43cdf3115af291203532ee5b830f5dbf1d7dec693de559a7491827f538efd555

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 15:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b2a6df014fe06aexeexeexeex.exe
Size

64KB
MD5

b2a6df014fe06af18f5a5bce6243206c
SHA1

f056963beb271258e2baff79ced8cd2e82960066
SHA256

43cdf3115af291203532ee5b830f5dbf1d7dec693de559a7491827f538efd555
SHA512

575313e5b07ba4a0fbca6191d2fd344930fa5863f548807bafe2c40bbf94c831c2fb88b84e52cbd522223f63a583e43c26576e333d361fc633bf176fdcf48535
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1xo3/nyxEK:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7e

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	b2a6df014fe06aexeexeexeex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

pid	Process
2124	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 2124	3192	b2a6df014fe06aexeexeexeex.exe	87
PID 3192 wrote to memory of 2124	3192	b2a6df014fe06aexeexeexeex.exe	87
PID 3192 wrote to memory of 2124	3192	b2a6df014fe06aexeexeexeex.exe	87

C:\Users\Admin\AppData\Local\Temp\b2a6df014fe06aexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\b2a6df014fe06aexeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
64KB

MD5
a352bd8e5bb096c41bff9fe05fc9e477

SHA1
8e01a2cee5f6d39ce30f2ac007313cba8f052fce

SHA256
5571b7e746f11e33e3b8bc0e3365d7d797c04ab39a4dca8875c630263e82f96c

SHA512
3ddc7a3610255bddd7dd6f05e8385735fa4ea3ffbe8728ece3148fec689f6327b4c2b1f9f1b930655f09d63dfb03f38f1fd248b9e46e26a7717909231f04011b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
64KB

MD5
a352bd8e5bb096c41bff9fe05fc9e477

SHA1
8e01a2cee5f6d39ce30f2ac007313cba8f052fce

SHA256
5571b7e746f11e33e3b8bc0e3365d7d797c04ab39a4dca8875c630263e82f96c

SHA512
3ddc7a3610255bddd7dd6f05e8385735fa4ea3ffbe8728ece3148fec689f6327b4c2b1f9f1b930655f09d63dfb03f38f1fd248b9e46e26a7717909231f04011b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
64KB

MD5
a352bd8e5bb096c41bff9fe05fc9e477

SHA1
8e01a2cee5f6d39ce30f2ac007313cba8f052fce

SHA256
5571b7e746f11e33e3b8bc0e3365d7d797c04ab39a4dca8875c630263e82f96c

SHA512
3ddc7a3610255bddd7dd6f05e8385735fa4ea3ffbe8728ece3148fec689f6327b4c2b1f9f1b930655f09d63dfb03f38f1fd248b9e46e26a7717909231f04011b

Download Submit
memory/3192-133-0x0000000000500000-0x0000000000506000-memory.dmp

Filesize
24KB

Download
memory/3192-134-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download