edb81fb6bc2cd5b8d32e0e8389d36e2e5acc9de7c97f898036731f06e7bad979

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2023, 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d19312ee85bd12exeexeexeex.exe
Size

42KB
MD5

d19312ee85bd1234950bac0c5ba1e894
SHA1

eda2ad1051c2f656411c47bee5727ef347fbb81e
SHA256

edb81fb6bc2cd5b8d32e0e8389d36e2e5acc9de7c97f898036731f06e7bad979
SHA512

abb42a90d13c496b9866122c26f084cafae853f8b6429c112be00124bcaa61a7bfc8ceca1f17002fa2badfccbe8ac2bdc00b8d07840e028d554fbbbdb94dfc19
SSDEEP

768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGpebVIYLHA3KxG:o1KhxqwtdgI2MyzNORQtOflIwoHNV2Xb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	d19312ee85bd12exeexeexeex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

pid	Process
4888	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 4888	372	d19312ee85bd12exeexeexeex.exe	84
PID 372 wrote to memory of 4888	372	d19312ee85bd12exeexeexeex.exe	84
PID 372 wrote to memory of 4888	372	d19312ee85bd12exeexeexeex.exe	84

C:\Users\Admin\AppData\Local\Temp\d19312ee85bd12exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\d19312ee85bd12exeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:372
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
42KB

MD5
41d38f31bce6e04f6432f6c1178d5b57

SHA1
9b01ff342c14b85bc823f02a8e3555e0cd043fff

SHA256
74325a720813e28270ee1c03aedf73c3cd0b23988ad2b2d9326777a25db2ad6e

SHA512
c3d070e43db73662ef063c9aa3ed5bbdb8aa9c563821de342853707a16b96c7dc27af80647e6543e6292c2c80dd682f268c58a5edbba5233f50b657b3d6b0036

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
42KB

MD5
41d38f31bce6e04f6432f6c1178d5b57

SHA1
9b01ff342c14b85bc823f02a8e3555e0cd043fff

SHA256
74325a720813e28270ee1c03aedf73c3cd0b23988ad2b2d9326777a25db2ad6e

SHA512
c3d070e43db73662ef063c9aa3ed5bbdb8aa9c563821de342853707a16b96c7dc27af80647e6543e6292c2c80dd682f268c58a5edbba5233f50b657b3d6b0036

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
42KB

MD5
41d38f31bce6e04f6432f6c1178d5b57

SHA1
9b01ff342c14b85bc823f02a8e3555e0cd043fff

SHA256
74325a720813e28270ee1c03aedf73c3cd0b23988ad2b2d9326777a25db2ad6e

SHA512
c3d070e43db73662ef063c9aa3ed5bbdb8aa9c563821de342853707a16b96c7dc27af80647e6543e6292c2c80dd682f268c58a5edbba5233f50b657b3d6b0036

Download Submit
memory/372-133-0x0000000002260000-0x0000000002266000-memory.dmp

Filesize
24KB

Download
memory/372-134-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download