7ea0a3f65a1140ab00b48072d62c75d5bd1712d71ff1af58c58677383907c25d

Analysis

max time kernel
136s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ea0a3f65a1140ab00b48072d62c75d5bd1712d71ff1af58c58677383907c25d.exe
Size

17KB
MD5

4ea5e819c37598d86c5be9a35f6300c9
SHA1

94e5050630feaf1832ca0407c41272967b610fb6
SHA256

7ea0a3f65a1140ab00b48072d62c75d5bd1712d71ff1af58c58677383907c25d
SHA512

5188eaebbab1c51b3bdd5269bb3127980bf7870231353b0a0e79f8375e9b432278a17631e892e849b648325e62adeed61d371862b2946bb0ced8af32715cf8b6
SSDEEP

384:xiOQWRIga02iBunne0vq0/Cz9W5q5a8t+j:xVhRm0z+rC8Yt+j

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	7ea0a3f65a1140ab00b48072d62c75d5bd1712d71ff1af58c58677383907c25d.exe

Executes dropped EXE 1 IoCs

pid	Process
704	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 704	956	7ea0a3f65a1140ab00b48072d62c75d5bd1712d71ff1af58c58677383907c25d.exe	85
PID 956 wrote to memory of 704	956	7ea0a3f65a1140ab00b48072d62c75d5bd1712d71ff1af58c58677383907c25d.exe	85
PID 956 wrote to memory of 704	956	7ea0a3f65a1140ab00b48072d62c75d5bd1712d71ff1af58c58677383907c25d.exe	85

C:\Users\Admin\AppData\Local\Temp\7ea0a3f65a1140ab00b48072d62c75d5bd1712d71ff1af58c58677383907c25d.exe
"C:\Users\Admin\AppData\Local\Temp\7ea0a3f65a1140ab00b48072d62c75d5bd1712d71ff1af58c58677383907c25d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
17KB

MD5
16a4adae13aff62891e8fbd167ce8b24

SHA1
086d08e7684969b830275998ef93c4cdb97ecd77

SHA256
8899b4bb843b073b1fb8096bf018f021b6f141efd0b889340a9094b0b6d88501

SHA512
672676f3fb7fa1661e2d42c913481f81ebb454e69f774521f17c9a22ec17ea44cbd4dc829bce0edba0179bcd9800d856406a0e57193600d8a5f762df76f4c6b6

Download Submit
memory/956-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/956-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download