d0024df3740dc6934b9bd9e61c96109322a3b1739f4ff48a39c152d98f379f5f

General

Target

a2626f5de1f10783ee1888bc83a193c0N.exe
Size

37KB
MD5

a2626f5de1f10783ee1888bc83a193c0
SHA1

7ace9d7dabe77952d0e00815538eba823e6b2871
SHA256

d0024df3740dc6934b9bd9e61c96109322a3b1739f4ff48a39c152d98f379f5f
SHA512

d06c48aae7f4ebeb2665b6dea1c7d02d11512b0bd2cece5bc9527316a566acbdfe31d3db133e1ec4584f221efe767cba4c74b7aba3a02d7a2aae03677f79e63d
SSDEEP

384:sACDQL/TQfYjQXoHyglpIK0KY46QXEVvYpVAiq8sSKpEH0:sXQLGCQYHyYtX8vePU

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2520	budha.exe

Loads dropped DLL 1 IoCs

pid	Process
1976	a2626f5de1f10783ee1888bc83a193c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2626f5de1f10783ee1888bc83a193c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	budha.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	budha.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	budha.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2520	1976	a2626f5de1f10783ee1888bc83a193c0N.exe	30
PID 1976 wrote to memory of 2520	1976	a2626f5de1f10783ee1888bc83a193c0N.exe	30
PID 1976 wrote to memory of 2520	1976	a2626f5de1f10783ee1888bc83a193c0N.exe	30
PID 1976 wrote to memory of 2520	1976	a2626f5de1f10783ee1888bc83a193c0N.exe	30

C:\Users\Admin\AppData\Local\Temp\a2626f5de1f10783ee1888bc83a193c0N.exe
"C:\Users\Admin\AppData\Local\Temp\a2626f5de1f10783ee1888bc83a193c0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
37KB

MD5
f8bd9a6d05e0b19d8cf31da88bc44b00

SHA1
3800ca8240977b1efa1021c573724dfdfc65a5f8

SHA256
cdf0405b37f08d91c9e8f758c9b6b89eb7eb3574ae2225efff6e9c57c53cc3c6

SHA512
1bb595bc56a77316ae630d8faa82b6c9604b86f1944c0f50d9b35ebd88a233fcc184b83b45e20c04da521f43933f7c112bd04aaf903d541f6cf5797ca948413f

Download Submit
memory/1976-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1976-1-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/1976-7-0x00000000033C0000-0x00000000037C0000-memory.dmp

Filesize
4.0MB

Download
memory/1976-10-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1976-8-0x0000000003900000-0x000000000390C000-memory.dmp

Filesize
48KB

Download
memory/2520-11-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2520-12-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/2520-14-0x00000000034D0000-0x00000000038D0000-memory.dmp

Filesize
4.0MB

Download
memory/2520-27-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing