de656ed5e726a15b5f09e2af0cb2399aa8d07038aed1b7cc1569962d367f9dcb

Analysis

max time kernel
110s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

385490a1a181f0a2a9e75334cb5894f0N.exe
Size

24KB
MD5

385490a1a181f0a2a9e75334cb5894f0
SHA1

bc2cd65b65bfffe3b3d015eae092a9010751b355
SHA256

de656ed5e726a15b5f09e2af0cb2399aa8d07038aed1b7cc1569962d367f9dcb
SHA512

3d351af8bcd335454e32b6bf8ddac4dab4f5bbd34f471c322a4d8b16fbffc9c08e5da36945af01d402fefa42f56d3d5482a0b75a3cb165b5f16fab23e3a73b13
SSDEEP

384:OyLHsL4m3fKSelxP1jSmD2KPyNj7kVSkV9UmAfvY:OyYLLPKtRDVVVVamAo

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	385490a1a181f0a2a9e75334cb5894f0N.exe

Executes dropped EXE 1 IoCs

pid	Process
2844	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	385490a1a181f0a2a9e75334cb5894f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	budha.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2844	2516	385490a1a181f0a2a9e75334cb5894f0N.exe	85
PID 2516 wrote to memory of 2844	2516	385490a1a181f0a2a9e75334cb5894f0N.exe	85
PID 2516 wrote to memory of 2844	2516	385490a1a181f0a2a9e75334cb5894f0N.exe	85

C:\Users\Admin\AppData\Local\Temp\385490a1a181f0a2a9e75334cb5894f0N.exe
"C:\Users\Admin\AppData\Local\Temp\385490a1a181f0a2a9e75334cb5894f0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
24KB

MD5
033c5b77498d3a37397a9d33fd10b8af

SHA1
3ecb947b3103d785b5ef883e321945d594aad1cb

SHA256
53090a46696a7164df12126fef9f15df1edc4b36d138282b50c04232975765ee

SHA512
3ddf5948826d937ebc3921f10421d4c6c2b913f27af023ddcef02dc99baf9a3146ff97151d8254900e289f70329ea3b85207bc8c45cfc6b4148c06d150423971

Download Submit
memory/2516-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2516-1-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/2516-3-0x00000000026F0000-0x0000000002AF0000-memory.dmp

Filesize
4.0MB

Download
memory/2516-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2844-14-0x0000000002710000-0x0000000002B10000-memory.dmp

Filesize
4.0MB

Download
memory/2844-13-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2844-15-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download