Analysis
max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/07/2023, 16:26
Static task: static1
Behavioral task: behavioral1
  Sample: 812ecd245c7309exeexeexeex.exe
  Resource: win7-20230705-en
Behavioral task: behavioral2
  Sample: 812ecd245c7309exeexeexeex.exe
  Resource: win10v2004-20230703-en
General
Target: 812ecd245c7309exeexeexeex.exe
Size: 56KB
MD5: 812ecd245c7309f4b12a403d42f754c5
SHA1: f34ad5dd0ab7ce4de779f8e7ce5066975f9ef6a4
SHA256: fcc4b5aae15a02561d00036c6924011e45acefb0eccbcd4c88ec1c9e7bd04821
SHA512: db84c03a4c4badef841729d06f6ceeecec4a3f554a60b48d7c50eb6c2a866cd32f8d8f9405cc0b4146af20c0d2720b2458e5803b1bbdf0099f339f90542328c6
SSDEEP: 1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1xzp0oj67Jg:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7e
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | 812ecd245c7309exeexeexeex.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | hurok.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  4704 | hurok.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1276 wrote to memory of 4704 | 1276 | 812ecd245c7309exeexeexeex.exe | 85
  PID 1276 wrote to memory of 4704 | 1276 | 812ecd245c7309exeexeexeex.exe | 85
  PID 1276 wrote to memory of 4704 | 1276 | 812ecd245c7309exeexeexeex.exe | 85
Processes
1. C:\Users\Admin\AppData\Local\Temp\812ecd245c7309exeexeexeex.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\812ecd245c7309exeexeexeex.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 1276
   2. C:\Users\Admin\AppData\Local\Temp\hurok.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
      - Checks computer location settings
      - Executes dropped EXE
      PID: 4704
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 57KB
MD5: a371a65361464019b7f5fe0215d57706
SHA1: a4bf17e3c5838fac49bf0b3afb194127180a04b4
SHA256: 117bfc74606d03ef7797499a0e57ee25cd64100815f9a5d9604f5761bcfa745f
SHA512: e7e8ef07f31ef9e5e0701fc4359ef7341b11150ebd38d279f63855076e2a1b22788aa46e221f13b352ef2d085852a6a16692a8d7c9aa94dd3f96f6e9c4a17869