984dfbe32dc17d8205888e96740f5263556620dd0ace909c825fea4a24626b2c

Analysis

max time kernel
161s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18b8c42ac045a04564fc0e889872a2e7.exe
Size

12KB
MD5

18b8c42ac045a04564fc0e889872a2e7
SHA1

27a0209152529cef5bafb78abac5f2f0303f60b8
SHA256

984dfbe32dc17d8205888e96740f5263556620dd0ace909c825fea4a24626b2c
SHA512

227d1f95241117880da23d625c4d29cf21293d40fc26ffa274e3fc23aeb717d225ef27097f3c28c255e64d4d9770fccf38ad1ee0fea6316beed490844a14948f
SSDEEP

192:K5FzRJ0y4SCUSkgb+yaZOvKgigbShwpGcN91y3bnsBJgsJWj/eJgbq8:K30y4exy4P9w4cPPoQQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	18b8c42ac045a04564fc0e889872a2e7.exe

Executes dropped EXE 1 IoCs

pid	Process
1152	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 1152	4964	18b8c42ac045a04564fc0e889872a2e7.exe	94
PID 4964 wrote to memory of 1152	4964	18b8c42ac045a04564fc0e889872a2e7.exe	94
PID 4964 wrote to memory of 1152	4964	18b8c42ac045a04564fc0e889872a2e7.exe	94

C:\Users\Admin\AppData\Local\Temp\18b8c42ac045a04564fc0e889872a2e7.exe
"C:\Users\Admin\AppData\Local\Temp\18b8c42ac045a04564fc0e889872a2e7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
12KB

MD5
b77151ddc25adfa3afa48335e8720b79

SHA1
30af907858d2f2fc1340b889b974232c53e8575e

SHA256
95a8dd90aa9056fdda0de9b45542f987d557d977409a94c0787d6ac85ffc9c12

SHA512
da640eed421e3f2a2161fd1de3e356305af13d0b77b9a7be8a5340434360d9268f46f7b54f1e85e4b0768e866c0a3d5553f3cf137b5b66a34ef919901c760a7b

Download Submit