c9d9cc915602fcf5540710df9b2a6fd121c3fe9f7e1bb1844408a521064121d1

General

Target

NEAS.e8681c98634ee71cd6c416ad31192830.exe
Size

32KB
MD5

e8681c98634ee71cd6c416ad31192830
SHA1

4813a38150e799b126730458e55c8f3e9cc5ae8c
SHA256

c9d9cc915602fcf5540710df9b2a6fd121c3fe9f7e1bb1844408a521064121d1
SHA512

6a10b0524d59b47604299779db9777b01d6f5ab743d02d46918ba842f4a6951a23de7602ac9e33b46a30359e682b67e55b052a65eee76a28c237004b6faee828
SSDEEP

384:fY/7iMmQgVC+02JWuCSPmSQTebw/UqFPpF5bGwpRm7mLZe4NRU:y12JTPRQTeZq1bLcWRU

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	NEAS.e8681c98634ee71cd6c416ad31192830.exe

Executes dropped EXE 1 IoCs

pid	Process
4656	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	budha.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	budha.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	budha.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 4656	3368	NEAS.e8681c98634ee71cd6c416ad31192830.exe	87
PID 3368 wrote to memory of 4656	3368	NEAS.e8681c98634ee71cd6c416ad31192830.exe	87
PID 3368 wrote to memory of 4656	3368	NEAS.e8681c98634ee71cd6c416ad31192830.exe	87

C:\Users\Admin\AppData\Local\Temp\NEAS.e8681c98634ee71cd6c416ad31192830.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e8681c98634ee71cd6c416ad31192830.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DB136E2C60F3CA7EF9C7EAE4269A6A67

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DB136E2C60F3CA7EF9C7EAE4269A6A67

Filesize
414B

MD5
84155a6ee9e831abe083400a084f92fc

SHA1
1088e4f26b189f3ad76bb89154d66ba3af35952e

SHA256
cf446c8d3b4edeae614125e3cd200fc6187239e1864253e9346f976f370c4e7c

SHA512
3ede8e3a1b25f68165b42c43762bc6e7944ba55ebbd5255bf8e07ce311861b58b31b1ff19ec2d15c4be11258c86917104c686e39c084fc357a6b7e70867237de

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
32KB

MD5
55a909333705ff734b3aa991aa764021

SHA1
19afb424caafb884bd783c812a6d9a4aba49e959

SHA256
c299b36e445f848ca392414cfe4945f43ab2fcbce591c320fa82f7ed08c9beac

SHA512
d3a082d2c6570f9066083f4a7b44186619b2b3cfd823a9f9306386efea9f959ff54aafaa12fbc24897be4c16aaabb82cd9a6120979e888658c180af1c8bf1896

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
32KB

MD5
55a909333705ff734b3aa991aa764021

SHA1
19afb424caafb884bd783c812a6d9a4aba49e959

SHA256
c299b36e445f848ca392414cfe4945f43ab2fcbce591c320fa82f7ed08c9beac

SHA512
d3a082d2c6570f9066083f4a7b44186619b2b3cfd823a9f9306386efea9f959ff54aafaa12fbc24897be4c16aaabb82cd9a6120979e888658c180af1c8bf1896

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
32KB

MD5
55a909333705ff734b3aa991aa764021

SHA1
19afb424caafb884bd783c812a6d9a4aba49e959

SHA256
c299b36e445f848ca392414cfe4945f43ab2fcbce591c320fa82f7ed08c9beac

SHA512
d3a082d2c6570f9066083f4a7b44186619b2b3cfd823a9f9306386efea9f959ff54aafaa12fbc24897be4c16aaabb82cd9a6120979e888658c180af1c8bf1896

Download Submit
memory/3368-12-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3368-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3368-3-0x0000000002730000-0x0000000002B30000-memory.dmp

Filesize
4.0MB

Download
memory/3368-1-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/4656-11-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4656-13-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/4656-14-0x0000000002560000-0x0000000002960000-memory.dmp

Filesize
4.0MB

Download
memory/4656-48-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing