0082b8b2b7ac562db544fd81b26229fd2a6a6c04a9c86123cbd89a285eeb2594

Analysis

max time kernel
160s
max time network
170s
platform
windows7_x64
resource
win7-en-20211208
submitted
29-01-2022 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0082b8b2b7ac562db544fd81b26229fd2a6a6c04a9c86123cbd89a285eeb2594.exe
Size

433KB
MD5

1ff517fb0f45cf09acdad03cd5a2fa63
SHA1

0588ee87b824e734cfdb2af29143aa19ce83869f
SHA256

0082b8b2b7ac562db544fd81b26229fd2a6a6c04a9c86123cbd89a285eeb2594
SHA512

e4385402843cc6d0990b103692a351f4e8cb3c30a5dd228ba39be0388f065ce1e2e130fd6edb772a32a237e835f0458e645ce78c0645ce13e3d485c9a2f635fa

Score

8^/10

link pdf persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Hustler_May_15s.exeHustlerMay15s.exeusbpnp_driver.exe

pid process

1036 Hustler_May_15s.exe
1092 HustlerMay15s.exe
1060 usbpnp_driver.exe

pid	process
1036	Hustler_May_15s.exe
1092	HustlerMay15s.exe
1060	usbpnp_driver.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\IXP07A.tmp\HustlerMay15s.exe	upx
C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp\HustlerMay15s.exe	upx
\Users\Admin\AppData\Local\Temp\IXP07A.tmp\HustlerMay15s.exe	upx
C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp\HustlerMay15s.exe	upx

Loads dropped DLL 7 IoCs

Processes:

cmd.exeHustler_May_15s.exe

pid process

1912 cmd.exe
1912 cmd.exe
1036 Hustler_May_15s.exe
1912 cmd.exe
1912 cmd.exe
1912 cmd.exe
1912 cmd.exe

pid	process
1912	cmd.exe
1912	cmd.exe
1036	Hustler_May_15s.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

usbpnp_driver.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\USB Plug n Play Driver = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP07A.tmp\\usbpnp_driver.exe"	usbpnp_driver.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\27FA.tmp\Hustler May 2015.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

756 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1764 PING.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1940 AcroRd32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 756 taskkill.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1940 AcroRd32.exe
1940 AcroRd32.exe
1940 AcroRd32.exe
1940 AcroRd32.exe

pid	process
756	taskkill.exe

pid	process
1764	PING.EXE

pid	process
1940	AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	756	taskkill.exe

pid	process
1940	AcroRd32.exe
1940	AcroRd32.exe
1940	AcroRd32.exe
1940	AcroRd32.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

0082b8b2b7ac562db544fd81b26229fd2a6a6c04a9c86123cbd89a285eeb2594.execmd.exeHustlerMay15s.execmd.exe

description	pid	process	target process
PID 1524 wrote to memory of 1912	1524	0082b8b2b7ac562db544fd81b26229fd2a6a6c04a9c86123cbd89a285eeb2594.exe	cmd.exe
PID 1524 wrote to memory of 1912	1524	0082b8b2b7ac562db544fd81b26229fd2a6a6c04a9c86123cbd89a285eeb2594.exe	cmd.exe
PID 1524 wrote to memory of 1912	1524	0082b8b2b7ac562db544fd81b26229fd2a6a6c04a9c86123cbd89a285eeb2594.exe	cmd.exe
PID 1524 wrote to memory of 1912	1524	0082b8b2b7ac562db544fd81b26229fd2a6a6c04a9c86123cbd89a285eeb2594.exe	cmd.exe
PID 1912 wrote to memory of 756	1912	cmd.exe	taskkill.exe
PID 1912 wrote to memory of 756	1912	cmd.exe	taskkill.exe
PID 1912 wrote to memory of 756	1912	cmd.exe	taskkill.exe
PID 1912 wrote to memory of 756	1912	cmd.exe	taskkill.exe
PID 1912 wrote to memory of 1764	1912	cmd.exe	PING.EXE
PID 1912 wrote to memory of 1764	1912	cmd.exe	PING.EXE
PID 1912 wrote to memory of 1764	1912	cmd.exe	PING.EXE
PID 1912 wrote to memory of 1764	1912	cmd.exe	PING.EXE
PID 1912 wrote to memory of 1036	1912	cmd.exe	Hustler_May_15s.exe
PID 1912 wrote to memory of 1036	1912	cmd.exe	Hustler_May_15s.exe
PID 1912 wrote to memory of 1036	1912	cmd.exe	Hustler_May_15s.exe
PID 1912 wrote to memory of 1036	1912	cmd.exe	Hustler_May_15s.exe
PID 1912 wrote to memory of 1036	1912	cmd.exe	Hustler_May_15s.exe
PID 1912 wrote to memory of 1036	1912	cmd.exe	Hustler_May_15s.exe
PID 1912 wrote to memory of 1036	1912	cmd.exe	Hustler_May_15s.exe
PID 1912 wrote to memory of 1092	1912	cmd.exe	HustlerMay15s.exe
PID 1912 wrote to memory of 1092	1912	cmd.exe	HustlerMay15s.exe
PID 1912 wrote to memory of 1092	1912	cmd.exe	HustlerMay15s.exe
PID 1912 wrote to memory of 1092	1912	cmd.exe	HustlerMay15s.exe
PID 1912 wrote to memory of 1060	1912	cmd.exe	usbpnp_driver.exe
PID 1912 wrote to memory of 1060	1912	cmd.exe	usbpnp_driver.exe
PID 1912 wrote to memory of 1060	1912	cmd.exe	usbpnp_driver.exe
PID 1912 wrote to memory of 1060	1912	cmd.exe	usbpnp_driver.exe
PID 1092 wrote to memory of 1904	1092	HustlerMay15s.exe	cmd.exe
PID 1092 wrote to memory of 1904	1092	HustlerMay15s.exe	cmd.exe
PID 1092 wrote to memory of 1904	1092	HustlerMay15s.exe	cmd.exe
PID 1092 wrote to memory of 1904	1092	HustlerMay15s.exe	cmd.exe
PID 1904 wrote to memory of 1940	1904	cmd.exe	AcroRd32.exe
PID 1904 wrote to memory of 1940	1904	cmd.exe	AcroRd32.exe
PID 1904 wrote to memory of 1940	1904	cmd.exe	AcroRd32.exe
PID 1904 wrote to memory of 1940	1904	cmd.exe	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\0082b8b2b7ac562db544fd81b26229fd2a6a6c04a9c86123cbd89a285eeb2594.exe
"C:\Users\Admin\AppData\Local\Temp\0082b8b2b7ac562db544fd81b26229fd2a6a6c04a9c86123cbd89a285eeb2594.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\57D.tmp\HustlerMay15.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im usbpnp_driver.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
3⤵
- Runs ping.exe
PID:1764

C:\Users\Admin\AppData\Local\Temp\57D.tmp\Hustler_May_15s.exe
"Hustler_May_15s.exe" /q /t:"C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036

C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp\HustlerMay15s.exe
"C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp\HustlerMay15s.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\27FA.tmp\2.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\27FA.tmp\Hustler May 2015.pdf"
5⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1940

C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp\usbpnp_driver.exe
"C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp\usbpnp_driver.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27FA.tmp\2.bat

MD5
38e860eadbfc9f71756eb4db856e54f0

SHA1
f5d4c997611f9cf6aad31c02d4493a2cd94154b0

SHA256
dbf469b0de1350bbff414e532e73aa758e1ac0ada60213f2a252355e146d2a36

SHA512
6dfe36c1c6747a6bb847b85a996e6e76c47d58e71ddefd6bff764d267968f8408b5ab9b8e70a7df3a8a0ef22baa18d8bebeec3f572fdd654a71b068184a98ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\27FA.tmp\Hustler May 2015.pdf

MD5
42255c3c57422976ade310a80d41e292

SHA1
f8ff165f02dbc0dce532c6d91acfd9678a79e828

SHA256
134827474c253355bf2a619c7a828bbc70bfb241c856ee7017fb0451e92a4e6b

SHA512
2e5baa61b10e978c518e0c9e9e10986bdce30cd9d41d79952cb90986458767158be74a6e1d3a8338d8a1dec09bb15282410e679767524747288520b011b63b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\57D.tmp\HustlerMay15.bat

MD5
184aed6cb4ff9f534e0c259289bea35b

SHA1
37428588e3fff24be7139ad0f5dd7d256906fa53

SHA256
7491f4ff33b62b1e08090e0bdc7ac02478425c94ded9da82bb694a22479c1e4c

SHA512
5358c857fdcae1d6fd28e4f2aa7169986c6d2d6f845a75bc1dc50e35f537d0fcc5ebdd16a8978b601a3a190e0feadc1466ecfa13ca1a37072423e63c7645ff5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\57D.tmp\Hustler_May_15s.exe

MD5
12e0e6c45ca1a1e597dda965f947cc28

SHA1
d3a380fc46f67a195e6d2845755d139c407261cf

SHA256
7ec6ea96681ff2313f199e2995505809b0ed845448f4fc07821844058d070137

SHA512
bbbb0b636eb18fb2d648b2bfcc2794b22204654afb7a35dd9b89c610fa4829ade3b6867bea502fd95ca6e29e39a494308ca6818dd793b7a9024f94aebb94f554

Download Submit
C:\Users\Admin\AppData\Local\Temp\57D.tmp\Hustler_May_15s.exe

MD5
12e0e6c45ca1a1e597dda965f947cc28

SHA1
d3a380fc46f67a195e6d2845755d139c407261cf

SHA256
7ec6ea96681ff2313f199e2995505809b0ed845448f4fc07821844058d070137

SHA512
bbbb0b636eb18fb2d648b2bfcc2794b22204654afb7a35dd9b89c610fa4829ade3b6867bea502fd95ca6e29e39a494308ca6818dd793b7a9024f94aebb94f554

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp\HustlerMay15s.exe

MD5
d72ed1799b312d216165c485a6b650f4

SHA1
710fac822bd48fda3b99dd001dce1096b0b81bba

SHA256
2eb6e744b486f06ae1cb6b6b513f349a88975a12293af326311a0fcc0c05e2f8

SHA512
545afc658d8d0ecbdfbc53371de22287c1bc5cc49eced710ff1c71c8c14c65091cf38ccd9ad825ed6b611183b0ffedbba54ff61cc448071997805ced50f22ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp\HustlerMay15s.exe

MD5
d72ed1799b312d216165c485a6b650f4

SHA1
710fac822bd48fda3b99dd001dce1096b0b81bba

SHA256
2eb6e744b486f06ae1cb6b6b513f349a88975a12293af326311a0fcc0c05e2f8

SHA512
545afc658d8d0ecbdfbc53371de22287c1bc5cc49eced710ff1c71c8c14c65091cf38ccd9ad825ed6b611183b0ffedbba54ff61cc448071997805ced50f22ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp\usbpnp_driver.exe

MD5
40b5bf85b49d82b751a62fa72b16ea66

SHA1
d2f3ffe203c8c22afb055473f21bc11530a311f3

SHA256
ac0aa9171dca9f71540f8888b9896b81a4f757a1a17e0336a34f86c99683a90f

SHA512
0abb1ba0f049b8c6e1f21c06370907dac8662e9652b864f6334381332cd2444e63794cf113dede410563102222e0c855fdc6434728b98b1be6460a9e756478c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp\usbpnp_driver.exe

MD5
40b5bf85b49d82b751a62fa72b16ea66

SHA1
d2f3ffe203c8c22afb055473f21bc11530a311f3

SHA256
ac0aa9171dca9f71540f8888b9896b81a4f757a1a17e0336a34f86c99683a90f

SHA512
0abb1ba0f049b8c6e1f21c06370907dac8662e9652b864f6334381332cd2444e63794cf113dede410563102222e0c855fdc6434728b98b1be6460a9e756478c3

Download Submit
\Users\Admin\AppData\Local\Temp\57D.tmp\Hustler_May_15s.exe

MD5
12e0e6c45ca1a1e597dda965f947cc28

SHA1
d3a380fc46f67a195e6d2845755d139c407261cf

SHA256
7ec6ea96681ff2313f199e2995505809b0ed845448f4fc07821844058d070137

SHA512
bbbb0b636eb18fb2d648b2bfcc2794b22204654afb7a35dd9b89c610fa4829ade3b6867bea502fd95ca6e29e39a494308ca6818dd793b7a9024f94aebb94f554

Download Submit
\Users\Admin\AppData\Local\Temp\57D.tmp\Hustler_May_15s.exe

MD5
12e0e6c45ca1a1e597dda965f947cc28

SHA1
d3a380fc46f67a195e6d2845755d139c407261cf

SHA256
7ec6ea96681ff2313f199e2995505809b0ed845448f4fc07821844058d070137

SHA512
bbbb0b636eb18fb2d648b2bfcc2794b22204654afb7a35dd9b89c610fa4829ade3b6867bea502fd95ca6e29e39a494308ca6818dd793b7a9024f94aebb94f554

Download Submit
\Users\Admin\AppData\Local\Temp\57D.tmp\Hustler_May_15s.exe

MD5
12e0e6c45ca1a1e597dda965f947cc28

SHA1
d3a380fc46f67a195e6d2845755d139c407261cf

SHA256
7ec6ea96681ff2313f199e2995505809b0ed845448f4fc07821844058d070137

SHA512
bbbb0b636eb18fb2d648b2bfcc2794b22204654afb7a35dd9b89c610fa4829ade3b6867bea502fd95ca6e29e39a494308ca6818dd793b7a9024f94aebb94f554

Download Submit
\Users\Admin\AppData\Local\Temp\IXP07A.tmp\HustlerMay15s.exe

MD5
d72ed1799b312d216165c485a6b650f4

SHA1
710fac822bd48fda3b99dd001dce1096b0b81bba

SHA256
2eb6e744b486f06ae1cb6b6b513f349a88975a12293af326311a0fcc0c05e2f8

SHA512
545afc658d8d0ecbdfbc53371de22287c1bc5cc49eced710ff1c71c8c14c65091cf38ccd9ad825ed6b611183b0ffedbba54ff61cc448071997805ced50f22ad8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP07A.tmp\HustlerMay15s.exe

MD5
d72ed1799b312d216165c485a6b650f4

SHA1
710fac822bd48fda3b99dd001dce1096b0b81bba

SHA256
2eb6e744b486f06ae1cb6b6b513f349a88975a12293af326311a0fcc0c05e2f8

SHA512
545afc658d8d0ecbdfbc53371de22287c1bc5cc49eced710ff1c71c8c14c65091cf38ccd9ad825ed6b611183b0ffedbba54ff61cc448071997805ced50f22ad8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP07A.tmp\usbpnp_driver.exe

MD5
40b5bf85b49d82b751a62fa72b16ea66

SHA1
d2f3ffe203c8c22afb055473f21bc11530a311f3

SHA256
ac0aa9171dca9f71540f8888b9896b81a4f757a1a17e0336a34f86c99683a90f

SHA512
0abb1ba0f049b8c6e1f21c06370907dac8662e9652b864f6334381332cd2444e63794cf113dede410563102222e0c855fdc6434728b98b1be6460a9e756478c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP07A.tmp\usbpnp_driver.exe

MD5
40b5bf85b49d82b751a62fa72b16ea66

SHA1
d2f3ffe203c8c22afb055473f21bc11530a311f3

SHA256
ac0aa9171dca9f71540f8888b9896b81a4f757a1a17e0336a34f86c99683a90f

SHA512
0abb1ba0f049b8c6e1f21c06370907dac8662e9652b864f6334381332cd2444e63794cf113dede410563102222e0c855fdc6434728b98b1be6460a9e756478c3

Download Submit
memory/1524-54-0x0000000076911000-0x0000000076913000-memory.dmp

Filesize
8KB

Download