Analysis
- max time kernel: 142s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/07/2023, 11:44
Static task: static1
Behavioral task: behavioral1
- Sample: abb6192a527cafexeexeexeex.exe
- Resource: win7-20230703-en
Behavioral task: behavioral2
- Sample: abb6192a527cafexeexeexeex.exe
- Resource: win10v2004-20230703-en
General
- Target: abb6192a527cafexeexeexeex.exe
- Size: 63KB
- MD5: abb6192a527caf77089d3132f0e0b80c
- SHA1: c0cddc03d33a9de5d44dd5e3b87c9953fcda0bf6
- SHA256: 42d6638f12c8316392fd9e0d0a1c34ac1336d9019d937ab78fd5274df95b30de
- SHA512: 0a869c7f93111d665102fe1350f2f5cb3511170f14114c0a395e0b3b92fe0be17ceb219eee2a91080a239f4bb2a6f7ca74ebe2c72a2059e8adc76bd4bd514816
- SSDEEP: 1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1xo3/nyxV21iqn:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7J
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation (process: abb6192a527cafexeexeexeex.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation (process: hurok.exe)
- Executes dropped EXE (1 IoC)
  PID 2096: hurok.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1368 (abb6192a527cafexeexeexeex.exe) wrote to memory of PID 2096, procid_target 83 (3 identical IoC rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\abb6192a527cafexeexeexeex.exe (PID 1368)
  command line: "C:\Users\Admin\AppData\Local\Temp\abb6192a527cafexeexeexeex.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\hurok.exe (PID 2096)
    command line: "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
    - Checks computer location settings
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 64KB
  MD5: 17a90239a6f240966fd22ce104cdbf96
  SHA1: 5699a905dde1a754d861ed205538b28f41387abd
  SHA256: e8c562d93712dc4faa807d98be203e0e0a185d26cbe02b16eb7509b36208d25d
  SHA512: db1f86da1e1aa2cb0d299bfed4a6a767ea96f3e7321b6b46c8fb5a7431a9c62675df1d26d75c2e9aece2e3215224b801900837ce039c79f9b4a7975c12baa85d