20391c386a164399d2d5f3f6d2e3cf3044363ae0086a10a09c7d73601cffd21a

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/10/2022, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20391c386a164399d2d5f3f6d2e3cf3044363ae0086a10a09c7d73601cffd21a.exe
Size

21KB
MD5

0ddea98b3954f7b9f85a739c1ce2962a
SHA1

72e28564edc89135668ad22fea1aadba28000e38
SHA256

20391c386a164399d2d5f3f6d2e3cf3044363ae0086a10a09c7d73601cffd21a
SHA512

d33ef37c9084f49166832f6a495646f31230a2791b4429d5186e72c2f67009844d89014a2fc1d0e7b8256c20aec1761f53bbb153561371baa3967dd75caac915
SSDEEP

384:qfRJYAySsaRbAEJb/0rZRwZBgs3CVyu850fEvkjzJYFedvKUm4N:qfRygBbJj0dRwzgvysfjEe4C

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1720	budha.exe

Loads dropped DLL 1 IoCs

pid	Process
1708	20391c386a164399d2d5f3f6d2e3cf3044363ae0086a10a09c7d73601cffd21a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1720	1708	20391c386a164399d2d5f3f6d2e3cf3044363ae0086a10a09c7d73601cffd21a.exe	26
PID 1708 wrote to memory of 1720	1708	20391c386a164399d2d5f3f6d2e3cf3044363ae0086a10a09c7d73601cffd21a.exe	26
PID 1708 wrote to memory of 1720	1708	20391c386a164399d2d5f3f6d2e3cf3044363ae0086a10a09c7d73601cffd21a.exe	26
PID 1708 wrote to memory of 1720	1708	20391c386a164399d2d5f3f6d2e3cf3044363ae0086a10a09c7d73601cffd21a.exe	26

C:\Users\Admin\AppData\Local\Temp\20391c386a164399d2d5f3f6d2e3cf3044363ae0086a10a09c7d73601cffd21a.exe
"C:\Users\Admin\AppData\Local\Temp\20391c386a164399d2d5f3f6d2e3cf3044363ae0086a10a09c7d73601cffd21a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
22KB

MD5
a8ba480f28445d0c1f35f691ffa777da

SHA1
5f31a3b4783664688059244297dfe179d6a3771a

SHA256
6d7bd58a59c85e36e3bc844f10be561c22e5c117662a1368a1a6b4bab502a374

SHA512
b268253bad7ee0885516efb75c45fe42dd196248a19c8bffe7f928186d5c0ab543277c3a9131aeef65fcec4c14839bd045c1b9e2717a984090a4dfc3b97be787

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
22KB

MD5
a8ba480f28445d0c1f35f691ffa777da

SHA1
5f31a3b4783664688059244297dfe179d6a3771a

SHA256
6d7bd58a59c85e36e3bc844f10be561c22e5c117662a1368a1a6b4bab502a374

SHA512
b268253bad7ee0885516efb75c45fe42dd196248a19c8bffe7f928186d5c0ab543277c3a9131aeef65fcec4c14839bd045c1b9e2717a984090a4dfc3b97be787

Download Submit
\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
22KB

MD5
a8ba480f28445d0c1f35f691ffa777da

SHA1
5f31a3b4783664688059244297dfe179d6a3771a

SHA256
6d7bd58a59c85e36e3bc844f10be561c22e5c117662a1368a1a6b4bab502a374

SHA512
b268253bad7ee0885516efb75c45fe42dd196248a19c8bffe7f928186d5c0ab543277c3a9131aeef65fcec4c14839bd045c1b9e2717a984090a4dfc3b97be787

Download Submit
memory/1708-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1708-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1708-56-0x0000000001BD0000-0x0000000001BD7000-memory.dmp

Filesize
28KB

Download
memory/1720-62-0x0000000001CE0000-0x0000000001CE7000-memory.dmp

Filesize
28KB

Download
memory/1720-63-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1720-64-0x0000000001CE0000-0x0000000001CE7000-memory.dmp

Filesize
28KB

Download