Analysis
max time kernel: 127s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2023 10:44
Static task: static1
Behavioral task: behavioral1
  Sample: 0b9d6d771b4d6dddf1e5ed10bdd03fab.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 0b9d6d771b4d6dddf1e5ed10bdd03fab.exe
  Resource: win10v2004-20231215-en
General
Target: 0b9d6d771b4d6dddf1e5ed10bdd03fab.exe
Size: 26KB
MD5: 0b9d6d771b4d6dddf1e5ed10bdd03fab
SHA1: d081602477377e3c9f43d9efcb534f9a0fa31cf2
SHA256: 13ca50d5011afbf7c838a355fe256ecea9931d0b3ddf5672997815c5afb40eb9
SHA512: 9e18577c8f4891052d75b8171ac932e69b3c43911b1e4047c62bc0913e7944a700267f0a204e074d750f9651181a4e279209ad734fcdd0a9ab6c6ab220b92e51
SSDEEP: 384:hguzjE+NQiviL//U8MfiTfEvkNvft2N+PGUeP:hlNvW//prfTFlPGn
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                         Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation  0b9d6d771b4d6dddf1e5ed10bdd03fab.exe

Executes dropped EXE (1 IoC)
  pid  Process
  392  budha.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
  description                     pid  Process                               procid_target
  PID 576 wrote to memory of 392  576  0b9d6d771b4d6dddf1e5ed10bdd03fab.exe  94
  PID 576 wrote to memory of 392  576  0b9d6d771b4d6dddf1e5ed10bdd03fab.exe  94
  PID 576 wrote to memory of 392  576  0b9d6d771b4d6dddf1e5ed10bdd03fab.exe  94
Processes
C:\Users\Admin\AppData\Local\Temp\0b9d6d771b4d6dddf1e5ed10bdd03fab.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b9d6d771b4d6dddf1e5ed10bdd03fab.exe"
  PID: 576
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\budha.exe (child of PID 576)
    Command line: "C:\Users\Admin\AppData\Local\Temp\budha.exe"
    PID: 392
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 26KB
MD5: ce194c5a90a47856b81d5c68d8f72fe4
SHA1: f1cb9037e44e4823018c193751dcd3d531e99b9b
SHA256: 23e3b97488de6df2853a918aa2ad065fec17a5aa174ec0c8abc5edef762c8c9c
SHA512: 18aa0ba01d5347812af93b7aad0a6cde5553d7ff8e03b98494d3a16d0b86b8e911f3f86142d06cf27fbc27f14fd4dab6a0c3322efe2001f84030f273309be07f