475016109cacedee9becb5068e8deb3d91342cf21f99d52ae27787dd9e35d039

Analysis

max time kernel
140s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 20:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ee73596f0db4fd7c47e26c0c72470ae0.exe
Size

32KB
MD5

ee73596f0db4fd7c47e26c0c72470ae0
SHA1

9452944f345625683a7260c080c08a8631b98b92
SHA256

475016109cacedee9becb5068e8deb3d91342cf21f99d52ae27787dd9e35d039
SHA512

c2cc54769855c2f8954d8773fb2ae77e201e755087930a6de3689052f5314435cec8cad0316a09cbaaffce84fc34a41b4e867b7db30e3010113d206aaaeb69a7
SSDEEP

768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGp/YIm7xl:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XA

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ee73596f0db4fd7c47e26c0c72470ae0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

pid	Process
4120	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 4120	4216	ee73596f0db4fd7c47e26c0c72470ae0.exe	97
PID 4216 wrote to memory of 4120	4216	ee73596f0db4fd7c47e26c0c72470ae0.exe	97
PID 4216 wrote to memory of 4120	4216	ee73596f0db4fd7c47e26c0c72470ae0.exe	97

C:\Users\Admin\AppData\Local\Temp\ee73596f0db4fd7c47e26c0c72470ae0.exe
"C:\Users\Admin\AppData\Local\Temp\ee73596f0db4fd7c47e26c0c72470ae0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4484 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
33KB

MD5
05e6b36255662204df3d341e44a15ea0

SHA1
a6f30ec693d84b77ab0e36046db296964eba3890

SHA256
77caf1e0a6a1417b507d3b7d2efdcdedc7953200b8fed9e3604b9f94c3d7bb9f

SHA512
115a23a42e6339412cc6c0172c12876c7bc6c8c9ed786a081aeccbc8400bb45ab321376f9720bbac9dc23c136b71de89a11d28270343f1f7ef168086a7179a61

Download Submit
memory/4120-20-0x00000000020C0000-0x00000000020C6000-memory.dmp

Filesize
24KB

Download
memory/4216-0-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/4216-1-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/4216-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download