9c7b34e98563e22b5fcb22c795dd989e80aa1bf12f99bd9b286417ecb8056d20

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0025d42a69843618c12051d3fb9b6cc0N.exe
Size

34KB
MD5

0025d42a69843618c12051d3fb9b6cc0
SHA1

e5a809f7b401dc5ac313179208151a284281ad61
SHA256

9c7b34e98563e22b5fcb22c795dd989e80aa1bf12f99bd9b286417ecb8056d20
SHA512

1f033bfa28a6c2b8210ad24c8a3becfebbc5261346a0199afeb24d4795ec2acbe9bb2027a3734b5c41753511d775b89180c8d8fdafff6c40b4c3868926a5daa0
SSDEEP

384:iTjB4f0y4lSqCHHffYZ5SKNOI5pbzCZYCKdKj+RYS9ON2tSUCu8FoE692yyRbTYJ:Q406H/0PbzCdj+Rh9OotSbxFTGtwfYWc

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	0025d42a69843618c12051d3fb9b6cc0N.exe

Executes dropped EXE 1 IoCs

pid	Process
3676	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0025d42a69843618c12051d3fb9b6cc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	budha.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 3676	3316	0025d42a69843618c12051d3fb9b6cc0N.exe	83
PID 3316 wrote to memory of 3676	3316	0025d42a69843618c12051d3fb9b6cc0N.exe	83
PID 3316 wrote to memory of 3676	3316	0025d42a69843618c12051d3fb9b6cc0N.exe	83

C:\Users\Admin\AppData\Local\Temp\0025d42a69843618c12051d3fb9b6cc0N.exe
"C:\Users\Admin\AppData\Local\Temp\0025d42a69843618c12051d3fb9b6cc0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
34KB

MD5
dba4fe102735b844f43f6644561814db

SHA1
691db32e5586dc90d72c8090f2ee01fc573dc553

SHA256
aba832a58fc50e8453845087f866d51a3661eb7280aa77fea6c45dc9d45c7be1

SHA512
46566a9c891a78fde6852e610c7b39ecc4f6404d439347ef1c46b4a5d93f7cbc77cc03318435026cedb7fb7af90b0efb51e54e917fd1c4a80eae68e2464afb64

Download Submit