0082b8b2b7ac562db544fd81b26229fd2a6a6c04a9c86123cbd89a285eeb2594

Analysis

max time kernel
165s
max time network
164s
platform
windows10_x64
resource
win10-en-20211208
submitted
29-01-2022 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0082b8b2b7ac562db544fd81b26229fd2a6a6c04a9c86123cbd89a285eeb2594.exe
Size

433KB
MD5

1ff517fb0f45cf09acdad03cd5a2fa63
SHA1

0588ee87b824e734cfdb2af29143aa19ce83869f
SHA256

0082b8b2b7ac562db544fd81b26229fd2a6a6c04a9c86123cbd89a285eeb2594
SHA512

e4385402843cc6d0990b103692a351f4e8cb3c30a5dd228ba39be0388f065ce1e2e130fd6edb772a32a237e835f0458e645ce78c0645ce13e3d485c9a2f635fa

Score

8^/10

link pdf persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Hustler_May_15s.exeHustlerMay15s.exeusbpnp_driver.exe

pid process

1480 Hustler_May_15s.exe
1588 HustlerMay15s.exe
1472 usbpnp_driver.exe

pid	process
1480	Hustler_May_15s.exe
1588	HustlerMay15s.exe
1472	usbpnp_driver.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp\HustlerMay15s.exe	upx
C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp\HustlerMay15s.exe	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

usbpnp_driver.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\USB Plug n Play Driver = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP07A.tmp\\usbpnp_driver.exe"	usbpnp_driver.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\28C.tmp\Hustler May 2015.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1512 taskkill.exe

pid	process
1512	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

usbpnp_driver.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	usbpnp_driver.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	usbpnp_driver.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3608 PING.EXE

pid	process
3608	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

AcroRd32.exe

pid	process
748	AcroRd32.exe
748	AcroRd32.exe
748	AcroRd32.exe
748	AcroRd32.exe
748	AcroRd32.exe
748	AcroRd32.exe
748	AcroRd32.exe
748	AcroRd32.exe
748	AcroRd32.exe
748	AcroRd32.exe
748	AcroRd32.exe
748	AcroRd32.exe
748	AcroRd32.exe
748	AcroRd32.exe
748	AcroRd32.exe
748	AcroRd32.exe
748	AcroRd32.exe
748	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1512 taskkill.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

748 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

748 AcroRd32.exe
748 AcroRd32.exe
748 AcroRd32.exe
748 AcroRd32.exe
748 AcroRd32.exe
748 AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	1512	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0082b8b2b7ac562db544fd81b26229fd2a6a6c04a9c86123cbd89a285eeb2594.execmd.exeHustlerMay15s.execmd.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2700 wrote to memory of 4040	2700	0082b8b2b7ac562db544fd81b26229fd2a6a6c04a9c86123cbd89a285eeb2594.exe	cmd.exe
PID 2700 wrote to memory of 4040	2700	0082b8b2b7ac562db544fd81b26229fd2a6a6c04a9c86123cbd89a285eeb2594.exe	cmd.exe
PID 2700 wrote to memory of 4040	2700	0082b8b2b7ac562db544fd81b26229fd2a6a6c04a9c86123cbd89a285eeb2594.exe	cmd.exe
PID 4040 wrote to memory of 1512	4040	cmd.exe	taskkill.exe
PID 4040 wrote to memory of 1512	4040	cmd.exe	taskkill.exe
PID 4040 wrote to memory of 1512	4040	cmd.exe	taskkill.exe
PID 4040 wrote to memory of 3608	4040	cmd.exe	PING.EXE
PID 4040 wrote to memory of 3608	4040	cmd.exe	PING.EXE
PID 4040 wrote to memory of 3608	4040	cmd.exe	PING.EXE
PID 4040 wrote to memory of 1480	4040	cmd.exe	Hustler_May_15s.exe
PID 4040 wrote to memory of 1480	4040	cmd.exe	Hustler_May_15s.exe
PID 4040 wrote to memory of 1480	4040	cmd.exe	Hustler_May_15s.exe
PID 4040 wrote to memory of 1588	4040	cmd.exe	HustlerMay15s.exe
PID 4040 wrote to memory of 1588	4040	cmd.exe	HustlerMay15s.exe
PID 4040 wrote to memory of 1588	4040	cmd.exe	HustlerMay15s.exe
PID 4040 wrote to memory of 1472	4040	cmd.exe	usbpnp_driver.exe
PID 4040 wrote to memory of 1472	4040	cmd.exe	usbpnp_driver.exe
PID 4040 wrote to memory of 1472	4040	cmd.exe	usbpnp_driver.exe
PID 1588 wrote to memory of 2644	1588	HustlerMay15s.exe	cmd.exe
PID 1588 wrote to memory of 2644	1588	HustlerMay15s.exe	cmd.exe
PID 1588 wrote to memory of 2644	1588	HustlerMay15s.exe	cmd.exe
PID 2644 wrote to memory of 748	2644	cmd.exe	AcroRd32.exe
PID 2644 wrote to memory of 748	2644	cmd.exe	AcroRd32.exe
PID 2644 wrote to memory of 748	2644	cmd.exe	AcroRd32.exe
PID 748 wrote to memory of 2056	748	AcroRd32.exe	RdrCEF.exe
PID 748 wrote to memory of 2056	748	AcroRd32.exe	RdrCEF.exe
PID 748 wrote to memory of 2056	748	AcroRd32.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe
PID 2056 wrote to memory of 3704	2056	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\0082b8b2b7ac562db544fd81b26229fd2a6a6c04a9c86123cbd89a285eeb2594.exe
"C:\Users\Admin\AppData\Local\Temp\0082b8b2b7ac562db544fd81b26229fd2a6a6c04a9c86123cbd89a285eeb2594.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F185.tmp\HustlerMay15.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im usbpnp_driver.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
3⤵
- Runs ping.exe
PID:3608

C:\Users\Admin\AppData\Local\Temp\F185.tmp\Hustler_May_15s.exe
"Hustler_May_15s.exe" /q /t:"C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp"
3⤵
- Executes dropped EXE
PID:1480

C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp\HustlerMay15s.exe
"C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp\HustlerMay15s.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\28C.tmp\2.bat" "
4⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\28C.tmp\Hustler May 2015.pdf"
5⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
6⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9582A752414CC2D67D2F1A2FCB035510 --mojo-platform-channel-handle=1640 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
7⤵
PID:3704

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BBE0060C6A0F88112A2459892581EB63 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BBE0060C6A0F88112A2459892581EB63 --renderer-client-id=2 --mojo-platform-channel-handle=1660 --allow-no-sandbox-job /prefetch:1
7⤵
PID:2260

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2EA765959C3971D9A6FFDD4A87A66A4E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2EA765959C3971D9A6FFDD4A87A66A4E --renderer-client-id=4 --mojo-platform-channel-handle=2216 --allow-no-sandbox-job /prefetch:1
7⤵
PID:3176

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F4A079688B93CBE438A9EB7A23D11967 --mojo-platform-channel-handle=2440 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
7⤵
PID:3196

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5A3CD98DE8FD3D9B88BC2D7B9F6A5498 --mojo-platform-channel-handle=1876 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
7⤵
PID:2708

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DBBD15E6250FCFEA4CC4A8F0B0C7952F --mojo-platform-channel-handle=1624 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
7⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp\usbpnp_driver.exe
"C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp\usbpnp_driver.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
PID:1472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\28C.tmp\2.bat
MD5
38e860eadbfc9f71756eb4db856e54f0

SHA1
f5d4c997611f9cf6aad31c02d4493a2cd94154b0

SHA256
dbf469b0de1350bbff414e532e73aa758e1ac0ada60213f2a252355e146d2a36

SHA512
6dfe36c1c6747a6bb847b85a996e6e76c47d58e71ddefd6bff764d267968f8408b5ab9b8e70a7df3a8a0ef22baa18d8bebeec3f572fdd654a71b068184a98ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\28C.tmp\Hustler May 2015.pdf
MD5
42255c3c57422976ade310a80d41e292

SHA1
f8ff165f02dbc0dce532c6d91acfd9678a79e828

SHA256
134827474c253355bf2a619c7a828bbc70bfb241c856ee7017fb0451e92a4e6b

SHA512
2e5baa61b10e978c518e0c9e9e10986bdce30cd9d41d79952cb90986458767158be74a6e1d3a8338d8a1dec09bb15282410e679767524747288520b011b63b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\F185.tmp\HustlerMay15.bat
MD5
184aed6cb4ff9f534e0c259289bea35b

SHA1
37428588e3fff24be7139ad0f5dd7d256906fa53

SHA256
7491f4ff33b62b1e08090e0bdc7ac02478425c94ded9da82bb694a22479c1e4c

SHA512
5358c857fdcae1d6fd28e4f2aa7169986c6d2d6f845a75bc1dc50e35f537d0fcc5ebdd16a8978b601a3a190e0feadc1466ecfa13ca1a37072423e63c7645ff5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\F185.tmp\Hustler_May_15s.exe
MD5
12e0e6c45ca1a1e597dda965f947cc28

SHA1
d3a380fc46f67a195e6d2845755d139c407261cf

SHA256
7ec6ea96681ff2313f199e2995505809b0ed845448f4fc07821844058d070137

SHA512
bbbb0b636eb18fb2d648b2bfcc2794b22204654afb7a35dd9b89c610fa4829ade3b6867bea502fd95ca6e29e39a494308ca6818dd793b7a9024f94aebb94f554

Download Submit
C:\Users\Admin\AppData\Local\Temp\F185.tmp\Hustler_May_15s.exe
MD5
12e0e6c45ca1a1e597dda965f947cc28

SHA1
d3a380fc46f67a195e6d2845755d139c407261cf

SHA256
7ec6ea96681ff2313f199e2995505809b0ed845448f4fc07821844058d070137

SHA512
bbbb0b636eb18fb2d648b2bfcc2794b22204654afb7a35dd9b89c610fa4829ade3b6867bea502fd95ca6e29e39a494308ca6818dd793b7a9024f94aebb94f554

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp\HustlerMay15s.exe
MD5
d72ed1799b312d216165c485a6b650f4

SHA1
710fac822bd48fda3b99dd001dce1096b0b81bba

SHA256
2eb6e744b486f06ae1cb6b6b513f349a88975a12293af326311a0fcc0c05e2f8

SHA512
545afc658d8d0ecbdfbc53371de22287c1bc5cc49eced710ff1c71c8c14c65091cf38ccd9ad825ed6b611183b0ffedbba54ff61cc448071997805ced50f22ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp\HustlerMay15s.exe
MD5
d72ed1799b312d216165c485a6b650f4

SHA1
710fac822bd48fda3b99dd001dce1096b0b81bba

SHA256
2eb6e744b486f06ae1cb6b6b513f349a88975a12293af326311a0fcc0c05e2f8

SHA512
545afc658d8d0ecbdfbc53371de22287c1bc5cc49eced710ff1c71c8c14c65091cf38ccd9ad825ed6b611183b0ffedbba54ff61cc448071997805ced50f22ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp\usbpnp_driver.exe
MD5
40b5bf85b49d82b751a62fa72b16ea66

SHA1
d2f3ffe203c8c22afb055473f21bc11530a311f3

SHA256
ac0aa9171dca9f71540f8888b9896b81a4f757a1a17e0336a34f86c99683a90f

SHA512
0abb1ba0f049b8c6e1f21c06370907dac8662e9652b864f6334381332cd2444e63794cf113dede410563102222e0c855fdc6434728b98b1be6460a9e756478c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP07A.tmp\usbpnp_driver.exe
MD5
40b5bf85b49d82b751a62fa72b16ea66

SHA1
d2f3ffe203c8c22afb055473f21bc11530a311f3

SHA256
ac0aa9171dca9f71540f8888b9896b81a4f757a1a17e0336a34f86c99683a90f

SHA512
0abb1ba0f049b8c6e1f21c06370907dac8662e9652b864f6334381332cd2444e63794cf113dede410563102222e0c855fdc6434728b98b1be6460a9e756478c3

Download Submit
memory/2260-130-0x0000000077B42000-0x0000000077B43000-memory.dmp

Filesize
4KB

Download
memory/2708-143-0x0000000077B42000-0x0000000077B43000-memory.dmp

Filesize
4KB

Download
memory/2840-146-0x0000000077B42000-0x0000000077B43000-memory.dmp

Filesize
4KB

Download
memory/3176-135-0x0000000077B42000-0x0000000077B43000-memory.dmp

Filesize
4KB

Download
memory/3196-140-0x0000000077B42000-0x0000000077B43000-memory.dmp

Filesize
4KB

Download
memory/3704-127-0x0000000077B42000-0x0000000077B43000-memory.dmp

Filesize
4KB

Download