c77f9961466cf01d436ce99cf998f1956d

SHA512
a8b6acec1bd38c5582013cf14e6a0ac41f168a3e1b8aadecccd5ad3663e3552fc589fddca88eb06f80c486b51c606fe3400863d3adbb7d13f7f3aa6da7b13c26

Download Submit
memory/2396-154-0x00007FF6C49D0000-0x00007FF6C4EEF000-memory.dmp

Filesize
5.1MB

Download
memory/2396-157-0x00007FF6C49D0000-0x00007FF6C4EEF000-memory.dmp

Filesize
5.1MB

Download
memory/2396-156-0x00007FF6C49D0000-0x00007FF6C4EEF000-memory.dmp

Filesize
5.1MB

Download
memory/2396-155-0x00007FF6C49D0000-0x00007FF6C4EEF000-memory.dmp

Filesize
5.1MB

Download
memory/4024-159-0x00007FF6C49D0000-0x00007FF6C4EEF000-memory.dmp

Filesize
5.1MB

Download
memory/4024-160-0x00007FF6C49D0000-0x00007FF6C4EEF000-memory.dmp

Filesize
5.1MB

Download
memory/4024-161-0x00007FF6C49D0000-0x00007FF6C4EEF000-memory.dmp

Filesize
5.1MB

Download
memory/4024-162-0x00007FF6C49D0000-0x00007FF6C4EEF000-memory.dmp

Filesize
5.1MB

Download
memory/4512-139-0x0000000004E50000-0x0000000004EE2000-memory.dmp

Filesize
584KB

Download
memory/4512-138-0x0000000005510000-0x0000000005AB4000-memory.dmp

Filesize
5.6MB

Download
memory/4512-140-0x0000000004E40000-0x0000000004E4A000-memory.dmp

Filesize
40KB

Download
memory/4512-144-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/4512-143-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/4512-142-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/4512-133-0x0000000000500000-0x000000000085C000-memory.dmp

Filesize
3.4MB

Download
memory/4512-141-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads