51751f133ff7a10b1f75e1348b7dce9ba4d5a3ab6086f55d1257163382745c9c

Analysis

max time kernel
22s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51751f133ff7a10b1f75e1348b7dce9ba4d5a3ab6086f55d1257163382745c9c.exe
Size

20KB
MD5

a25e80824a64d7d014271aab082e8250
SHA1

1ba250610e276e5ab57ebac674e035894a4f8980
SHA256

51751f133ff7a10b1f75e1348b7dce9ba4d5a3ab6086f55d1257163382745c9c
SHA512

392c250c3498a8b13b83c1196060ac0cfd76fcdc66ded769885638c3c0fe8e1b39c5028bb3d9a6bf2b56794ba7b80f356ec055becf6e21d8a884a12f75140aed
SSDEEP

384:QfGJYAu8BSohFK8raFbW46Uj850fEvkjeJYFfCR2z:QfGy9mvhFZ74XLfEEawz

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
612	budha.exe

Loads dropped DLL 1 IoCs

pid	Process
1996	51751f133ff7a10b1f75e1348b7dce9ba4d5a3ab6086f55d1257163382745c9c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 612	1996	51751f133ff7a10b1f75e1348b7dce9ba4d5a3ab6086f55d1257163382745c9c.exe	27
PID 1996 wrote to memory of 612	1996	51751f133ff7a10b1f75e1348b7dce9ba4d5a3ab6086f55d1257163382745c9c.exe	27
PID 1996 wrote to memory of 612	1996	51751f133ff7a10b1f75e1348b7dce9ba4d5a3ab6086f55d1257163382745c9c.exe	27
PID 1996 wrote to memory of 612	1996	51751f133ff7a10b1f75e1348b7dce9ba4d5a3ab6086f55d1257163382745c9c.exe	27

C:\Users\Admin\AppData\Local\Temp\51751f133ff7a10b1f75e1348b7dce9ba4d5a3ab6086f55d1257163382745c9c.exe
"C:\Users\Admin\AppData\Local\Temp\51751f133ff7a10b1f75e1348b7dce9ba4d5a3ab6086f55d1257163382745c9c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
20KB

MD5
4c67ca28a99447069e4d4b638696af80

SHA1
51a3a81d96a4adb78f8ddeb6dcac4665156c68b9

SHA256
cf440bccc5212279caf966c94928c65d69910f11b78914d9e2da3b256e6bbcec

SHA512
c0d9d1bb18b7ab0a045d0a188f363d18e998323ec515559d0947498dd123dc234097340a2f9e781f3f69dbfafc301a7d427f06a0c1f97c14050c7ba85cbbe0f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
20KB

MD5
4c67ca28a99447069e4d4b638696af80

SHA1
51a3a81d96a4adb78f8ddeb6dcac4665156c68b9

SHA256
cf440bccc5212279caf966c94928c65d69910f11b78914d9e2da3b256e6bbcec

SHA512
c0d9d1bb18b7ab0a045d0a188f363d18e998323ec515559d0947498dd123dc234097340a2f9e781f3f69dbfafc301a7d427f06a0c1f97c14050c7ba85cbbe0f0

Download Submit
\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
20KB

MD5
4c67ca28a99447069e4d4b638696af80

SHA1
51a3a81d96a4adb78f8ddeb6dcac4665156c68b9

SHA256
cf440bccc5212279caf966c94928c65d69910f11b78914d9e2da3b256e6bbcec

SHA512
c0d9d1bb18b7ab0a045d0a188f363d18e998323ec515559d0947498dd123dc234097340a2f9e781f3f69dbfafc301a7d427f06a0c1f97c14050c7ba85cbbe0f0

Download Submit
memory/612-63-0x0000000001CE0000-0x0000000001CE7000-memory.dmp

Filesize
28KB

Download
memory/612-64-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1996-54-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1996-55-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1996-59-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1996-60-0x0000000001CA0000-0x0000000001CA7000-memory.dmp

Filesize
28KB

Download