4f250ee1c0f5f6611b2bd4598aa00c9061b8437467972c0211a0c0a88f7bb398

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 23:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.77dda3d5295da927a602d76d024706f0.exe
Size

117KB
MD5

77dda3d5295da927a602d76d024706f0
SHA1

36007b31de2aaf986a1cc9bbbe8ad94a4ce6e5fb
SHA256

4f250ee1c0f5f6611b2bd4598aa00c9061b8437467972c0211a0c0a88f7bb398
SHA512

925a08f54461cd3bdb99a48853fce20dfec82affc4683f8b56132c33fbdedf312862e42f962c90ffc5a909a06c5de358ad53a2df3ab7cde4cbf742fa96caa534
SSDEEP

384:cZ6ztbnwR2h5+IK67anERYhqt1MFILH/APPY5ItTm4J2Pcj2+8fcxbBcYTB:cZ6JDwRZfhXILHIPPY5mm4J2Pw2DfO3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	NEAS.77dda3d5295da927a602d76d024706f0.exe

Executes dropped EXE 1 IoCs

pid	Process
3928	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 3928	2680	NEAS.77dda3d5295da927a602d76d024706f0.exe	87
PID 2680 wrote to memory of 3928	2680	NEAS.77dda3d5295da927a602d76d024706f0.exe	87
PID 2680 wrote to memory of 3928	2680	NEAS.77dda3d5295da927a602d76d024706f0.exe	87

C:\Users\Admin\AppData\Local\Temp\NEAS.77dda3d5295da927a602d76d024706f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.77dda3d5295da927a602d76d024706f0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
117KB

MD5
637bdee5410ad9e931864d3ce32fcd17

SHA1
80cf24bbf0dc7e4f504718099d0c2e557cbc2d1c

SHA256
602ae6a0994e239b7cf74b237a668971e8a5b4c77b44aabe0fa5104704f9573a

SHA512
5ae150ac6d5b601f044c09af7ef778c8dd7abb5e46254fc2903c0ae7dae7c026b0467d32db5b051c8953b533fb0c46830265264701eea062db7b908d86c496cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
117KB

MD5
637bdee5410ad9e931864d3ce32fcd17

SHA1
80cf24bbf0dc7e4f504718099d0c2e557cbc2d1c

SHA256
602ae6a0994e239b7cf74b237a668971e8a5b4c77b44aabe0fa5104704f9573a

SHA512
5ae150ac6d5b601f044c09af7ef778c8dd7abb5e46254fc2903c0ae7dae7c026b0467d32db5b051c8953b533fb0c46830265264701eea062db7b908d86c496cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
117KB

MD5
637bdee5410ad9e931864d3ce32fcd17

SHA1
80cf24bbf0dc7e4f504718099d0c2e557cbc2d1c

SHA256
602ae6a0994e239b7cf74b237a668971e8a5b4c77b44aabe0fa5104704f9573a

SHA512
5ae150ac6d5b601f044c09af7ef778c8dd7abb5e46254fc2903c0ae7dae7c026b0467d32db5b051c8953b533fb0c46830265264701eea062db7b908d86c496cc

Download Submit