4235e8f9811f219eca36bbfd01be2bf6d16e1e51d9ddec8dfdcc970a5a8b2c17

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab4bf63317dc6783e479da430b4b09a1.exe
Size

8KB
MD5

ab4bf63317dc6783e479da430b4b09a1
SHA1

4ca41fcd6d0130c6955ca448476dce6d975cafcc
SHA256

4235e8f9811f219eca36bbfd01be2bf6d16e1e51d9ddec8dfdcc970a5a8b2c17
SHA512

b70dbd080bd85aeeca030a839e0d7f6488cf59d40dd464c3bb958e4a627516cbb809a1f7023307f009ed5e88c16b4a2efad426c7e01e0dcd22282ad45fab1929
SSDEEP

96:fNJEEvtcUF7xAnQWRIUZ2CmKv5PF2wGkGzCHl6iCLkaqWaACikWka7KNKgnkWkX:XEYWQWRIgSU5PenzCHlXGYWaAFgE

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	ab4bf63317dc6783e479da430b4b09a1.exe

Executes dropped EXE 1 IoCs

pid	Process
8	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 8	320	ab4bf63317dc6783e479da430b4b09a1.exe	89
PID 320 wrote to memory of 8	320	ab4bf63317dc6783e479da430b4b09a1.exe	89
PID 320 wrote to memory of 8	320	ab4bf63317dc6783e479da430b4b09a1.exe	89

C:\Users\Admin\AppData\Local\Temp\ab4bf63317dc6783e479da430b4b09a1.exe
"C:\Users\Admin\AppData\Local\Temp\ab4bf63317dc6783e479da430b4b09a1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:320
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
8KB

MD5
ebb7d004d486bcc79fd4c721dc6283dd

SHA1
5ba9d47c0a7279a82091df81892fbd817350a865

SHA256
d0f220cbea95e3d82cbac1ee7bbe696f803738e3a84c720ebc179da2b66cdc61

SHA512
51fc180fc4e28707589f113461e19b035de94bb318c1b96d6c20d69dba8dcb43508271973e26027a5ae5cf767a3d9c93677aa3f644a62fbfa0c11cda7607f210

Download Submit