c96999ac877c72608698843f2515428fffc864e98d4e476fe2933b0bee973e3f

Analysis

max time kernel
110s
max time network
116s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd27980627b12d8745506ef18e7297e0N.exe
Size

24KB
MD5

dd27980627b12d8745506ef18e7297e0
SHA1

9c941089a3ba091d0f955d89efd5f1bb44b1c50a
SHA256

c96999ac877c72608698843f2515428fffc864e98d4e476fe2933b0bee973e3f
SHA512

65a4051ad5c7b05472d1c8cafa41c5dc28025ee6ad7c5cce604200b1ce04466afe9411b5362843a503a6180299eac62899946a8b6314e302a1d005a9c2221ac8
SSDEEP

384:OyLHsL4m3fKSelxP1jSmD2KPyNj7kVSkV9UmAf8a:OyYLLPKtRDVVVVamA1

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2736	budha.exe

Loads dropped DLL 1 IoCs

pid	Process
1964	dd27980627b12d8745506ef18e7297e0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd27980627b12d8745506ef18e7297e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	budha.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2736	1964	dd27980627b12d8745506ef18e7297e0N.exe	30
PID 1964 wrote to memory of 2736	1964	dd27980627b12d8745506ef18e7297e0N.exe	30
PID 1964 wrote to memory of 2736	1964	dd27980627b12d8745506ef18e7297e0N.exe	30
PID 1964 wrote to memory of 2736	1964	dd27980627b12d8745506ef18e7297e0N.exe	30

C:\Users\Admin\AppData\Local\Temp\dd27980627b12d8745506ef18e7297e0N.exe
"C:\Users\Admin\AppData\Local\Temp\dd27980627b12d8745506ef18e7297e0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
25KB

MD5
42e23b6a4d7c93ba8fdad4a5a6720017

SHA1
c6675e93e39b588d0f812052480bc33f3727218a

SHA256
2f02fe4ec4ee20cd7548e7f559cd430a08ebaf62d37f1f99c52f25409b421264

SHA512
2c629148f7ba1ce7fe10eef0517983fca8299a5c454ba3e2f4ee53ed6d8ccf7a6bc4c1fe428590ea7e260113e6977d3aa7d7ff69ec4ebbe051ee47ed1e6f9b3a

Download Submit
memory/1964-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1964-1-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/1964-3-0x0000000002C50000-0x0000000003050000-memory.dmp

Filesize
4.0MB

Download
memory/1964-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2736-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2736-14-0x0000000002AD0000-0x0000000002ED0000-memory.dmp

Filesize
4.0MB

Download
memory/2736-13-0x0000000001D10000-0x0000000001D11000-memory.dmp

Filesize
4KB

Download
memory/2736-15-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download