6c73f9f7bb9cc9c742d3a88bbcf418532e5acde87dd619b57ccd25ce18e49a85

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8568fbd80379558bc8cff0f2e2c6620N.exe
Size

6KB
MD5

b8568fbd80379558bc8cff0f2e2c6620
SHA1

feb909d8281b07622ecae4e75f80d9060460b545
SHA256

6c73f9f7bb9cc9c742d3a88bbcf418532e5acde87dd619b57ccd25ce18e49a85
SHA512

fd4f50c9154ebb9ac8f4cb038f1024ef3297bd38a98060172ce895e819c0725fd1577d469ab80337e41ffd3da5aea4999ae035edac148add00b911f561125253
SSDEEP

48:6smM8h4UQTnnOZlNYaj0vHZWNb8/uR5FyG1laAXJtyBSUUCS7Ng+l7gEuOj:iGOLN/jcgN4/Eo2ty4UUC0lkS

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2272	budha.exe

Loads dropped DLL 2 IoCs

pid	Process
1820	b8568fbd80379558bc8cff0f2e2c6620N.exe
1820	b8568fbd80379558bc8cff0f2e2c6620N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8568fbd80379558bc8cff0f2e2c6620N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	budha.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2272	1820	b8568fbd80379558bc8cff0f2e2c6620N.exe	28
PID 1820 wrote to memory of 2272	1820	b8568fbd80379558bc8cff0f2e2c6620N.exe	28
PID 1820 wrote to memory of 2272	1820	b8568fbd80379558bc8cff0f2e2c6620N.exe	28
PID 1820 wrote to memory of 2272	1820	b8568fbd80379558bc8cff0f2e2c6620N.exe	28

C:\Users\Admin\AppData\Local\Temp\b8568fbd80379558bc8cff0f2e2c6620N.exe
"C:\Users\Admin\AppData\Local\Temp\b8568fbd80379558bc8cff0f2e2c6620N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
6KB

MD5
c48d4226e588a81a6bbc72ec8afff094

SHA1
e858da2282692f851c11fd8631798899101f2358

SHA256
42f1f2a04fbcbd8241b79f244b424f5e90392981c3922bcb9abf78f941dd51fa

SHA512
49fe301c60921cfabf64f937e1e0652ef23c18611be1b0ab520a03a9874236510af438e5a221700c2cbb5ab1863d85210518e231bc9c313a7b1e554e470249a1

Download Submit