5ee0dcc8a5792354c0d03220bb7d8ef57a98b18fbb9313127b94ff7d5d5a2121

Analysis

max time kernel
139s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2023, 10:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

65dbc9b1db6d69_JC.exe
Size

54KB
MD5

65dbc9b1db6d6920f3c07cec147bb3bb
SHA1

3184cfcb4c9bca6414dc3737b977b38f38207498
SHA256

5ee0dcc8a5792354c0d03220bb7d8ef57a98b18fbb9313127b94ff7d5d5a2121
SHA512

60ee503f336837eb3210ebc6c487f302fc4205f253c98be05173df2f895c6b210bab637bd1ed4d24e48b8a4ee1763957f427a321d09022a98fcca11dff87b6f1
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1xzp0ojjl:aq7tdgI2MyzNORQtOflIwoHNV2XBFV74

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	hurok.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	65dbc9b1db6d69_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
712	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 712	2912	65dbc9b1db6d69_JC.exe	88
PID 2912 wrote to memory of 712	2912	65dbc9b1db6d69_JC.exe	88
PID 2912 wrote to memory of 712	2912	65dbc9b1db6d69_JC.exe	88

C:\Users\Admin\AppData\Local\Temp\65dbc9b1db6d69_JC.exe
"C:\Users\Admin\AppData\Local\Temp\65dbc9b1db6d69_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
54KB

MD5
048926e3d7938fec935454e11fb2739e

SHA1
08a82ee76e15afb0f0e0a88733afce87cfc3b589

SHA256
af50b79445d35a01b18fc21ba971dbb62b07b5c7a2eb8ea0366660786f06b8ed

SHA512
e7199244c9692192191f97d7a7fa609d4cfc15a03c1f142b6b3894638fd7da8a27fd7c079b66193917fb282ae34b286e18437ff68c7f7ada8786e4eadd6cff8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
54KB

MD5
048926e3d7938fec935454e11fb2739e

SHA1
08a82ee76e15afb0f0e0a88733afce87cfc3b589

SHA256
af50b79445d35a01b18fc21ba971dbb62b07b5c7a2eb8ea0366660786f06b8ed

SHA512
e7199244c9692192191f97d7a7fa609d4cfc15a03c1f142b6b3894638fd7da8a27fd7c079b66193917fb282ae34b286e18437ff68c7f7ada8786e4eadd6cff8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
54KB

MD5
048926e3d7938fec935454e11fb2739e

SHA1
08a82ee76e15afb0f0e0a88733afce87cfc3b589

SHA256
af50b79445d35a01b18fc21ba971dbb62b07b5c7a2eb8ea0366660786f06b8ed

SHA512
e7199244c9692192191f97d7a7fa609d4cfc15a03c1f142b6b3894638fd7da8a27fd7c079b66193917fb282ae34b286e18437ff68c7f7ada8786e4eadd6cff8e

Download Submit
memory/712-155-0x0000000001FC0000-0x0000000001FC6000-memory.dmp

Filesize
24KB

Download
memory/2912-136-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/2912-137-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/2912-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download