9d277f466918cf3ae3d3559a8fc4398ae99fc09256dbda356e4564c0b183095c

Analysis

max time kernel
119s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d277f466918cf3ae3d3559a8fc4398ae99fc09256dbda356e4564c0b183095c.exe
Size

18KB
MD5

a39fe220372d51a7dfa8e8034cce37e0
SHA1

834e93b93edd0cdd80f7089d623f87a330d91777
SHA256

9d277f466918cf3ae3d3559a8fc4398ae99fc09256dbda356e4564c0b183095c
SHA512

f815ad6d34f2d82109fe2f9f4be98f9071a1181b6747a974a08af4bf3856dcfaaceafffdb59283b752613b62cd6688333d385e362265f4d01ae0007fd77c975b
SSDEEP

384:fY/7iMmQgVC+02JWuCSPmSQTebw/UqFPpF5k:y12JTPRQTeZq1S

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3168	budha.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	9d277f466918cf3ae3d3559a8fc4398ae99fc09256dbda356e4564c0b183095c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 3168	2276	9d277f466918cf3ae3d3559a8fc4398ae99fc09256dbda356e4564c0b183095c.exe	83
PID 2276 wrote to memory of 3168	2276	9d277f466918cf3ae3d3559a8fc4398ae99fc09256dbda356e4564c0b183095c.exe	83
PID 2276 wrote to memory of 3168	2276	9d277f466918cf3ae3d3559a8fc4398ae99fc09256dbda356e4564c0b183095c.exe	83

C:\Users\Admin\AppData\Local\Temp\9d277f466918cf3ae3d3559a8fc4398ae99fc09256dbda356e4564c0b183095c.exe
"C:\Users\Admin\AppData\Local\Temp\9d277f466918cf3ae3d3559a8fc4398ae99fc09256dbda356e4564c0b183095c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:3168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
19KB

MD5
9007951f0bad75da2204abf5959fd7ae

SHA1
2637f1978c9901d6da0f7ec23730c95254e0d097

SHA256
ff7a78f86ad27972bd811cb179bffec56ec35e20d492c7a34fc00c9dc1b794af

SHA512
67f2207c3a7915ea496f467eb0ed4a19d00927b93e4ffd2fbcaf7b26ec158a77d37a23cd60270c86c4e6161727051ce8deb1ba89dab36f3a4c511c4640da8b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
19KB

MD5
9007951f0bad75da2204abf5959fd7ae

SHA1
2637f1978c9901d6da0f7ec23730c95254e0d097

SHA256
ff7a78f86ad27972bd811cb179bffec56ec35e20d492c7a34fc00c9dc1b794af

SHA512
67f2207c3a7915ea496f467eb0ed4a19d00927b93e4ffd2fbcaf7b26ec158a77d37a23cd60270c86c4e6161727051ce8deb1ba89dab36f3a4c511c4640da8b88

Download Submit
memory/2276-132-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2276-133-0x00000000026B0000-0x0000000002AB0000-memory.dmp

Filesize
4.0MB

Download
memory/2276-137-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3168-138-0x0000000002620000-0x0000000002A20000-memory.dmp

Filesize
4.0MB

Download
memory/3168-139-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download