17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 19:19

Target

17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6.exe
Size

384KB
MD5

439d4a59b2b1f8daf1e4f8533e7af59e
SHA1

79452ba43ca5aac885ff8875de49b2fb1cea1a2c
SHA256

17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6
SHA512

9df0965ba18ebb0655db4ebab62f37e25720f7aaaf781ee4495dd82f71cbbe80493348ce01c94044dde03b59f674fe75cb440eb6a278bb0f4f98bc351985c541
SSDEEP

6144:InqQjhIlSAzZ02GANJQttkEjiPISUOgW9X+hOGzC/NM:InRbnANJQttkmZzcukG2/

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1388	USLHRBW.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\windows\USLHRBW.exe	17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6.exe
File created	C:\windows\USLHRBW.exe.bat	17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6.exe
File created	C:\windows\USLHRBW.exe	17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2204	17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6.exe
1388	USLHRBW.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2212	2204	17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6.exe	29
PID 2204 wrote to memory of 2212	2204	17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6.exe	29
PID 2204 wrote to memory of 2212	2204	17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6.exe	29
PID 2204 wrote to memory of 2212	2204	17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6.exe	29
PID 2212 wrote to memory of 1388	2212	cmd.exe	31
PID 2212 wrote to memory of 1388	2212	cmd.exe	31
PID 2212 wrote to memory of 1388	2212	cmd.exe	31
PID 2212 wrote to memory of 1388	2212	cmd.exe	31

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\USLHRBW.exe.bat

Filesize
60B

MD5
a10b53f3f3460da0348afc793858ac85

SHA1
9b6a2e8be85cab3ffebb4890d2369f59d19c83e6

SHA256
04055e0b831cb67ed6dfea499da72972fd38ea65638b839c03ba5c9b2f25cb64

SHA512
18714f8aae5d1bf18cd88c5ab239c8fbae86c8c614b49ea84ad7459faf793c7b4c0132a6d7a621ded441232977032ef2c80aa2b0c17f92e774a96cb7ab8fa132

Download Submit
C:\windows\USLHRBW.exe

Filesize
384KB

MD5
41501d4c1170b7005b53601e10846ae5

SHA1
ef25da75773f830f7df8eb8360721307a90db8d6

SHA256
1c883c4c0fff21c378bea27b0284d08d40bccae757751506ba25f09a8f89f459

SHA512
87e80057b19c09d923250829be1ed2ab2caca959f337d2296cf7839caae710b3ed5ccf3c551708d55744271ea86f799bf433a4addf3eae876f413208ab1902c6

Download Submit
memory/1388-17-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1388-18-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2204-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2204-12-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2212-15-0x0000000000470000-0x00000000004A9000-memory.dmp

Filesize
228KB

Download