5391070e7ff41bdb5e8370dc9662c877adfe32a1b56a5450d17da73ef95f9c51

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2023, 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc7ca297a9bfb1exeexeexeex.exe
Size

63KB
MD5

fc7ca297a9bfb1ba15de96fe2340c43e
SHA1

beb4044de73d2ce34fbe922dd69aa9466a653e27
SHA256

5391070e7ff41bdb5e8370dc9662c877adfe32a1b56a5450d17da73ef95f9c51
SHA512

ede12b1046ebaaed114364d2bcfafaa0ded2c832c3fffd13c0a8ca1f44f003c9069babcc43ab504c79c77d34aa1d953a44651a9dc81a8ca9853503e545799e7c
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1xo3/nyxV2N:aq7tdgI2MyzNORQtOflIwoHNV2XBFV75

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	fc7ca297a9bfb1exeexeexeex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

pid	Process
3124	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 3124	3540	fc7ca297a9bfb1exeexeexeex.exe	85
PID 3540 wrote to memory of 3124	3540	fc7ca297a9bfb1exeexeexeex.exe	85
PID 3540 wrote to memory of 3124	3540	fc7ca297a9bfb1exeexeexeex.exe	85

C:\Users\Admin\AppData\Local\Temp\fc7ca297a9bfb1exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\fc7ca297a9bfb1exeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
63KB

MD5
a227e16a2237cbaa9bcd46f31aa65416

SHA1
516267688fc129c0474e00ac870449ed61c382d6

SHA256
519f0475d35ecdb6ed4703588ff447ed9a7cda6cdc49c6cd91486432cf2219d6

SHA512
3a0b2c0d90f82dc962756d83b629060ff4b0da587306776c93fe9282b1b17319ae34989ffa846c8045436403aa7e5cb42d0eee357de9d6560a9c1480ef925cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
63KB

MD5
a227e16a2237cbaa9bcd46f31aa65416

SHA1
516267688fc129c0474e00ac870449ed61c382d6

SHA256
519f0475d35ecdb6ed4703588ff447ed9a7cda6cdc49c6cd91486432cf2219d6

SHA512
3a0b2c0d90f82dc962756d83b629060ff4b0da587306776c93fe9282b1b17319ae34989ffa846c8045436403aa7e5cb42d0eee357de9d6560a9c1480ef925cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
63KB

MD5
a227e16a2237cbaa9bcd46f31aa65416

SHA1
516267688fc129c0474e00ac870449ed61c382d6

SHA256
519f0475d35ecdb6ed4703588ff447ed9a7cda6cdc49c6cd91486432cf2219d6

SHA512
3a0b2c0d90f82dc962756d83b629060ff4b0da587306776c93fe9282b1b17319ae34989ffa846c8045436403aa7e5cb42d0eee357de9d6560a9c1480ef925cc3

Download Submit
memory/3540-133-0x0000000002260000-0x0000000002266000-memory.dmp

Filesize
24KB

Download
memory/3540-134-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download