305c2d0fb66f323e8284df0b00bcfd205d3ffa782ed9cc8e23bceca29b5310c6

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/05/2023, 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

305c2d0fb66f323e8284df0b00bcfd205d3ffa782ed9cc8e23bceca29b5310c6.exe
Size

4.7MB
MD5

029d39fd45feed615643e942de2b3ec3
SHA1

c379a55cdc799a436b36d461d9f7c5c28c529a7c
SHA256

305c2d0fb66f323e8284df0b00bcfd205d3ffa782ed9cc8e23bceca29b5310c6
SHA512

b7c1af4e8a6ecb9653371a949c5bc2411cd62c6736beb659bf99c709978077e4b91d04c219fad70a0e9a1f7695fd196af1e090b1790d55da7b0496b0536cd930
SSDEEP

49152:CbWLWTdLMyAryTKsezhpRFgCA/jiIbpIIvUJGN+g8fTDPes3GTmg4U+lB7VkvqI8:HFik/6K3PXyO/kvA

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4624	WindowsHolographicDevicesWindowsHolographicDevices-ver2.7.9.8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run	305c2d0fb66f323e8284df0b00bcfd205d3ffa782ed9cc8e23bceca29b5310c6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHolographicDevicesWindowsHolographicDevices-ver2.7.9.8 = "C:\\ProgramData\\WindowsHolographicDevicesWindowsHolographicDevices-ver2.7.9.8\\WindowsHolographicDevicesWindowsHolographicDevices-ver2.7.9.8.exe"	305c2d0fb66f323e8284df0b00bcfd205d3ffa782ed9cc8e23bceca29b5310c6.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 4624	4344	305c2d0fb66f323e8284df0b00bcfd205d3ffa782ed9cc8e23bceca29b5310c6.exe	83
PID 4344 wrote to memory of 4624	4344	305c2d0fb66f323e8284df0b00bcfd205d3ffa782ed9cc8e23bceca29b5310c6.exe	83

C:\Users\Admin\AppData\Local\Temp\305c2d0fb66f323e8284df0b00bcfd205d3ffa782ed9cc8e23bceca29b5310c6.exe
"C:\Users\Admin\AppData\Local\Temp\305c2d0fb66f323e8284df0b00bcfd205d3ffa782ed9cc8e23bceca29b5310c6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4344
- C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-ver2.7.9.8\WindowsHolographicDevicesWindowsHolographicDevices-ver2.7.9.8.exe
  C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-ver2.7.9.8\WindowsHolographicDevicesWindowsHolographicDevices-ver2.7.9.8.exe
  2⤵
  - Executes dropped EXE
  PID:4624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-ver2.7.9.8\WindowsHolographicDevicesWindowsHolographicDevices-ver2.7.9.8.exe

Filesize
754.7MB

MD5
02d8d7ca108c039172f60dccf400715d

SHA1
c3d58e69fa68c1651dbe93d64b399adba9d59149

SHA256
fa6102f92392d13ef94504eb8f2b01ed1baed2427a3596bb6d68aa9ac22e152c

SHA512
f80eadb3a469e7aa0850055b8d17b5c21c8473f89114ae696634aa2a699c945e56b0d09c60783223ff7ec8a7d380a72c924e8cf98d3ffc2b4abdf1d6795355be

Download Submit
C:\ProgramData\WindowsHolographicDevicesWindowsHolographicDevices-ver2.7.9.8\WindowsHolographicDevicesWindowsHolographicDevices-ver2.7.9.8.exe

Filesize
754.7MB

MD5
02d8d7ca108c039172f60dccf400715d

SHA1
c3d58e69fa68c1651dbe93d64b399adba9d59149

SHA256
fa6102f92392d13ef94504eb8f2b01ed1baed2427a3596bb6d68aa9ac22e152c

SHA512
f80eadb3a469e7aa0850055b8d17b5c21c8473f89114ae696634aa2a699c945e56b0d09c60783223ff7ec8a7d380a72c924e8cf98d3ffc2b4abdf1d6795355be

Download Submit