290aa0012a700a049e72cd5bf3f89819637fcae59d4b1273c0da05e5511c74bb

Analysis

max time kernel
141s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

290aa0012a700a049e72cd5bf3f89819637fcae59d4b1273c0da05e5511c74bb.exe
Size

23KB
MD5

2bbd6ca5c0f3618188bc311db9348775
SHA1

421ea74fdb810235a4135f72f9386216486a813b
SHA256

290aa0012a700a049e72cd5bf3f89819637fcae59d4b1273c0da05e5511c74bb
SHA512

e2164b9bf79e7d5e7eb7d47e84dad5ae984a91f6bb3e3dfaf6ce5b646d6c7e8de149b69d58a53d27c53c351e215fc93eef63c0b86c54ed1ae2560efc3d4fa7db
SSDEEP

384:WOw2RGQfMSF+Exwp/eCSPJSQTebw/lpdQbSQ/RUfCiSJHX/6nT:WOZRGQftFaGPMQTep2/ChPAT

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	290aa0012a700a049e72cd5bf3f89819637fcae59d4b1273c0da05e5511c74bb.exe

Executes dropped EXE 1 IoCs

pid	Process
884	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 884	4188	290aa0012a700a049e72cd5bf3f89819637fcae59d4b1273c0da05e5511c74bb.exe	83
PID 4188 wrote to memory of 884	4188	290aa0012a700a049e72cd5bf3f89819637fcae59d4b1273c0da05e5511c74bb.exe	83
PID 4188 wrote to memory of 884	4188	290aa0012a700a049e72cd5bf3f89819637fcae59d4b1273c0da05e5511c74bb.exe	83

C:\Users\Admin\AppData\Local\Temp\290aa0012a700a049e72cd5bf3f89819637fcae59d4b1273c0da05e5511c74bb.exe
"C:\Users\Admin\AppData\Local\Temp\290aa0012a700a049e72cd5bf3f89819637fcae59d4b1273c0da05e5511c74bb.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
23KB

MD5
128e87d9b7b9f578f6631ac7e32f96a0

SHA1
f00e74141e27f7f45fddb822774a7013a552f5cd

SHA256
a2461fdb5fb4eea136890de434260e07beedcce212db5a9a7dcf980c214fb7b2

SHA512
da0d39aad6808f10c34db7ccf93f83e009045a644c840ad1d6161a1ffc8d0dd36757b9d595582a0789b6755e75a1da1bab8241a329756e0f25faaffb9cb43dda

Download Submit
memory/884-13-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/884-14-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/884-15-0x00000000025D0000-0x00000000029D0000-memory.dmp

Filesize
4.0MB

Download
memory/884-25-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4188-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4188-3-0x00000000025E0000-0x00000000029E0000-memory.dmp

Filesize
4.0MB

Download
memory/4188-2-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/4188-12-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download