42d6638f12c8316392fd9e0d0a1c34ac1336d9019d937ab78fd5274df95b30de

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abb6192a527cafexeexeexeex.exe
Size

63KB
MD5

abb6192a527caf77089d3132f0e0b80c
SHA1

c0cddc03d33a9de5d44dd5e3b87c9953fcda0bf6
SHA256

42d6638f12c8316392fd9e0d0a1c34ac1336d9019d937ab78fd5274df95b30de
SHA512

0a869c7f93111d665102fe1350f2f5cb3511170f14114c0a395e0b3b92fe0be17ceb219eee2a91080a239f4bb2a6f7ca74ebe2c72a2059e8adc76bd4bd514816
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1xo3/nyxV21iqn:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7J

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	abb6192a527cafexeexeexeex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

pid	Process
2096	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2096	1368	abb6192a527cafexeexeexeex.exe	83
PID 1368 wrote to memory of 2096	1368	abb6192a527cafexeexeexeex.exe	83
PID 1368 wrote to memory of 2096	1368	abb6192a527cafexeexeexeex.exe	83

C:\Users\Admin\AppData\Local\Temp\abb6192a527cafexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\abb6192a527cafexeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
64KB

MD5
17a90239a6f240966fd22ce104cdbf96

SHA1
5699a905dde1a754d861ed205538b28f41387abd

SHA256
e8c562d93712dc4faa807d98be203e0e0a185d26cbe02b16eb7509b36208d25d

SHA512
db1f86da1e1aa2cb0d299bfed4a6a767ea96f3e7321b6b46c8fb5a7431a9c62675df1d26d75c2e9aece2e3215224b801900837ce039c79f9b4a7975c12baa85d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
64KB

MD5
17a90239a6f240966fd22ce104cdbf96

SHA1
5699a905dde1a754d861ed205538b28f41387abd

SHA256
e8c562d93712dc4faa807d98be203e0e0a185d26cbe02b16eb7509b36208d25d

SHA512
db1f86da1e1aa2cb0d299bfed4a6a767ea96f3e7321b6b46c8fb5a7431a9c62675df1d26d75c2e9aece2e3215224b801900837ce039c79f9b4a7975c12baa85d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
64KB

MD5
17a90239a6f240966fd22ce104cdbf96

SHA1
5699a905dde1a754d861ed205538b28f41387abd

SHA256
e8c562d93712dc4faa807d98be203e0e0a185d26cbe02b16eb7509b36208d25d

SHA512
db1f86da1e1aa2cb0d299bfed4a6a767ea96f3e7321b6b46c8fb5a7431a9c62675df1d26d75c2e9aece2e3215224b801900837ce039c79f9b4a7975c12baa85d

Download Submit
memory/1368-133-0x0000000000500000-0x0000000000506000-memory.dmp

Filesize
24KB

Download
memory/1368-134-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download