047f254f302501fff58b4d20d36e4fcd023e93a7d42765f522e957b41559f4e2

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 14:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

047f254f302501fff58b4d20d36e4fcd023e93a7d42765f522e957b41559f4e2.exe
Size

23KB
MD5

0a33b212e6e56c8bfc27d262ce6566d0
SHA1

e826d2f22de8efd57cc92cde652c9f9de4ff7c67
SHA256

047f254f302501fff58b4d20d36e4fcd023e93a7d42765f522e957b41559f4e2
SHA512

3bf80186665cba460d46f96f8f4d35ff0de19a8d78664814d0cae0ea435d78124eb91f632bb04abecfb84650f20401847849fa3c95ceccd0989d69f7472e1576
SSDEEP

384:LnK3FwyIzA8750vxrklCKj75b/TY943eNYyAFjpRn4W2ffn5sUN:jK3CAe0vxrkl71b/s94qY3FjH4B5sUN

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
260	budha.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	047f254f302501fff58b4d20d36e4fcd023e93a7d42765f522e957b41559f4e2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 260	2884	047f254f302501fff58b4d20d36e4fcd023e93a7d42765f522e957b41559f4e2.exe	83
PID 2884 wrote to memory of 260	2884	047f254f302501fff58b4d20d36e4fcd023e93a7d42765f522e957b41559f4e2.exe	83
PID 2884 wrote to memory of 260	2884	047f254f302501fff58b4d20d36e4fcd023e93a7d42765f522e957b41559f4e2.exe	83

C:\Users\Admin\AppData\Local\Temp\047f254f302501fff58b4d20d36e4fcd023e93a7d42765f522e957b41559f4e2.exe
"C:\Users\Admin\AppData\Local\Temp\047f254f302501fff58b4d20d36e4fcd023e93a7d42765f522e957b41559f4e2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
24KB

MD5
e2c0420e21d16f67b3e4da0f0b9a1889

SHA1
93fba71831517c658e1fcaf3ad95eea29e6c47c7

SHA256
f0b1f0aa78bd09afe3a5f80f4e080b00ed2d65e1a5507ac5e2b502581bb624c0

SHA512
2319a5c2a1798911545ac96d376fb5f4cbb39e23ca58a3eed4cb7fee33e902b1d521c8489469eb12381c0403b2da274968bf7ae9e375ec2134efb43f906793f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
24KB

MD5
e2c0420e21d16f67b3e4da0f0b9a1889

SHA1
93fba71831517c658e1fcaf3ad95eea29e6c47c7

SHA256
f0b1f0aa78bd09afe3a5f80f4e080b00ed2d65e1a5507ac5e2b502581bb624c0

SHA512
2319a5c2a1798911545ac96d376fb5f4cbb39e23ca58a3eed4cb7fee33e902b1d521c8489469eb12381c0403b2da274968bf7ae9e375ec2134efb43f906793f4

Download Submit
memory/260-137-0x00000000025C0000-0x00000000029C0000-memory.dmp

Filesize
4.0MB

Download
memory/260-138-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2884-132-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2884-133-0x0000000002600000-0x0000000002A00000-memory.dmp

Filesize
4.0MB

Download