Analysis
max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/07/2023, 16:49
Static task: static1
Behavioral task: behavioral1
  Sample: b8133cd23e0339exeexeexeex.exe
  Resource: win7-20230703-en
Behavioral task: behavioral2
  Sample: b8133cd23e0339exeexeexeex.exe
  Resource: win10v2004-20230703-en
General
Target: b8133cd23e0339exeexeexeex.exe
Size: 56KB
MD5: b8133cd23e0339622a9d309b26fc225e
SHA1: e3acd917e320e6f23f89b8a04b2c3b00c9ce5471
SHA256: 1986f11c4b5a340f414945161f10ee2fea891bf5a51380e5c60198a7fba74fea
SHA512: f66806ba460ca66dfafdec5ca5cd648278d532edd4b257aa84601f2e9fa131b06b3c326a2eb081d9dc83f4a8cd143c3a9a98c1c66b05fe0c9aa605d8eca41f9e
SSDEEP: 1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1xzp0oj67JC:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7U
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                              Process
  Key value queried   \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation   b8133cd23e0339exeexeexeex.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation   hurok.exe
- Executes dropped EXE (1 IoCs)
  pid    Process
  4588   hurok.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid    Process                          procid_target
  PID 3936 wrote to memory of 4588    3936   b8133cd23e0339exeexeexeex.exe    85
  PID 3936 wrote to memory of 4588    3936   b8133cd23e0339exeexeexeex.exe    85
  PID 3936 wrote to memory of 4588    3936   b8133cd23e0339exeexeexeex.exe    85
Processes
C:\Users\Admin\AppData\Local\Temp\b8133cd23e0339exeexeexeex.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8133cd23e0339exeexeexeex.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3936
  C:\Users\Admin\AppData\Local\Temp\hurok.exe (child of PID 3936)
    Command line: "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
    - Checks computer location settings
    - Executes dropped EXE
    PID:4588
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 57KB
MD5: 7ccc1ae81be8f4553d3563be5534f89e
SHA1: 31e7897bc17d6fdf256cafc3f793a7bd3882ddc4
SHA256: 4d2b202b232754557b672e3c92c2fbcd33d410268d3dc8ed2720b034496eaca1
SHA512: 605b3a904aff9ca4a024e5e1c18eaba40c9c23dc64b3cd502c01e1ba34cf3559dd64b66c8bd32060d4d9615e953635abcda11362616c929adea7ae0598ff620c