058e3cd41974de09985c8745af707f90f968f814bba7cfda99fb5614697170db

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/09/2024, 08:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9231b79344b3961e707e5e4ce341a520N.exe
Size

31KB
MD5

9231b79344b3961e707e5e4ce341a520
SHA1

ea852ed52dd4fa210774179f34b807f7ba83bc47
SHA256

058e3cd41974de09985c8745af707f90f968f814bba7cfda99fb5614697170db
SHA512

6705bc3b5d9de10aa33768850760555fc458131af0f95b004f8f28a6c5d222ac6a29d47baf1f23e08e89581e732d347e99fcda3497b37b949e801a5f035005da
SSDEEP

384:iXET14X4f0y4liVlhox+a8lvDIU+mMaV0tOLOHa:HT1g40QlgglvDIUPV04O6

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2796	budha.exe

Loads dropped DLL 2 IoCs

pid	Process
2684	9231b79344b3961e707e5e4ce341a520N.exe
2684	9231b79344b3961e707e5e4ce341a520N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9231b79344b3961e707e5e4ce341a520N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2796	2684	9231b79344b3961e707e5e4ce341a520N.exe	30
PID 2684 wrote to memory of 2796	2684	9231b79344b3961e707e5e4ce341a520N.exe	30
PID 2684 wrote to memory of 2796	2684	9231b79344b3961e707e5e4ce341a520N.exe	30
PID 2684 wrote to memory of 2796	2684	9231b79344b3961e707e5e4ce341a520N.exe	30

C:\Users\Admin\AppData\Local\Temp\9231b79344b3961e707e5e4ce341a520N.exe
"C:\Users\Admin\AppData\Local\Temp\9231b79344b3961e707e5e4ce341a520N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
31KB

MD5
4c9442e87225435d18b1eb9613f3c965

SHA1
fc3d5c40863bf2367d9b5b1f637cf4479e6dc045

SHA256
d349c97b592b07fc8ad2cfd5cacc049934cd7c83d987f02ca499341b67d2cdf0

SHA512
c7e51338152eda9933327ff752274486e33a298d27b364b160ceb070a8bac746f58a6c6e057b4aa7e19a16feb9f76f18c9b244816dd0b3f0a370a0c561b69aaf

Download Submit