b31262ab3774c24326b070d1a6d451f4b36118f5382d772d598bc078009d7230

Analysis

max time kernel
110s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b31262ab3774c24326b070d1a6d451f4b36118f5382d772d598bc078009d7230N.exe
Size

25KB
MD5

43c5b64bf8421ac64c13fe39d8d99120
SHA1

bef3e685ac85addc50a41d36be2c959a3f82cedc
SHA256

b31262ab3774c24326b070d1a6d451f4b36118f5382d772d598bc078009d7230
SHA512

c410679de4ceccb6c8552288e9e699853df55b6f505f906a7b2201024c6b52885f6ab94b61c94bf52040a3b6319f893ab1a6f9c5d3dd35f40a58f6ffd8c5d4b3
SSDEEP

768:jepHpMRuviPuvvaVeRMF71HYN/9sq7isXFHJ:ypHp25wvaVeR071HYV9rFJ

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	b31262ab3774c24326b070d1a6d451f4b36118f5382d772d598bc078009d7230N.exe

Executes dropped EXE 1 IoCs

pid	Process
1616	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b31262ab3774c24326b070d1a6d451f4b36118f5382d772d598bc078009d7230N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	budha.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 1616	920	b31262ab3774c24326b070d1a6d451f4b36118f5382d772d598bc078009d7230N.exe	82
PID 920 wrote to memory of 1616	920	b31262ab3774c24326b070d1a6d451f4b36118f5382d772d598bc078009d7230N.exe	82
PID 920 wrote to memory of 1616	920	b31262ab3774c24326b070d1a6d451f4b36118f5382d772d598bc078009d7230N.exe	82

C:\Users\Admin\AppData\Local\Temp\b31262ab3774c24326b070d1a6d451f4b36118f5382d772d598bc078009d7230N.exe
"C:\Users\Admin\AppData\Local\Temp\b31262ab3774c24326b070d1a6d451f4b36118f5382d772d598bc078009d7230N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:920
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
25KB

MD5
ad10f919bd9f0322e49797334d8d7f90

SHA1
39bdcab7d4b7f603b892795eada84ac0ce908696

SHA256
7590725e427b39cb9ed888c641834cd1c2fba8decea660ceed9a6690e9d267ec

SHA512
e7b0f0226718be06dac4059c9a9dc3ffe6c26a883068fbc86e1457bc5fab8e2cb8ee1084f97ec7289fb0aad787579427665d6eba661f59bf3bcc154fefdc0116

Download Submit
memory/920-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/920-1-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/920-3-0x0000000002650000-0x0000000002A50000-memory.dmp

Filesize
4.0MB

Download
memory/920-12-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1616-13-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1616-14-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/1616-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download