50642f32577e1414a690515e22c09496e1b24d2f2ffe74390df73e8d1dbca851

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1005679e66997f6a9de0dc8518603d86.exe
Size

43KB
MD5

1005679e66997f6a9de0dc8518603d86
SHA1

27a607e5caf29e5c363bbd449dfb6e038e570bca
SHA256

50642f32577e1414a690515e22c09496e1b24d2f2ffe74390df73e8d1dbca851
SHA512

49f24126f0e76fcf6e5d4bdd38977045b22e52dbe0e663696eaff5955f5035cdb4dc16adad7f170df979fe81ede03f6d4a22cd6e61eb110968b16b45cd7820dc
SSDEEP

768:/whRkKCCR3IAm9MOlq8bdA/bmerdkDwRGXn/+mmCfyrr7/YGp:s5Hm9dl4/tuDz/+mjfuPp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	1005679e66997f6a9de0dc8518603d86.exe

Executes dropped EXE 1 IoCs

pid	Process
2140	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 2140	3120	1005679e66997f6a9de0dc8518603d86.exe	87
PID 3120 wrote to memory of 2140	3120	1005679e66997f6a9de0dc8518603d86.exe	87
PID 3120 wrote to memory of 2140	3120	1005679e66997f6a9de0dc8518603d86.exe	87

C:\Users\Admin\AppData\Local\Temp\1005679e66997f6a9de0dc8518603d86.exe
"C:\Users\Admin\AppData\Local\Temp\1005679e66997f6a9de0dc8518603d86.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
43KB

MD5
d6a71ce4f072e4ae0d55045fe08f757d

SHA1
a1c1a230bae7242317074ad111865f2ae227c50c

SHA256
17298a7df7e7d5da999ddf11c0f29ef155853bd2ef6b5ef9a543a92ad5a6fa50

SHA512
6d84eaf4c8f989894e2aebaabf0b570636c094c19b0e4c2eedf44c9d1ffcce1432308534cbfdac5232cb85833b5dd1888a8a5c77e62779f4a529e2612e8141ec

Download Submit