a97af6536e4fae17dc0cf674094362248788ae3fb2d5cd0fa828f5504908ab4c

Analysis

max time kernel
35s
max time network
36s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03/08/2024, 05:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

537c732d0ed1afc471e1b3327c8a58e0N.exe
Size

15KB
MD5

537c732d0ed1afc471e1b3327c8a58e0
SHA1

7221d16e7c2c3238ebe488288a70cd2b9250d1a3
SHA256

a97af6536e4fae17dc0cf674094362248788ae3fb2d5cd0fa828f5504908ab4c
SHA512

0c3053b3a31bababcdcda3371a39ea38687f6ab543647b18c71f0a4c791f48dd00739fdda3d71ca46d2eff4ec976e183a25c93b8637d3c42c41234de5d9d6cc7
SSDEEP

384:lojrEQCk7ps4A3Ux2iK7Mj2I4mXYp+AvEoJpK7:KjkGiMj2INhAvbm

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2472	budha.exe

Loads dropped DLL 1 IoCs

pid	Process
2608	537c732d0ed1afc471e1b3327c8a58e0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	537c732d0ed1afc471e1b3327c8a58e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	budha.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 2472	2608	537c732d0ed1afc471e1b3327c8a58e0N.exe	31
PID 2608 wrote to memory of 2472	2608	537c732d0ed1afc471e1b3327c8a58e0N.exe	31
PID 2608 wrote to memory of 2472	2608	537c732d0ed1afc471e1b3327c8a58e0N.exe	31
PID 2608 wrote to memory of 2472	2608	537c732d0ed1afc471e1b3327c8a58e0N.exe	31

C:\Users\Admin\AppData\Local\Temp\537c732d0ed1afc471e1b3327c8a58e0N.exe
"C:\Users\Admin\AppData\Local\Temp\537c732d0ed1afc471e1b3327c8a58e0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
16KB

MD5
0a8f1a15ee2f723d9a98cf5c18a6de02

SHA1
0bcb4ce8ceecc954e89c922cb98ce974ffa19098

SHA256
059a9950060766918dd60835147cef7799df375971a17908f09104604d027604

SHA512
df7b49c1dcef9085243a39a6322e569d95e1fe1e5bcc9f2f59af9ee021c5f896f4223463c4bdc261e17fc2f26837fad733edd52a74f12d8104ff73ea71fe12b9

Download Submit
memory/2472-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2472-15-0x0000000000490000-0x0000000000497000-memory.dmp

Filesize
28KB

Download
memory/2472-14-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/2472-31-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2472-32-0x0000000000490000-0x0000000000497000-memory.dmp

Filesize
28KB

Download
memory/2608-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2608-3-0x0000000000530000-0x0000000000537000-memory.dmp

Filesize
28KB

Download
memory/2608-2-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/2608-7-0x0000000002CE0000-0x0000000002CE9000-memory.dmp

Filesize
36KB

Download
memory/2608-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download