2048ae69df8323b80388b7719d1d9fea06dd6abf7b5a5fbb0ad7acc793ac8552

Analysis

max time kernel
123s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8494e654d4c354e274509cdf9a508da0.exe
Size

25KB
MD5

8494e654d4c354e274509cdf9a508da0
SHA1

f0d50fe2da6abc6580aab2464c5fd06a7e98a5b9
SHA256

2048ae69df8323b80388b7719d1d9fea06dd6abf7b5a5fbb0ad7acc793ac8552
SHA512

d34112d43c5129ac9200087cf3a24a03a23b051d2ba603c770b6e10034de13800af165a50091dab4e6585ac9cf30a729b165ecd2370ab914579fd48a583571db
SSDEEP

384:QatQWRIgymNeuQDC2/1BfXC3IALA5skMOlm7eVbdmGa/ZiGmMD299:QihRuKCCR3IAm9MOlq8bdA/bmMW9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	8494e654d4c354e274509cdf9a508da0.exe

Executes dropped EXE 1 IoCs

pid	Process
624	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 624	1864	8494e654d4c354e274509cdf9a508da0.exe	87
PID 1864 wrote to memory of 624	1864	8494e654d4c354e274509cdf9a508da0.exe	87
PID 1864 wrote to memory of 624	1864	8494e654d4c354e274509cdf9a508da0.exe	87

C:\Users\Admin\AppData\Local\Temp\8494e654d4c354e274509cdf9a508da0.exe
"C:\Users\Admin\AppData\Local\Temp\8494e654d4c354e274509cdf9a508da0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
25KB

MD5
9dbaf802770f4bed5d8575a8f686fe62

SHA1
eacd393d3d9654dc1ff5cb772f0aa4c3c560fd8b

SHA256
dc8020b41e2a6154a5e71ef5ad05beadac6fa2b44ecfdf30f3e2755f703f6c6b

SHA512
b7f4219b0a0ab31754367dbdeaef46df5d06a792fe3b4c08f51a310795772349f2bf87857cbc27ef3df7db8113f8ed00035f9de1b675507751c5cf4dd9eec95f

Download Submit
memory/1864-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1864-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download