Analysis
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 19/12/2023, 21:59
Static task: static1
Behavioral task: behavioral1
  Sample: af2f6b13e1c4ea222fd3f0f4e9a5c4ea.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: af2f6b13e1c4ea222fd3f0f4e9a5c4ea.exe
  Resource: win10v2004-20231215-en
General
Target: af2f6b13e1c4ea222fd3f0f4e9a5c4ea.exe
Size: 48KB
MD5: af2f6b13e1c4ea222fd3f0f4e9a5c4ea
SHA1: 0bdb539eacee0048f13b922102c34bbe25cb29f1
SHA256: 2d1536733766b68342fecfe2ab144c1c05f69fd1190fb7f517a2ad9acc58ee39
SHA512: e11080c149c73577f484222a09e1f298ea95710c48cc05deb19cb9c33d46cd8b767ac2f066429fbab3547b8ecea13cd54155636c281ea9410bd3a97ee3a5a4c8
SSDEEP: 768:HT1g40wSXvdMx+v3fUFqFRFo6kF7xNvCMUM33ScGyTjUOXNXkchJ8:Hxg2SfdMw3KeE52ayEjNDJ8
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation
  Process: af2f6b13e1c4ea222fd3f0f4e9a5c4ea.exe

Executes dropped EXE (1 IoC)
  pid: 4716
  Process: budha.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4616 wrote to memory of 4716
  pid: 4616
  Process: af2f6b13e1c4ea222fd3f0f4e9a5c4ea.exe
  procid_target: 88
  (the same row is recorded three times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\af2f6b13e1c4ea222fd3f0f4e9a5c4ea.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\af2f6b13e1c4ea222fd3f0f4e9a5c4ea.exe"
   PID: 4616
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\budha.exe (child of PID 4616)
      Command line: "C:\Users\Admin\AppData\Local\Temp\budha.exe"
      PID: 4716
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 48KB
MD5: e1b9c4f854772cd1c4132c6fa446075c
SHA1: dd018680fe39f9a55a835975962df68ba9987281
SHA256: f1d766760999ed5c2eb3bb82e7e7475b5574e0b6e6cffce54ab16f05cfa8ae5d
SHA512: c067014ab1355cb9ec18e21c3474f316472fce9dedb3e78c9f6d0828b75215b1ec30b74f7d08fdff3719624be076736769a460a5a2caf6760664ae12d9ee117a