58b266f3a05c772fef1219b90bbf04005bb2a0bf2895e705fff51d325cfc6333

Analysis

max time kernel
180s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.bf938404647d8b925cb7bac8a2a31100.exe
Size

42KB
MD5

bf938404647d8b925cb7bac8a2a31100
SHA1

eb6f3f0303a05df84231e61d8d8b48c8683418e6
SHA256

58b266f3a05c772fef1219b90bbf04005bb2a0bf2895e705fff51d325cfc6333
SHA512

82f56338e3a96a6e0695610d07bc878589b253c6c02fd17617267a7778db85b66ff1685c1e56ccf59134099e2bd7db5df2ae22b4bf39ce2722beb4b7cb6fece6
SSDEEP

384:/opQWRIg8e+6fiXYg2OsalJOmgRIeLgJgokxjBDu+4tBz0clZep9:/0hRvmJOmg6eQgtlCjzzep9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	NEAS.bf938404647d8b925cb7bac8a2a31100.exe

Executes dropped EXE 1 IoCs

pid	Process
952	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 952	3876	NEAS.bf938404647d8b925cb7bac8a2a31100.exe	88
PID 3876 wrote to memory of 952	3876	NEAS.bf938404647d8b925cb7bac8a2a31100.exe	88
PID 3876 wrote to memory of 952	3876	NEAS.bf938404647d8b925cb7bac8a2a31100.exe	88

C:\Users\Admin\AppData\Local\Temp\NEAS.bf938404647d8b925cb7bac8a2a31100.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bf938404647d8b925cb7bac8a2a31100.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
42KB

MD5
3ee740ae2dfad4948fac2769a25f06d0

SHA1
d8191fed2db80d2f611965a63ea9e3bfb50d6292

SHA256
28267a352059cfe0e216a033cb565d51c4ffe8e81c4700d8228b4a218dce68bc

SHA512
931dc661c044418f9ac9a301f6586361b1807d35541e7a089e79e53d92127f4dc7562e0f66099fe108955bceb5ca1902bb6a6261adb5aaf64ea037448cbb1139

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
42KB

MD5
3ee740ae2dfad4948fac2769a25f06d0

SHA1
d8191fed2db80d2f611965a63ea9e3bfb50d6292

SHA256
28267a352059cfe0e216a033cb565d51c4ffe8e81c4700d8228b4a218dce68bc

SHA512
931dc661c044418f9ac9a301f6586361b1807d35541e7a089e79e53d92127f4dc7562e0f66099fe108955bceb5ca1902bb6a6261adb5aaf64ea037448cbb1139

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
42KB

MD5
3ee740ae2dfad4948fac2769a25f06d0

SHA1
d8191fed2db80d2f611965a63ea9e3bfb50d6292

SHA256
28267a352059cfe0e216a033cb565d51c4ffe8e81c4700d8228b4a218dce68bc

SHA512
931dc661c044418f9ac9a301f6586361b1807d35541e7a089e79e53d92127f4dc7562e0f66099fe108955bceb5ca1902bb6a6261adb5aaf64ea037448cbb1139

Download Submit