253de8145c186c3d3ff60304eab1f23f4fdd50eb38a212c94847578226af433c

Analysis

max time kernel
135s
max time network
140s
platform
windows7_x64
resource
win7v20201028
submitted
15-03-2021 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5.exe
Size

1005KB
MD5

9c7795073fe543136748180a9d22abec
SHA1

3b1ffb90e59e01d33444ca5516321cebd55a2e7c
SHA256

080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5
SHA512

363dd2f8775b766fcf14f5aa629dbb36e169d45bf0091814ad3ed0f5d0a787a3eb35758eef3bfd55325eabcf7576f3bd009e7408d17b4569d1ea92d3db9a746f

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

budha.exe

pid process

1264 budha.exe
Loads dropped DLL 1 IoCs

Processes:

080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5.exe

pid process

1616 080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1264	budha.exe

pid	process
1616	080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5.exe

description	pid	process	target process
PID 1616 wrote to memory of 1264	1616	080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5.exe	budha.exe
PID 1616 wrote to memory of 1264	1616	080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5.exe	budha.exe
PID 1616 wrote to memory of 1264	1616	080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5.exe	budha.exe
PID 1616 wrote to memory of 1264	1616	080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5.exe	budha.exe

C:\Users\Admin\AppData\Local\Temp\080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5.exe
"C:\Users\Admin\AppData\Local\Temp\080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
2⤵
- Executes dropped EXE
PID:1264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe
MD5
2f3d2a9aa670513ffec1d13e24554649

SHA1
e43ece602174a5ba250f0aca3ff6faf27450a19e

SHA256
8a942e73acadc477d2aa5d419accd1cd2e933355abb2b972f1085da37e8ddba5

SHA512
0e94a1202dbece5db1018b7fe81edbe692ffa7e2f171c05f6b5099b9a0706f94ea0b942184c9982216f2779a93e8fb5c1b290a0e632bac5118e83f411e2a5659

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe
MD5
2f3d2a9aa670513ffec1d13e24554649

SHA1
e43ece602174a5ba250f0aca3ff6faf27450a19e

SHA256
8a942e73acadc477d2aa5d419accd1cd2e933355abb2b972f1085da37e8ddba5

SHA512
0e94a1202dbece5db1018b7fe81edbe692ffa7e2f171c05f6b5099b9a0706f94ea0b942184c9982216f2779a93e8fb5c1b290a0e632bac5118e83f411e2a5659

Download Submit
\Users\Admin\AppData\Local\Temp\budha.exe
MD5
2f3d2a9aa670513ffec1d13e24554649

SHA1
e43ece602174a5ba250f0aca3ff6faf27450a19e

SHA256
8a942e73acadc477d2aa5d419accd1cd2e933355abb2b972f1085da37e8ddba5

SHA512
0e94a1202dbece5db1018b7fe81edbe692ffa7e2f171c05f6b5099b9a0706f94ea0b942184c9982216f2779a93e8fb5c1b290a0e632bac5118e83f411e2a5659

Download Submit
memory/860-12-0x000007FEF7BD0000-0x000007FEF7E4A000-memory.dmp

Filesize
2.5MB

Download
memory/1264-6-0x0000000000000000-mapping.dmp

Download
memory/1264-10-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/1264-11-0x00000000027C0000-0x0000000002BC0000-memory.dmp

Filesize
4.0MB

Download
memory/1616-2-0x00000000765A1000-0x00000000765A3000-memory.dmp

Filesize
8KB

Download
memory/1616-3-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1616-4-0x0000000002770000-0x0000000002B70000-memory.dmp

Filesize
4.0MB

Download