Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/07/2023, 16:08 UTC

General

  • Target

    d19312ee85bd12exeexeexeex.exe

  • Size

    42KB

  • MD5

    d19312ee85bd1234950bac0c5ba1e894

  • SHA1

    eda2ad1051c2f656411c47bee5727ef347fbb81e

  • SHA256

    edb81fb6bc2cd5b8d32e0e8389d36e2e5acc9de7c97f898036731f06e7bad979

  • SHA512

    abb42a90d13c496b9866122c26f084cafae853f8b6429c112be00124bcaa61a7bfc8ceca1f17002fa2badfccbe8ac2bdc00b8d07840e028d554fbbbdb94dfc19

  • SSDEEP

    768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGpebVIYLHA3KxG:o1KhxqwtdgI2MyzNORQtOflIwoHNV2Xb

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d19312ee85bd12exeexeexeex.exe
    "C:\Users\Admin\AppData\Local\Temp\d19312ee85bd12exeexeexeex.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Users\Admin\AppData\Local\Temp\hurok.exe
      "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      PID:4888

Network

  • flag-us
    DNS
    76.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    gemlttwi.com
    hurok.exe
    Remote address:
    8.8.8.8:53
    Request
    gemlttwi.com
    IN A
    Response
    gemlttwi.com
    IN A
    192.185.35.56
  • flag-us
    GET
    https://gemlttwi.com/tech/2mr.exe
    hurok.exe
    Remote address:
    192.185.35.56:443
    Request
    GET /tech/2mr.exe HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Host: gemlttwi.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Mon, 10 Jul 2023 16:08:29 GMT
    Server: Apache
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Link: <https://gemlttwi.com/wp-json/>; rel="https://api.w.org/"
    Upgrade: h2,h2c
    Connection: Upgrade
    Vary: Accept-Encoding
    X-Endurance-Cache-Level: 2
    X-nginx-cache: WordPress
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    56.35.185.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.35.185.192.in-addr.arpa
    IN PTR
    Response
    56.35.185.192.in-addr.arpa
    IN PTR
    immacbytescom
  • flag-us
    DNS
    101.14.18.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    101.14.18.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    101.15.18.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    101.15.18.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    254.178.238.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    254.178.238.8.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    45.8.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    45.8.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    69.121.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    69.121.18.2.in-addr.arpa
    IN PTR
    Response
    69.121.18.2.in-addr.arpa
    IN PTR
    a2-18-121-69deploystaticakamaitechnologiescom
  • flag-us
    DNS
    84.65.42.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    84.65.42.20.in-addr.arpa
    IN PTR
    Response
  • 192.185.35.56:443
    https://gemlttwi.com/tech/2mr.exe
    tls, http
    hurok.exe
    4.7kB
    115.3kB
    92
    89

    HTTP Request

    GET https://gemlttwi.com/tech/2mr.exe

    HTTP Response

    404
  • 8.8.8.8:53
    76.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    76.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    gemlttwi.com
    dns
    hurok.exe
    58 B
    74 B
    1
    1

    DNS Request

    gemlttwi.com

    DNS Response

    192.185.35.56

  • 8.8.8.8:53
    56.35.185.192.in-addr.arpa
    dns
    72 B
    100 B
    1
    1

    DNS Request

    56.35.185.192.in-addr.arpa

  • 8.8.8.8:53
    101.14.18.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    101.14.18.104.in-addr.arpa

  • 8.8.8.8:53
    101.15.18.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    101.15.18.104.in-addr.arpa

  • 8.8.8.8:53
    254.178.238.8.in-addr.arpa
    dns
    72 B
    126 B
    1
    1

    DNS Request

    254.178.238.8.in-addr.arpa

  • 8.8.8.8:53
    45.8.109.52.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    45.8.109.52.in-addr.arpa

  • 8.8.8.8:53
    88.156.103.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    88.156.103.20.in-addr.arpa

  • 8.8.8.8:53
    69.121.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    69.121.18.2.in-addr.arpa

  • 8.8.8.8:53
    84.65.42.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    84.65.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hurok.exe

    Filesize

    42KB

    MD5

    41d38f31bce6e04f6432f6c1178d5b57

    SHA1

    9b01ff342c14b85bc823f02a8e3555e0cd043fff

    SHA256

    74325a720813e28270ee1c03aedf73c3cd0b23988ad2b2d9326777a25db2ad6e

    SHA512

    c3d070e43db73662ef063c9aa3ed5bbdb8aa9c563821de342853707a16b96c7dc27af80647e6543e6292c2c80dd682f268c58a5edbba5233f50b657b3d6b0036

  • C:\Users\Admin\AppData\Local\Temp\hurok.exe

    Filesize

    42KB

    MD5

    41d38f31bce6e04f6432f6c1178d5b57

    SHA1

    9b01ff342c14b85bc823f02a8e3555e0cd043fff

    SHA256

    74325a720813e28270ee1c03aedf73c3cd0b23988ad2b2d9326777a25db2ad6e

    SHA512

    c3d070e43db73662ef063c9aa3ed5bbdb8aa9c563821de342853707a16b96c7dc27af80647e6543e6292c2c80dd682f268c58a5edbba5233f50b657b3d6b0036

  • C:\Users\Admin\AppData\Local\Temp\hurok.exe

    Filesize

    42KB

    MD5

    41d38f31bce6e04f6432f6c1178d5b57

    SHA1

    9b01ff342c14b85bc823f02a8e3555e0cd043fff

    SHA256

    74325a720813e28270ee1c03aedf73c3cd0b23988ad2b2d9326777a25db2ad6e

    SHA512

    c3d070e43db73662ef063c9aa3ed5bbdb8aa9c563821de342853707a16b96c7dc27af80647e6543e6292c2c80dd682f268c58a5edbba5233f50b657b3d6b0036

  • memory/372-133-0x0000000002260000-0x0000000002266000-memory.dmp

    Filesize

    24KB

  • memory/372-134-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.