25494da3c4fa89573eb07e92d0d7d3c64a8982d6e21ecb95ea0ff1b120e93671

Analysis

max time kernel
146s
max time network
158s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21/10/2023, 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1649ad7a2555d52d11499b2e8e357d40.exe
Size

77KB
MD5

1649ad7a2555d52d11499b2e8e357d40
SHA1

0370fd795790ae2af5416b25ebe8798ac3083f64
SHA256

25494da3c4fa89573eb07e92d0d7d3c64a8982d6e21ecb95ea0ff1b120e93671
SHA512

522e4f7e1df5f6ca46fb62d038165b1bbd37de2f31b64c8d6cb376e27a076aff40576fe673602c7e99bbab017c1b14008a756bfd37256bc8c6df89e00098a0b8
SSDEEP

1536:NB+FC9RntfWeoGiPyCHjKDjfQQQtUetDvF:NB+F8tfPN4yCDKDjfQQQt/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1680	budha.exe

Loads dropped DLL 2 IoCs

pid	Process
2512	NEAS.1649ad7a2555d52d11499b2e8e357d40.exe
2512	NEAS.1649ad7a2555d52d11499b2e8e357d40.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 1680	2512	NEAS.1649ad7a2555d52d11499b2e8e357d40.exe	28
PID 2512 wrote to memory of 1680	2512	NEAS.1649ad7a2555d52d11499b2e8e357d40.exe	28
PID 2512 wrote to memory of 1680	2512	NEAS.1649ad7a2555d52d11499b2e8e357d40.exe	28
PID 2512 wrote to memory of 1680	2512	NEAS.1649ad7a2555d52d11499b2e8e357d40.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.1649ad7a2555d52d11499b2e8e357d40.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1649ad7a2555d52d11499b2e8e357d40.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
77KB

MD5
b8229a2f12f7ba2e4bd218b782f85636

SHA1
f9dc9ee171d6e3ad3840d4fd0845f162594087e9

SHA256
c25ff566c3a7fd86af1c518e5a6e533c4fac319816a9e3c9eef58edc580bf105

SHA512
bf7a80419410a4f8efa357f0990fc4f7918f99bca2da0041473f0fd4e094c47eb5a903df92c36e8cbd189b50dc791c9fec21447d7d30420f15d7c1b8c2c10fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
77KB

MD5
b8229a2f12f7ba2e4bd218b782f85636

SHA1
f9dc9ee171d6e3ad3840d4fd0845f162594087e9

SHA256
c25ff566c3a7fd86af1c518e5a6e533c4fac319816a9e3c9eef58edc580bf105

SHA512
bf7a80419410a4f8efa357f0990fc4f7918f99bca2da0041473f0fd4e094c47eb5a903df92c36e8cbd189b50dc791c9fec21447d7d30420f15d7c1b8c2c10fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
77KB

MD5
b8229a2f12f7ba2e4bd218b782f85636

SHA1
f9dc9ee171d6e3ad3840d4fd0845f162594087e9

SHA256
c25ff566c3a7fd86af1c518e5a6e533c4fac319816a9e3c9eef58edc580bf105

SHA512
bf7a80419410a4f8efa357f0990fc4f7918f99bca2da0041473f0fd4e094c47eb5a903df92c36e8cbd189b50dc791c9fec21447d7d30420f15d7c1b8c2c10fb3

Download Submit
\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
77KB

MD5
b8229a2f12f7ba2e4bd218b782f85636

SHA1
f9dc9ee171d6e3ad3840d4fd0845f162594087e9

SHA256
c25ff566c3a7fd86af1c518e5a6e533c4fac319816a9e3c9eef58edc580bf105

SHA512
bf7a80419410a4f8efa357f0990fc4f7918f99bca2da0041473f0fd4e094c47eb5a903df92c36e8cbd189b50dc791c9fec21447d7d30420f15d7c1b8c2c10fb3

Download Submit
\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
77KB

MD5
b8229a2f12f7ba2e4bd218b782f85636

SHA1
f9dc9ee171d6e3ad3840d4fd0845f162594087e9

SHA256
c25ff566c3a7fd86af1c518e5a6e533c4fac319816a9e3c9eef58edc580bf105

SHA512
bf7a80419410a4f8efa357f0990fc4f7918f99bca2da0041473f0fd4e094c47eb5a903df92c36e8cbd189b50dc791c9fec21447d7d30420f15d7c1b8c2c10fb3

Download Submit
memory/1680-23-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1680-22-0x0000000002660000-0x0000000002A60000-memory.dmp

Filesize
4.0MB

Download
memory/1680-20-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1680-19-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1680-18-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1680-17-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2512-4-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/2512-14-0x0000000002C00000-0x0000000002C1C000-memory.dmp

Filesize
112KB

Download
memory/2512-15-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2512-6-0x0000000002690000-0x0000000002A90000-memory.dmp

Filesize
4.0MB

Download
memory/2512-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2512-3-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2512-1-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2512-2-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download