d58dee396c58033639eac1fa445b0958fed8d8f1f76d5c47a70fde5ecd82531e

Analysis

max time kernel
107s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2023, 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

188859372f5be6exeexeexeex.exe
Size

55KB
MD5

188859372f5be61d14d8fd8b83066460
SHA1

62a3643d75904e0b260743818198b854c9b1203a
SHA256

d58dee396c58033639eac1fa445b0958fed8d8f1f76d5c47a70fde5ecd82531e
SHA512

c61ad4bffdd54de8af21620eb2d433dc9be7b82160a1a19809f1f6d408c21b052d91e9a95604ebec136eec1b0a486f6faaf5e5fb4ef1286330f28c49b017b131
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1xzp0oj67W:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7y

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	hurok.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	188859372f5be6exeexeexeex.exe

Executes dropped EXE 1 IoCs

pid	Process
4140	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 4140	2744	188859372f5be6exeexeexeex.exe	86
PID 2744 wrote to memory of 4140	2744	188859372f5be6exeexeexeex.exe	86
PID 2744 wrote to memory of 4140	2744	188859372f5be6exeexeexeex.exe	86

C:\Users\Admin\AppData\Local\Temp\188859372f5be6exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\188859372f5be6exeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
56KB

MD5
b5be134f494f6beae04063d2d49a0f6e

SHA1
a0e38a06ca42633e79a386235f0ae77ae3546dcc

SHA256
f6da067d8f6c900fd411c7dcf14663f027f120d001f259cfec24be5bbdc1740a

SHA512
f69cd7b27c548246e276f2ef93516732d1110440ef87d9e536b5950e3e192bfeffabc21bc820be5b527d2fd0006bb064c09f8418b953b6d287f620f509c0693f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
56KB

MD5
b5be134f494f6beae04063d2d49a0f6e

SHA1
a0e38a06ca42633e79a386235f0ae77ae3546dcc

SHA256
f6da067d8f6c900fd411c7dcf14663f027f120d001f259cfec24be5bbdc1740a

SHA512
f69cd7b27c548246e276f2ef93516732d1110440ef87d9e536b5950e3e192bfeffabc21bc820be5b527d2fd0006bb064c09f8418b953b6d287f620f509c0693f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
56KB

MD5
b5be134f494f6beae04063d2d49a0f6e

SHA1
a0e38a06ca42633e79a386235f0ae77ae3546dcc

SHA256
f6da067d8f6c900fd411c7dcf14663f027f120d001f259cfec24be5bbdc1740a

SHA512
f69cd7b27c548246e276f2ef93516732d1110440ef87d9e536b5950e3e192bfeffabc21bc820be5b527d2fd0006bb064c09f8418b953b6d287f620f509c0693f

Download Submit
memory/2744-133-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/2744-134-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download