571ddee9f9f8c1e7cfdea01641fdcc0fc13e1f0c47fd5dff6a624cffe65dc4cc

Analysis

max time kernel
160s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c96c5d530a139ef90b4df57143a74945.exe
Size

41KB
MD5

c96c5d530a139ef90b4df57143a74945
SHA1

bcf94b5eee2365aa1f7523d78743d36f89ffb729
SHA256

571ddee9f9f8c1e7cfdea01641fdcc0fc13e1f0c47fd5dff6a624cffe65dc4cc
SHA512

757c1a6125752c8fce9b0a6ec5720e9ff10ceb1d9c0f9c058517ca8c6fff08257b26520fa70f5849343a689a783b67a0dc5944081a26ebadccf4525a6eeda8af
SSDEEP

768:/whRkKCCR3IAm9MOlq8bdA/bmerdkDwRGXn/+mmCfyrr7/YWb:s5Hm9dl4/tuDz/+mjfut

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	c96c5d530a139ef90b4df57143a74945.exe

Executes dropped EXE 1 IoCs

pid	Process
4464	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 4464	1636	c96c5d530a139ef90b4df57143a74945.exe	91
PID 1636 wrote to memory of 4464	1636	c96c5d530a139ef90b4df57143a74945.exe	91
PID 1636 wrote to memory of 4464	1636	c96c5d530a139ef90b4df57143a74945.exe	91

C:\Users\Admin\AppData\Local\Temp\c96c5d530a139ef90b4df57143a74945.exe
"C:\Users\Admin\AppData\Local\Temp\c96c5d530a139ef90b4df57143a74945.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
41KB

MD5
b2c5f1fae40e8c4624b3f47325c49b06

SHA1
4806cbb727c5a30d8b5a5d2f448739a72e766d2d

SHA256
d82f0ea8fdad07c530387516770c8f05f7c9e648db22981114df7a00a47fcd6e

SHA512
570b7d9bfb33e501491f2131cc42681ea5a8ddfc0148d3e1622ffc530b7080762b056d3857ff4a79480ee5e01a9e20779f05474cddbeaaa24e1427cac0a2ffa3

Download Submit