2a95aa74af846a78b9fcb00de2683d20fbb1cd25c957739e5c9511fd3581c69e

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 23:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2a95aa74af846a78b9fcb00de2683d20fbb1cd25c957739e5c9511fd3581c69e.exe
Size

19KB
MD5

91d29d6ad3c7732866e720da74201240
SHA1

9f0989692e0fa18166896d59e34192f68cc427fd
SHA256

2a95aa74af846a78b9fcb00de2683d20fbb1cd25c957739e5c9511fd3581c69e
SHA512

a8890dfa4b01226fcc9285c3755bd9138d15d5d21fe929a7839727dcf5adec1d81b0a687b1614f2b51a008620b74f3d3e79481c4239fb7b103cfbbd62134c7dd
SSDEEP

384:rlVIseiZokXecT58ewWdFeFmOniCyweCvklV4h0uNWi:rlSseUokuc3jJX94uuAi

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1688	budha.exe

Loads dropped DLL 1 IoCs

pid	Process
2032	2a95aa74af846a78b9fcb00de2683d20fbb1cd25c957739e5c9511fd3581c69e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1688	2032	2a95aa74af846a78b9fcb00de2683d20fbb1cd25c957739e5c9511fd3581c69e.exe	27
PID 2032 wrote to memory of 1688	2032	2a95aa74af846a78b9fcb00de2683d20fbb1cd25c957739e5c9511fd3581c69e.exe	27
PID 2032 wrote to memory of 1688	2032	2a95aa74af846a78b9fcb00de2683d20fbb1cd25c957739e5c9511fd3581c69e.exe	27
PID 2032 wrote to memory of 1688	2032	2a95aa74af846a78b9fcb00de2683d20fbb1cd25c957739e5c9511fd3581c69e.exe	27

C:\Users\Admin\AppData\Local\Temp\2a95aa74af846a78b9fcb00de2683d20fbb1cd25c957739e5c9511fd3581c69e.exe
"C:\Users\Admin\AppData\Local\Temp\2a95aa74af846a78b9fcb00de2683d20fbb1cd25c957739e5c9511fd3581c69e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
19KB

MD5
5c24c3ac59878084ed9ee08f40eb0233

SHA1
19b66cfe95f1031d6e5ea1986cdbb06a2ad9b1f2

SHA256
b41039a8eac716e62c5a890e750944d8e6ed8a525d1906d81a4332a1ebd81da1

SHA512
f8722ffc18d7fb96dfcf7248eb168b758cfc66a617c378e7de85614a239643360325e1c21dc3cc429e0a435bc07f3ab7c29bf3c629f80d92fb853360e0f75bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
19KB

MD5
5c24c3ac59878084ed9ee08f40eb0233

SHA1
19b66cfe95f1031d6e5ea1986cdbb06a2ad9b1f2

SHA256
b41039a8eac716e62c5a890e750944d8e6ed8a525d1906d81a4332a1ebd81da1

SHA512
f8722ffc18d7fb96dfcf7248eb168b758cfc66a617c378e7de85614a239643360325e1c21dc3cc429e0a435bc07f3ab7c29bf3c629f80d92fb853360e0f75bf3

Download Submit
\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
19KB

MD5
5c24c3ac59878084ed9ee08f40eb0233

SHA1
19b66cfe95f1031d6e5ea1986cdbb06a2ad9b1f2

SHA256
b41039a8eac716e62c5a890e750944d8e6ed8a525d1906d81a4332a1ebd81da1

SHA512
f8722ffc18d7fb96dfcf7248eb168b758cfc66a617c378e7de85614a239643360325e1c21dc3cc429e0a435bc07f3ab7c29bf3c629f80d92fb853360e0f75bf3

Download Submit
memory/1688-62-0x0000000001CE0000-0x0000000001CE7000-memory.dmp

Filesize
28KB

Download
memory/1688-63-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2032-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/2032-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2032-59-0x0000000001D20000-0x0000000001D27000-memory.dmp

Filesize
28KB

Download