1bf7b75a09054b120c44cee440fb27ed69c676c0020334c6675f8574dd6be924

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bf7b75a09054b120c44cee440fb27ed69c676c0020334c6675f8574dd6be924N.exe
Size

63KB
MD5

81533562eef4e06d92370eed47764380
SHA1

7789cbb2a6d0ef86f1d9ce6cd7699520bd9fd58f
SHA256

1bf7b75a09054b120c44cee440fb27ed69c676c0020334c6675f8574dd6be924
SHA512

1f3efab84378f8f00a6bd5935eb00ff8e66b0af4771e1258fc2f1a9e1e573b26ac25d905acc9f1a63b0b3b6dcd2d300f02aeafb2f04c37b2fa56ead502be9160
SSDEEP

768:Nnu40xqzEGPfpgwRlUmSlim61TKFlJVOZR6TIGjaPQfO:NnuupgKUmWdoKzrjy4O

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2696	budha.exe

Loads dropped DLL 2 IoCs

pid	Process
2424	1bf7b75a09054b120c44cee440fb27ed69c676c0020334c6675f8574dd6be924N.exe
2424	1bf7b75a09054b120c44cee440fb27ed69c676c0020334c6675f8574dd6be924N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bf7b75a09054b120c44cee440fb27ed69c676c0020334c6675f8574dd6be924N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2696	2424	1bf7b75a09054b120c44cee440fb27ed69c676c0020334c6675f8574dd6be924N.exe	30
PID 2424 wrote to memory of 2696	2424	1bf7b75a09054b120c44cee440fb27ed69c676c0020334c6675f8574dd6be924N.exe	30
PID 2424 wrote to memory of 2696	2424	1bf7b75a09054b120c44cee440fb27ed69c676c0020334c6675f8574dd6be924N.exe	30
PID 2424 wrote to memory of 2696	2424	1bf7b75a09054b120c44cee440fb27ed69c676c0020334c6675f8574dd6be924N.exe	30

C:\Users\Admin\AppData\Local\Temp\1bf7b75a09054b120c44cee440fb27ed69c676c0020334c6675f8574dd6be924N.exe
"C:\Users\Admin\AppData\Local\Temp\1bf7b75a09054b120c44cee440fb27ed69c676c0020334c6675f8574dd6be924N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
63KB

MD5
3b4bc66b95f8972ddf62ceebb1277fe7

SHA1
b37ede529e4009d9f0e3d38fbd9bfa20bb6f1022

SHA256
4c6d7ae4232ddd7a938a9b46e151eb3917a21f70a7fd8606752a07e104bee817

SHA512
fd8999812b79ec34d4c7511d90e7fc7159146dad10df0c511bc08b895070e3478ec0e6b812bf3ebe2ae8b80b41d025b5966538680e2e6889b87789d7efcb38ec

Download Submit