43d9426874eea0bb56c3feac25d20bc35fb3ddaa9447e1ca5f0ba3de1d194382

Analysis

max time kernel
105s
max time network
114s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
16-04-2024 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

USBHelperInstaller.exe
Size

282KB
MD5

d387c6c808a9ab80f0d8e843500f903d
SHA1

b14fc2a27c1e215d74d8cb6f01729855c1dbd8f4
SHA256

43d9426874eea0bb56c3feac25d20bc35fb3ddaa9447e1ca5f0ba3de1d194382
SHA512

e60b8d2ffebb9bbb27c31b52b0d6c597e0a72486a7865ecee84b40a84f8e9e102353990314d28cf01227a30c5fc3c1f407f38c95c68ec69ca075549dc9ce2085
SSDEEP

6144:F5GZq/Z1IVfA1AbKowcNj/CGYSx3YT+tT8:iZGZ05fwcNj/CDYoCV8

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4940	USBHelperLauncher.exe

Loads dropped DLL 17 IoCs

pid	Process
3404	USBHelperInstaller.exe
3404	USBHelperInstaller.exe
3404	USBHelperInstaller.exe
3404	USBHelperInstaller.exe
3404	USBHelperInstaller.exe
3404	USBHelperInstaller.exe
3404	USBHelperInstaller.exe
3404	USBHelperInstaller.exe
3404	USBHelperInstaller.exe
3404	USBHelperInstaller.exe
3404	USBHelperInstaller.exe
4940	USBHelperLauncher.exe
4940	USBHelperLauncher.exe
4940	USBHelperLauncher.exe
4940	USBHelperLauncher.exe
4940	USBHelperLauncher.exe
4940	USBHelperLauncher.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4940	USBHelperLauncher.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4940	USBHelperLauncher.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 4940	3404	USBHelperInstaller.exe	75
PID 3404 wrote to memory of 4940	3404	USBHelperInstaller.exe	75
PID 3404 wrote to memory of 4940	3404	USBHelperInstaller.exe	75

C:\Users\Admin\AppData\Local\Temp\USBHelperInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\USBHelperInstaller.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Roaming\USBHelperLauncher\USBHelperLauncher.exe
  "C:\Users\Admin\AppData\Roaming\USBHelperLauncher\USBHelperLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nscB344.tmp\modern-wizard.bmp

Filesize
150KB

MD5
458552fed1b2fb2bea3a5c91a120bc33

SHA1
9019e3c885f8451806bb3efd8771a318e3519256

SHA256
b64bc9e71a594bddcec7517f7ec95da74fd1375443cd80be4d98d61b0453d03a

SHA512
969b6cace5383f2aeaf4805a27564efc583524949686d5bf4908660a3bea991e2bb6b1c6aa8bcde48bb0349b53131757664a6aba9f5e9162385f6cfa63cf0075

Download Submit
C:\Users\Admin\AppData\Roaming\USBHelperLauncher\FiddlerCore.dll

Filesize
663KB

MD5
c07eca5cb5fe1d503324de7aa1e7f8d8

SHA1
f022f1629b2fb3dff833d0c3323040c5d6ca3221

SHA256
812d222dfef338f679a78a6012e7f607658d964be431922385306844ed689481

SHA512
3cabc3d8314aeb8f4a14cf7aecb7a2fe1be9aa3d867719cc99bc351fbe57ec9ce3c439f998ae26bff32775536d05e6d072f1db6c6bc105264d4a128994b895e2

Download Submit
C:\Users\Admin\AppData\Roaming\USBHelperLauncher\Newtonsoft.Json.dll

Filesize
638KB

MD5
f33cbe589b769956284868104686cc2d

SHA1
2fb0be100de03680fc4309c9fa5a29e69397a980

SHA256
973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278

SHA512
ffd65f6487bc71c967abcf90a666080c67b8db010d5282d2060c9d87a9828519a14f5d3a6fe76d81e1d3251c2104a2e9e6186af0effd5f331b1342682811ebf4

Download Submit
C:\Users\Admin\AppData\Roaming\USBHelperLauncher\USBHelperLauncher.exe

Filesize
1.0MB

MD5
8f70d1ff80cc4bd5046486699f3e7dbd

SHA1
cb3f1171853b740abdb2216c88588d15dee854f5

SHA256
6095064686dbeab5b9efcb77830030e201456412083be3d66bb7715c89d22d2e

SHA512
29209657e8af3c28f6f9a0ed198b5a799ddef92e346f97995bf1e66d23f997be1e400db96ef7924dfcffc4a2b5c410835a5c6c7277f99e635efa916806976a5e

Download Submit
C:\Users\Admin\AppData\Roaming\USBHelperLauncher\USBHelperLauncher.exe.config

Filesize
462B

MD5
d4a415930c5332d740d7988507bb8760

SHA1
1bd929c20ce81d353c49e76f8d34d21de3cb7ca3

SHA256
17e66105c110625c72f0d3c97190c2a140c0731ef90573e9338c242416d7c1c1

SHA512
fd0e26edaf0b50233c4260242e17e24d7ffc1910fedb15429c12bfd5db2cbe1debcf8306bc26175d50ab0517c5cb0443da6b271c7e56b8dc567e893ab06a7ccf

Download Submit
C:\Users\Admin\AppData\Roaming\USBHelperLauncher\images\3ds\icons\000400000005B100.png

Filesize
1KB

MD5
1ffea73652eb0f2aad2ab59fdf128174

SHA1
08e992b3f695a92fb608c654b0e002f63ae1c699

SHA256
9d89acb30fad432b64c6b945f419b17d452b1b323fdfca1ddaf511798cc45571

SHA512
57d190f31a5c486e3bc942e6a6079fb57767875c1733d1c5de54ab1f80b2e16b98f092a124f802a0712635f260c15cf77554a0cbcd3ac9d6a0553aeca15e9d97

Download Submit
C:\Users\Admin\AppData\Roaming\USBHelperLauncher\images\3ds\icons\00040000000A3D00.png

Filesize
4KB

MD5
1fb7a8746addc58f0b576ed6166a3109

SHA1
31a5ecb55a83f274365794ad85f3c3a32544b9f8

SHA256
dc6368f12f262d2f50638d7fd6658bfe4eba3011a94d7a0f0ea1d202636a6d87

SHA512
4ad404c163caf4e9b0ee03923310887bb195d27ceeb6006e25cb22c8c422502838f7022f2613e5cfd13e5d667563d4df742bb55395911809e92f8648b4fb5a61

Download Submit
\Users\Admin\AppData\Local\Temp\nscB344.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nscB344.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
\Users\Admin\AppData\Local\Temp\nscB344.tmp\nsArray.dll

Filesize
12KB

MD5
0917ee492308b691326e6581e8c793c9

SHA1
ff689c8051ffca7657461ac828bc46e303ab8e59

SHA256
81745087f193b6fa131189f4b3ee9caa93e9692e408d3955fbcb9a4ec8516e2f

SHA512
2a4ae4b93b0eac113a0e65f459798466120f1af4605a82a11f9022d790fe0b4f7d368b312f8a073b1dcfe8760e529ea56a5b5d4289321dc9f2fc8a22691b42b5

Download Submit
\Users\Admin\AppData\Local\Temp\nscB344.tmp\nsDialogs.dll

Filesize
9KB

MD5
ab101f38562c8545a641e95172c354b4

SHA1
ec47ac5449f6ee4b14f6dd7ddde841a3e723e567

SHA256
3cdf3e24c87666ed5c582b8b028c01ee6ac16d5a9b8d8d684ae67605376786ea

SHA512
72d4b6dc439f40b7d68b03353a748fc3ad7ed10b0401741c5030705d9b1adef856406075e9ce4f1a08e4345a16e1c759f636c38ad92a57ef369867a9533b7037

Download Submit
\Users\Admin\AppData\Local\Temp\nscB344.tmp\nsJSON.dll

Filesize
22KB

MD5
c8222584e91b74c47f5ce2a84d1cdc4f

SHA1
750359dd536c840b1d4016826af7f34a8562e242

SHA256
6785ab17a6c27be18072aa1c274078321b4ea27bfa752d3c882ec3093dc4637b

SHA512
a89f0083c791e7d4d54fd728e848e44bd44ef9e11c799a48ab95a48d3c4e02e68699e28818c1232b694120973ac0c3e418740759830ef70d328d7ef9e5789f51

Download Submit
\Users\Admin\AppData\Local\Temp\nscB344.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit
\Users\Admin\AppData\Local\Temp\nscB344.tmp\xml.dll

Filesize
118KB

MD5
42df1fbaa87567adf2b4050805a1a545

SHA1
b892a6efbb39b7144248e0c0d79e53da474a9373

SHA256
e900fcb9d598643eb0ee3e4005da925e73e70dbaa010edc4473e99ea0638b845

SHA512
4537d408e2f54d07b018907c787da6c7340f909a1789416de33d090055eda8918f338d8571bc3b438dd89e5e03e0ded70c86702666f12adb98523a91cbb1de1d

Download Submit
\Users\Admin\AppData\Roaming\USBHelperLauncher\USBHelperInjector.dll

Filesize
345KB

MD5
6fdc30f67fe4ad3dc1c1f25e6d91e0e6

SHA1
8fd1daff6ac36db310e8c6dfad31def54d59c375

SHA256
b3322e41f4402149ff59fed7b38b26eafc174ae9eb299bf1ede270281be8e17f

SHA512
a44102d331c8b960778a3c28b8515e60e360d443f12523a21606be08bae37688863514db0659397ca39c2b3f5827179db08b27785919ff2e1a0f949d5c3c8152

Download Submit
memory/4940-852-0x00000000734B0000-0x0000000073B9E000-memory.dmp

Filesize
6.9MB

Download
memory/4940-858-0x0000000005600000-0x00000000056AC000-memory.dmp

Filesize
688KB

Download
memory/4940-859-0x0000000006030000-0x000000000652E000-memory.dmp

Filesize
5.0MB

Download
memory/4940-863-0x0000000005BD0000-0x0000000005C2C000-memory.dmp

Filesize
368KB

Download
memory/4940-854-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/4940-867-0x0000000005CE0000-0x0000000005D86000-memory.dmp

Filesize
664KB

Download
memory/4940-853-0x0000000000C50000-0x0000000000D5C000-memory.dmp

Filesize
1.0MB

Download
memory/4940-868-0x0000000005CA0000-0x0000000005D52000-memory.dmp

Filesize
712KB

Download
memory/4940-869-0x0000000005DF0000-0x0000000005E82000-memory.dmp

Filesize
584KB

Download
memory/4940-870-0x0000000006B40000-0x0000000007146000-memory.dmp

Filesize
6.0MB

Download
memory/4940-871-0x0000000006570000-0x0000000006592000-memory.dmp

Filesize
136KB

Download
memory/4940-872-0x00000000065A0000-0x00000000068F0000-memory.dmp

Filesize
3.3MB

Download