Analysis
- max time kernel: 69s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2022 03:38
Static task: static1
Behavioral task: behavioral1
- Sample: 73ce7739313a6223e66ebcecb1ab11405e8b9d48d3594c34ab97fefed5322d8a.exe
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 73ce7739313a6223e66ebcecb1ab11405e8b9d48d3594c34ab97fefed5322d8a.exe
- Resource: win10v2004-20220722-en
General
- Target: 73ce7739313a6223e66ebcecb1ab11405e8b9d48d3594c34ab97fefed5322d8a.exe
- Size: 29KB
- MD5: 5663ffc39db0dc4db347f445d1ea8b14
- SHA1: 6fc9e7f024ca824ae533aac845d56dca2f2c23fd
- SHA256: 73ce7739313a6223e66ebcecb1ab11405e8b9d48d3594c34ab97fefed5322d8a
- SHA512: 9c443603b4fa68842d6b07e330868caa03314b3d1fa76dceb8de636f60547d61d0b85db10b35a71c51ee3ddaa2cf15ac31dd3dc32cf16f12e109661ed6123d1a
Malware Config
Signatures
- suricata: ET MALWARE Common Upatre Header Structure 2
- suricata: ET MALWARE Downloader (P2P Zeus dropper UA)
-
- Executes dropped EXE (1 IoC)
  Processes: PID 968, budha.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: key value queried by 73ce7739313a6223e66ebcecb1ab11405e8b9d48d3594c34ab97fefed5322d8a.exe: \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The signature's generic description reads "likely ransomware behaviour", but no process IoC is recorded for it in this run, and the network signatures above (Upatre header, P2P Zeus dropper user agent) together with the dropped second stage point to a downloader rather than a ransomware payload.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 2548 (73ce7739313a6223e66ebcecb1ab11405e8b9d48d3594c34ab97fefed5322d8a.exe) wrote to the memory of PID 968 (budha.exe); the same parent-to-child write is recorded three times.
Processes
- C:\Users\Admin\AppData\Local\Temp\73ce7739313a6223e66ebcecb1ab11405e8b9d48d3594c34ab97fefed5322d8a.exe "C:\Users\Admin\AppData\Local\Temp\73ce7739313a6223e66ebcecb1ab11405e8b9d48d3594c34ab97fefed5322d8a.exe" (PID 2548, depth 1)
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\budha.exe "C:\Users\Admin\AppData\Local\Temp\budha.exe" (PID 968, depth 2)
    - Executes dropped EXE
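The behaviours flagged above form a short chain: a dropper running from %TEMP% reads the Geo\Nation registry value, writes a second executable into %TEMP%, starts it, and then writes into the child's memory. The Python below turns that chain into triage rules and runs them over a constructed event stream. It is an added example, not output of the sandbox and not code from the sample; the events use an assumed simplified EDR-style schema (`process_create`, `registry_query`, `file_create`, `process_access`) rather than any vendor's format, the PIDs and paths mirror this report's process tree, and the SHA256 table is copied from the hashes listed on this page.

```python
"""Triage rules derived from the report's signatures. Added example; the
event records are constructed, not real sandbox or endpoint telemetry."""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# SHA256 values copied from the report (the sample and the dropped budha.exe).
KNOWN_SHA256 = {
    "73ce7739313a6223e66ebcecb1ab11405e8b9d48d3594c34ab97fefed5322d8a": "sample",
    "d28d0ddd1d6f1657fab0e8e18e99a65ca292dab68dfa3e87c509b0b2dfd8993a": "budha.exe (dropped)",
}

TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
GEO_NATION_RE = re.compile(r"\\control panel\\international\\geo\\nation$", re.IGNORECASE)
PROCESS_VM_WRITE = 0x0020  # access-mask bit a process needs before WriteProcessMemory succeeds

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\73ce7739313a6223e66ebcecb1ab11405e8b9d48d3594c34ab97fefed5322d8a.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\budha.exe"
GEO_KEY = r"\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation"

# Constructed events in an assumed simplified schema. PIDs and paths follow the
# report's process tree; the notepad.exe entries are added as a benign negative case.
EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 2548, "ppid": 1200, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "registry_query", "pid": 2548, "key": GEO_KEY},
    {"type": "file_create", "pid": 2548, "path": DROPPED},
    {"type": "process_create", "pid": 968, "ppid": 2548, "image": DROPPED, "parent_image": SAMPLE},
    {"type": "process_access", "pid": 2548, "target_pid": 968, "granted_access": 0x1FFFFF},
    {"type": "process_create", "pid": 3000, "ppid": 1200, "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_access", "pid": 1200, "target_pid": 3000, "granted_access": 0x1000},  # query-only access
]


def dropped_exe_executions(events: List[Dict]) -> List[Tuple[int, int, str]]:
    """Child started from %TEMP% by a parent that also runs from %TEMP% and that
    wrote the child's image to disk earlier in the same stream ("Executes dropped EXE")."""
    written = set()
    hits = []
    for e in events:
        if e["type"] == "file_create":
            written.add((e["pid"], e["path"].lower()))
        elif (e["type"] == "process_create"
              and TEMP_RE.match(e["image"]) and TEMP_RE.match(e["parent_image"])
              and (e["ppid"], e["image"].lower()) in written):
            hits.append((e["ppid"], e["pid"], e["image"]))
    return hits


def geofence_checks(events: List[Dict]) -> List[int]:
    """PIDs that read the Geo\\Nation value ("Checks computer location settings")."""
    return [e["pid"] for e in events
            if e["type"] == "registry_query" and GEO_NATION_RE.search(e["key"])]


def writes_into_own_child(events: List[Dict]) -> List[Tuple[int, int]]:
    """Process opens a child it spawned with PROCESS_VM_WRITE in the granted mask
    (the observable precondition for the WriteProcessMemory calls in the report)."""
    children = {(e["ppid"], e["pid"]) for e in events if e["type"] == "process_create"}
    return [(e["pid"], e["target_pid"]) for e in events
            if e["type"] == "process_access"
            and e["granted_access"] & PROCESS_VM_WRITE
            and (e["pid"], e["target_pid"]) in children]


def dropper_chain_pids(events: List[Dict]) -> List[int]:
    """PIDs showing all three behaviours, i.e. the full chain this report describes."""
    droppers = {parent for parent, _child, _image in dropped_exe_executions(events)}
    geo = set(geofence_checks(events))
    writers = {writer for writer, _target in writes_into_own_child(events)}
    return sorted(droppers & geo & writers)


def known_hash_label(data: bytes) -> Optional[str]:
    """Label a file's contents if its SHA256 is one of the report's indicators."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    print("dropped EXE executions:", dropped_exe_executions(EVENTS))
    print("geofence checks by PID:", geofence_checks(EVENTS))
    print("writes into own child:", writes_into_own_child(EVENTS))
    print("dropper chain PIDs:", dropper_chain_pids(EVENTS))
```

One caveat when porting these rules from sandbox output to endpoint telemetry: the sandbox sees API calls, so it records the RegQueryValue of Geo\Nation directly, but Sysmon only logs registry key create/delete, value set and rename, not reads, so the geofence rule needs API-level or EDR telemetry. The %TEMP%-to-%TEMP% parent/child rule and the process-access rule (Sysmon Event 10, GrantedAccess including 0x20) are the parts that transfer to hosts as written.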
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  Filesize: 30KB
  MD5: 10b18ff450a41b41082fd2e88c6a2dbe
  SHA1: c7e9a1cfb20ba9ef0cf3ded0230a0379014b5452
  SHA256: d28d0ddd1d6f1657fab0e8e18e99a65ca292dab68dfa3e87c509b0b2dfd8993a
  SHA512: 4231b45c37e21aa8b3a5ca7f21e64e740335addd1d85213a41b53338594f2e84217a717dddd9eaa880d647e65483a911e9a53c39abc654d304d3c917a4405594
- memory/968-132-0x0000000000000000-mapping.dmp