a5367e305d1444426ecee4ee30bea88bb5b48fbce62266e70aec80932a27ba4e

Analysis

max time kernel
95s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5367e305d1444426ecee4ee30bea88bb5b48fbce62266e70aec80932a27ba4eN.exe
Size

20KB
MD5

6f72fcb54cea3c2f6b2181cd4f27a930
SHA1

63a4371d95e0afcfa919ef784335d4fea670ff24
SHA256

a5367e305d1444426ecee4ee30bea88bb5b48fbce62266e70aec80932a27ba4e
SHA512

b7c2fafb58e8862e0fafd5bea54d09e874c1e9136871af57f581d93c967eccb98f8a351b1aad698182422c35e28fa753070701aedaaf9b5eb7404e0612a8c0df
SSDEEP

192:x2Xn7CQWRIgaXE2Vu3zDbNuOWn+UG0vq01CkCz9WQQ4H8qXpZQFVHf6Ej77fzUV7:xiOQWRIga02iBunne0vq0/Cz9W5q5867

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	a5367e305d1444426ecee4ee30bea88bb5b48fbce62266e70aec80932a27ba4eN.exe

Executes dropped EXE 1 IoCs

pid	Process
1724	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5367e305d1444426ecee4ee30bea88bb5b48fbce62266e70aec80932a27ba4eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	budha.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 1724	1440	a5367e305d1444426ecee4ee30bea88bb5b48fbce62266e70aec80932a27ba4eN.exe	82
PID 1440 wrote to memory of 1724	1440	a5367e305d1444426ecee4ee30bea88bb5b48fbce62266e70aec80932a27ba4eN.exe	82
PID 1440 wrote to memory of 1724	1440	a5367e305d1444426ecee4ee30bea88bb5b48fbce62266e70aec80932a27ba4eN.exe	82

C:\Users\Admin\AppData\Local\Temp\a5367e305d1444426ecee4ee30bea88bb5b48fbce62266e70aec80932a27ba4eN.exe
"C:\Users\Admin\AppData\Local\Temp\a5367e305d1444426ecee4ee30bea88bb5b48fbce62266e70aec80932a27ba4eN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
20KB

MD5
55a9c0e02a60b13f5c2f9b4c6c2dc376

SHA1
0c83a6cf9ebe1e8102e26ff7ab9be495001d55e4

SHA256
80ad6a8843e98471e77957d25b598c74edd017b4c2f9179ba2fac399e6646106

SHA512
dbf72bcce9e915e2d005a75b0c5c9145f4c9c010c1b6ac43bfaacacae6aecceccb36c2438fd57ef96eae82e86952a6fa65198d054eb8b1aafcb62dbe5c275dff

Download Submit
memory/1440-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1440-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download