fcc4b5aae15a02561d00036c6924011e45acefb0eccbcd4c88ec1c9e7bd04821

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

812ecd245c7309exeexeexeex.exe
Size

56KB
MD5

812ecd245c7309f4b12a403d42f754c5
SHA1

f34ad5dd0ab7ce4de779f8e7ce5066975f9ef6a4
SHA256

fcc4b5aae15a02561d00036c6924011e45acefb0eccbcd4c88ec1c9e7bd04821
SHA512

db84c03a4c4badef841729d06f6ceeecec4a3f554a60b48d7c50eb6c2a866cd32f8d8f9405cc0b4146af20c0d2720b2458e5803b1bbdf0099f339f90542328c6
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1xzp0oj67Jg:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7e

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	812ecd245c7309exeexeexeex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

pid	Process
4704	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 4704	1276	812ecd245c7309exeexeexeex.exe	85
PID 1276 wrote to memory of 4704	1276	812ecd245c7309exeexeexeex.exe	85
PID 1276 wrote to memory of 4704	1276	812ecd245c7309exeexeexeex.exe	85

C:\Users\Admin\AppData\Local\Temp\812ecd245c7309exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\812ecd245c7309exeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
57KB

MD5
a371a65361464019b7f5fe0215d57706

SHA1
a4bf17e3c5838fac49bf0b3afb194127180a04b4

SHA256
117bfc74606d03ef7797499a0e57ee25cd64100815f9a5d9604f5761bcfa745f

SHA512
e7e8ef07f31ef9e5e0701fc4359ef7341b11150ebd38d279f63855076e2a1b22788aa46e221f13b352ef2d085852a6a16692a8d7c9aa94dd3f96f6e9c4a17869

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
57KB

MD5
a371a65361464019b7f5fe0215d57706

SHA1
a4bf17e3c5838fac49bf0b3afb194127180a04b4

SHA256
117bfc74606d03ef7797499a0e57ee25cd64100815f9a5d9604f5761bcfa745f

SHA512
e7e8ef07f31ef9e5e0701fc4359ef7341b11150ebd38d279f63855076e2a1b22788aa46e221f13b352ef2d085852a6a16692a8d7c9aa94dd3f96f6e9c4a17869

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
57KB

MD5
a371a65361464019b7f5fe0215d57706

SHA1
a4bf17e3c5838fac49bf0b3afb194127180a04b4

SHA256
117bfc74606d03ef7797499a0e57ee25cd64100815f9a5d9604f5761bcfa745f

SHA512
e7e8ef07f31ef9e5e0701fc4359ef7341b11150ebd38d279f63855076e2a1b22788aa46e221f13b352ef2d085852a6a16692a8d7c9aa94dd3f96f6e9c4a17869

Download Submit
memory/1276-133-0x0000000000750000-0x0000000000756000-memory.dmp

Filesize
24KB

Download
memory/1276-134-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download