af4610fa395606506f7149df0cde1a69f1786aea3e5a333b552d8c0b3e31d45e

Analysis

max time kernel
151s
max time network
188s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af4610fa395606506f7149df0cde1a69f1786aea3e5a333b552d8c0b3e31d45e.exe
Size

18KB
MD5

63ed355ea9faacc949575918542bc4f3
SHA1

e47160aba7dfde9c0e4ece9539bc134009f1f211
SHA256

af4610fa395606506f7149df0cde1a69f1786aea3e5a333b552d8c0b3e31d45e
SHA512

cb4abd4e620ebe9914b0d283462378a6804fc9e6274a395bdeb2830cfccdbefb66b21183a467a1de601b5cd311026665d22dea1bf887d7035d50b3ac9a43ad0e
SSDEEP

192:WLg10F61GImYW6D27vjnzro8ZuUCi9DR8vkBDjMns2LmlGxKRqMhSdr6:aga61Kbz0quUZR8vkRuylpRwh6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1136	budha.exe

Loads dropped DLL 1 IoCs

pid	Process
1712	af4610fa395606506f7149df0cde1a69f1786aea3e5a333b552d8c0b3e31d45e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1136	1712	af4610fa395606506f7149df0cde1a69f1786aea3e5a333b552d8c0b3e31d45e.exe	27
PID 1712 wrote to memory of 1136	1712	af4610fa395606506f7149df0cde1a69f1786aea3e5a333b552d8c0b3e31d45e.exe	27
PID 1712 wrote to memory of 1136	1712	af4610fa395606506f7149df0cde1a69f1786aea3e5a333b552d8c0b3e31d45e.exe	27
PID 1712 wrote to memory of 1136	1712	af4610fa395606506f7149df0cde1a69f1786aea3e5a333b552d8c0b3e31d45e.exe	27

C:\Users\Admin\AppData\Local\Temp\af4610fa395606506f7149df0cde1a69f1786aea3e5a333b552d8c0b3e31d45e.exe
"C:\Users\Admin\AppData\Local\Temp\af4610fa395606506f7149df0cde1a69f1786aea3e5a333b552d8c0b3e31d45e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:1136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
18KB

MD5
dcb4710d20aa58855f0752e2cfaee720

SHA1
276c7de9900c57b5e9b9c2f3db79cb8f7dab36f3

SHA256
39495a12f7b571dc047c4a0c508392efc0eed1fbdf322d17be4e1de083407d19

SHA512
06a181a6b29c6821a73c77230e7ead4d4a53a358f26f716c1986174fc9b06b1cdcb39198bd566c72f20d13953670c4b830b127b4b3361c59b0ecc732682422de

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
18KB

MD5
dcb4710d20aa58855f0752e2cfaee720

SHA1
276c7de9900c57b5e9b9c2f3db79cb8f7dab36f3

SHA256
39495a12f7b571dc047c4a0c508392efc0eed1fbdf322d17be4e1de083407d19

SHA512
06a181a6b29c6821a73c77230e7ead4d4a53a358f26f716c1986174fc9b06b1cdcb39198bd566c72f20d13953670c4b830b127b4b3361c59b0ecc732682422de

Download Submit
\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
18KB

MD5
dcb4710d20aa58855f0752e2cfaee720

SHA1
276c7de9900c57b5e9b9c2f3db79cb8f7dab36f3

SHA256
39495a12f7b571dc047c4a0c508392efc0eed1fbdf322d17be4e1de083407d19

SHA512
06a181a6b29c6821a73c77230e7ead4d4a53a358f26f716c1986174fc9b06b1cdcb39198bd566c72f20d13953670c4b830b127b4b3361c59b0ecc732682422de

Download Submit
memory/1136-63-0x0000000001EA0000-0x0000000001EA7000-memory.dmp

Filesize
28KB

Download
memory/1136-64-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1136-65-0x0000000001EA0000-0x0000000001EA7000-memory.dmp

Filesize
28KB

Download
memory/1712-54-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1712-55-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/1712-60-0x0000000000530000-0x0000000000537000-memory.dmp

Filesize
28KB

Download
memory/1712-59-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download