Analysis
max time kernel: 91s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-07-2024 01:52
Static task: static1
Behavioral task: behavioral1
  Sample: 7d495052aac7e42df01f5a6cb0a24930N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 7d495052aac7e42df01f5a6cb0a24930N.exe
  Resource: win10v2004-20240709-en
General
Target: 7d495052aac7e42df01f5a6cb0a24930N.exe
Size: 39KB
MD5: 7d495052aac7e42df01f5a6cb0a24930
SHA1: 416e46646bb1b399cf196bb104b040eef71de9bc
SHA256: 4dfa3aa3dc6fffa9ff8ceabe1d8b1e5fdd49d6aaa834838fca252a329c528b7d
SHA512: 3a55d37a7cfdfd81114a616886ceca5ecee582d21c7c4d1767fdad1bccb12ecfde5db077d77c11e3930e4903aca8372d9e0543483ab7c83b947d69f5c03b29db
SSDEEP: 768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGp/YIm7wm0Upad:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XB
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence. Note that this value (the user's GeoID) is also what GetUserGeoID returns, and many benign applications read it, so on its own this is weak evidence of geofencing.
Processes: 7d495052aac7e42df01f5a6cb0a24930N.exe, hurok.exe
  description       | ioc                                                                                                    | process
  Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | 7d495052aac7e42df01f5a6cb0a24930N.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | hurok.exe
Executes dropped EXE (1 IoC)
Processes: hurok.exe
  pid  | process
  3084 | hurok.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 7d495052aac7e42df01f5a6cb0a24930N.exe, hurok.exe
  description | ioc                                                       | process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7d495052aac7e42df01f5a6cb0a24930N.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hurok.exe
Suspicious use of WriteProcessMemory (3 IoCs)
All three writes go from the parent (PID 4752) into the child it spawns (PID 3084, hurok.exe). A creating process also writes into its new child's address space as part of ordinary process creation, so this signature by itself does not establish code injection; the dumped memory regions under Downloads are the place to look for injected content.
Processes: 7d495052aac7e42df01f5a6cb0a24930N.exe
  description                    | pid  | process                               | target process
  PID 4752 wrote to memory of 3084 | 4752 | 7d495052aac7e42df01f5a6cb0a24930N.exe | hurok.exe
  PID 4752 wrote to memory of 3084 | 4752 | 7d495052aac7e42df01f5a6cb0a24930N.exe | hurok.exe
  PID 4752 wrote to memory of 3084 | 4752 | 7d495052aac7e42df01f5a6cb0a24930N.exe | hurok.exe
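The signature rows above are flattened one-line records. The following parser, an added example that is not part of this report or of the sandbox tooling, turns the registry and WriteProcessMemory rows into structured indicators: it normalizes the NT-native key paths (dropping the per-host user SID so the IoCs compare across machines), rebuilds the parent-to-child write count, and tags the registry keys with ATT&CK technique IDs. The technique table and the input rows are this example's own construction; the report itself lists no technique IDs.

```python
"""Parse flattened sandbox signature rows into structured IoCs.

Added example for this page, not code from the report or the sandbox.
The ATT&CK mapping below is the example's own assumption.
"""
import re
from collections import Counter, defaultdict

# Constructed input: the IoC rows copied from the Signatures section above.
REPORT_LINES = [
    r"Key value queried \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation 7d495052aac7e42df01f5a6cb0a24930N.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation hurok.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7d495052aac7e42df01f5a6cb0a24930N.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hurok.exe",
    "PID 4752 wrote to memory of 3084 4752 7d495052aac7e42df01f5a6cb0a24930N.exe hurok.exe",
    "PID 4752 wrote to memory of 3084 4752 7d495052aac7e42df01f5a6cb0a24930N.exe hurok.exe",
    "PID 4752 wrote to memory of 3084 4752 7d495052aac7e42df01f5a6cb0a24930N.exe hurok.exe",
]

# Row shapes as they appear in the report: "<description> <ioc> <process>".
REG_RE = re.compile(r"^Key (value queried|opened) (\\REGISTRY\\.+?) (\S+\.exe)$")
MEM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")
USER_SID_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\", re.IGNORECASE)

# Assumed mapping (example's own choice) from normalized key to ATT&CK technique.
TECHNIQUES = {
    r"HKCU\Control Panel\International\Geo\Nation": "T1614",         # System Location Discovery
    r"HKLM\SYSTEM\ControlSet001\Control\NLS\Language": "T1614.001",  # System Language Discovery
}


def normalize_key(path: str) -> str:
    """Map NT-native registry paths to HKCU/HKLM form, dropping the per-host user SID."""
    if USER_SID_RE.match(path):
        return "HKCU\\" + USER_SID_RE.sub("", path, count=1)
    machine = "\\REGISTRY\\MACHINE\\"
    if path.upper().startswith(machine):
        return "HKLM\\" + path[len(machine):]
    return path


def parse_line(line: str):
    """Return a structured event for a known row shape, or None for anything else."""
    m = REG_RE.match(line)
    if m:
        op, key, proc = m.groups()
        return {"type": "registry", "op": op, "key": normalize_key(key), "process": proc}
    m = MEM_RE.match(line)
    if m:
        src, dst, _src_again, src_name, dst_name = m.groups()
        return {"type": "memwrite", "src": int(src), "dst": int(dst),
                "src_name": src_name, "dst_name": dst_name}
    return None


def summarize(lines):
    """Aggregate parsed rows: pid->name map, keys per process, write counts, techniques."""
    procs = {}
    keys_by_proc = defaultdict(set)
    writes = Counter()
    for event in filter(None, map(parse_line, lines)):
        if event["type"] == "registry":
            keys_by_proc[event["process"]].add(event["key"])
        else:
            procs[event["src"]] = event["src_name"]
            procs[event["dst"]] = event["dst_name"]
            writes[(event["src"], event["dst"])] += 1
    techniques = {TECHNIQUES[k] for keys in keys_by_proc.values() for k in keys if k in TECHNIQUES}
    # Memory writes are counted but deliberately not mapped to a technique:
    # parent-to-child writes at spawn time also occur in ordinary process creation.
    return {
        "processes": procs,
        "registry": dict(keys_by_proc),
        "memory_writes": dict(writes),
        "techniques": sorted(techniques),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(REPORT_LINES))
```

Run it as a script to see the summary for this report: both processes read the same two keys, the only memory writes are the three from 4752 into 3084, and the registry keys map to T1614 and T1614.001. Swap `REPORT_LINES` for rows copied from another report of the same format to compare indicators across samples.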
Processes
1. C:\Users\Admin\AppData\Local\Temp\7d495052aac7e42df01f5a6cb0a24930N.exe (PID 4752)
   command line: "C:\Users\Admin\AppData\Local\Temp\7d495052aac7e42df01f5a6cb0a24930N.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\hurok.exe (PID 3084, child of 4752)
      command line: "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\hurok.exe
  Filesize: 39KB
  MD5: 42431181456c66589b0fe0d408aa74c9
  SHA1: 12527c07aad3308222b17808bb7daabb4baa673c
  SHA256: 5821819cb2632c7b8af956e8ef46414324d21dbf9d5b56c2d60b98602b752605
  SHA512: 2ffbb51d5e08b86143456d70ebf459d2051bfbf686d77a69ef8cc79f4cb90ce2a5c388ebcd2426f0fe903ac0939de4c3f711a0d7103e9416d850f8e43e4d0eb0
  Same size as the submitted sample (39KB) but with different hashes, so the dropped file is not a byte-identical copy of it.
memory/3084-25-0x00000000020C0000-0x00000000020C6000-memory.dmp
  Filesize: 24KB
memory/4752-0-0x00000000005F0000-0x00000000005F6000-memory.dmp
  Filesize: 24KB
memory/4752-1-0x00000000005F0000-0x00000000005F6000-memory.dmp
  Filesize: 24KB
memory/4752-2-0x0000000000400000-0x0000000000406000-memory.dmp
  Filesize: 24KB