a939db680c17235feba8c126578676716ec1f71bcda4ad04e7e76a4673335b18

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-03-2024 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a939db680c17235feba8c126578676716ec1f71bcda4ad04e7e76a4673335b18.exe
Size

25KB
MD5

f37d47f0e458df737e3c29059a9b13c9
SHA1

d736644621ec8cd8f74cad3f92a8a1c12d43ce25
SHA256

a939db680c17235feba8c126578676716ec1f71bcda4ad04e7e76a4673335b18
SHA512

642968c5d4cb515e61ddce0e8913a2f59df5d950273bdb1100cc6e45427d00a9594efd85a6e1224ea91095f327fdc793f8380b6f19429b3b6bd441356db723d2
SSDEEP

384:O/HTfut04H5wakydVf/4xQ8uFvTtk4Fe3baIYdh7hEvK76nZS:O/zcJ5Pf/r8urkp3bxHv+64

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2068	budha.exe

Loads dropped DLL 1 IoCs

pid	Process
2352	a939db680c17235feba8c126578676716ec1f71bcda4ad04e7e76a4673335b18.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2068	2352	a939db680c17235feba8c126578676716ec1f71bcda4ad04e7e76a4673335b18.exe	28
PID 2352 wrote to memory of 2068	2352	a939db680c17235feba8c126578676716ec1f71bcda4ad04e7e76a4673335b18.exe	28
PID 2352 wrote to memory of 2068	2352	a939db680c17235feba8c126578676716ec1f71bcda4ad04e7e76a4673335b18.exe	28
PID 2352 wrote to memory of 2068	2352	a939db680c17235feba8c126578676716ec1f71bcda4ad04e7e76a4673335b18.exe	28

C:\Users\Admin\AppData\Local\Temp\a939db680c17235feba8c126578676716ec1f71bcda4ad04e7e76a4673335b18.exe
"C:\Users\Admin\AppData\Local\Temp\a939db680c17235feba8c126578676716ec1f71bcda4ad04e7e76a4673335b18.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
25KB

MD5
0d13522e0c1aee17c3e134db418aecac

SHA1
f00b5ecec06bfee7a71e9a75eae85f4f48292b7c

SHA256
1579c95e4c0a1cd092046e787e269283b2992332902b2f23c92745208c12a5d6

SHA512
8c63cacff229afa90c5b66c0d15f2c3caa0888347b5df9404b1211b2b838f6bf6a808672a5adb641482308a2657b58d138e7fef7166d0c9870f4c6ea3c533aef

Download Submit
memory/2068-10-0x0000000000410000-0x0000000000417000-memory.dmp

Filesize
28KB

Download
memory/2068-12-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2068-13-0x0000000000760000-0x0000000000767000-memory.dmp

Filesize
28KB

Download
memory/2068-14-0x0000000000410000-0x0000000000417000-memory.dmp

Filesize
28KB

Download
memory/2068-15-0x0000000000760000-0x0000000000767000-memory.dmp

Filesize
28KB

Download
memory/2352-0-0x0000000000410000-0x0000000000417000-memory.dmp

Filesize
28KB

Download
memory/2352-2-0x0000000001D10000-0x0000000001D11000-memory.dmp

Filesize
4KB

Download
memory/2352-3-0x0000000001C40000-0x0000000001C47000-memory.dmp

Filesize
28KB

Download
memory/2352-9-0x0000000000410000-0x0000000000417000-memory.dmp

Filesize
28KB

Download