253de8145c186c3d3ff60304eab1f23f4fdd50eb38a212c94847578226af433c

Analysis

Target

080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5.exe
Size

1005KB
MD5

9c7795073fe543136748180a9d22abec
SHA1

3b1ffb90e59e01d33444ca5516321cebd55a2e7c
SHA256

080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5
SHA512

363dd2f8775b766fcf14f5aa629dbb36e169d45bf0091814ad3ed0f5d0a787a3eb35758eef3bfd55325eabcf7576f3bd009e7408d17b4569d1ea92d3db9a746f

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

budha.exe

pid process

2832 budha.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2832	budha.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5.exe

description	pid	process	target process
PID 1032 wrote to memory of 2832	1032	080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5.exe	budha.exe
PID 1032 wrote to memory of 2832	1032	080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5.exe	budha.exe
PID 1032 wrote to memory of 2832	1032	080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5.exe	budha.exe

C:\Users\Admin\AppData\Local\Temp\080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5.exe
"C:\Users\Admin\AppData\Local\Temp\080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
2⤵
- Executes dropped EXE
PID:2832

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Users\Admin\AppData\Local\Temp\budha.exe
MD5
2f3d2a9aa670513ffec1d13e24554649

SHA1
e43ece602174a5ba250f0aca3ff6faf27450a19e

SHA256
8a942e73acadc477d2aa5d419accd1cd2e933355abb2b972f1085da37e8ddba5

SHA512
0e94a1202dbece5db1018b7fe81edbe692ffa7e2f171c05f6b5099b9a0706f94ea0b942184c9982216f2779a93e8fb5c1b290a0e632bac5118e83f411e2a5659

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe
MD5
2f3d2a9aa670513ffec1d13e24554649

SHA1
e43ece602174a5ba250f0aca3ff6faf27450a19e

SHA256
8a942e73acadc477d2aa5d419accd1cd2e933355abb2b972f1085da37e8ddba5

SHA512
0e94a1202dbece5db1018b7fe81edbe692ffa7e2f171c05f6b5099b9a0706f94ea0b942184c9982216f2779a93e8fb5c1b290a0e632bac5118e83f411e2a5659

Download Submit
memory/1032-5-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1032-6-0x0000000002610000-0x0000000002A10000-memory.dmp

Filesize
4.0MB

Download
memory/2832-2-0x0000000000000000-mapping.dmp

Download
memory/2832-7-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/2832-8-0x0000000002530000-0x0000000002930000-memory.dmp

Filesize
4.0MB

Download