af484bce14eb6d1997777e8cd0c66d07952bc6bef72e8109288744216152d6fb

Analysis

max time kernel
104s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 12:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9a048eb09d106930fcf6a3b8985a2120N.exe
Size

20KB
MD5

9a048eb09d106930fcf6a3b8985a2120
SHA1

af6c617f8b58cae567a5fb2ec28f66833e07b679
SHA256

af484bce14eb6d1997777e8cd0c66d07952bc6bef72e8109288744216152d6fb
SHA512

89976400e224043d2ad0f086bfbeef11daf554fec45c21d7223d834241502a0a0873ccd312b7214c1ed308ff3579a69051d56ca4b5139bca5c8cac5dd1a8008b
SSDEEP

192:hgaUZMFTnnjyqVLzu+NQb27lprOLgHo0wNZ2OU8MfiTfEvkY6+uNpGDedk/bAr9O:hguzjE+NQiviL//U8MfiTfEvkNNdkP

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	9a048eb09d106930fcf6a3b8985a2120N.exe

Executes dropped EXE 1 IoCs

pid	Process
3704	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 3704	2356	9a048eb09d106930fcf6a3b8985a2120N.exe	84
PID 2356 wrote to memory of 3704	2356	9a048eb09d106930fcf6a3b8985a2120N.exe	84
PID 2356 wrote to memory of 3704	2356	9a048eb09d106930fcf6a3b8985a2120N.exe	84

C:\Users\Admin\AppData\Local\Temp\9a048eb09d106930fcf6a3b8985a2120N.exe
"C:\Users\Admin\AppData\Local\Temp\9a048eb09d106930fcf6a3b8985a2120N.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
20KB

MD5
17a83a269890c460f6e688da77a72b3c

SHA1
4b592bb1a3cbd1af6f0a6b9ebd0ecc704562a30d

SHA256
8ebcf5834b987fdff94a7559298455e29c84e8d59dfed95f45d69ba269589d40

SHA512
f790ce39d2637f65e0a6783fbc168cff70105ca42229f40bfefaf20f4d608ec768b67372288bd5348b8729aa8d2be7f068af63f93ee937e87f1fb0c05a4d61e9

Download Submit
memory/2356-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2356-1-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2356-3-0x0000000000960000-0x0000000000967000-memory.dmp

Filesize
28KB

Download
memory/2356-12-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3704-13-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3704-15-0x0000000002050000-0x0000000002057000-memory.dmp

Filesize
28KB

Download
memory/3704-14-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/3704-16-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3704-17-0x0000000002050000-0x0000000002057000-memory.dmp

Filesize
28KB

Download