48ed3e2f3b371b9518f80ca424e97fe37becb83e1b80ff4136129de5136015bf

Analysis

max time kernel
120s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48ed3e2f3b371b9518f80ca424e97fe37becb83e1b80ff4136129de5136015bfN.exe
Size

41KB
MD5

9a541407d653e19e5058b01bd47cbad0
SHA1

9d38765e68b5ad4a9d6a5e56a21975adbae36447
SHA256

48ed3e2f3b371b9518f80ca424e97fe37becb83e1b80ff4136129de5136015bf
SHA512

c4262c9ea2c8919fb5b38f2f4f111298c4bb208d66b293655e5dc21d11d4c334fe8e3c26a22c8b1c82a2b92bea3d7596d481254c8078a718abb251715fcf7327
SSDEEP

768:y2cKhY94XKj9wGzfcgtgAvH2bEzPfi+pbWYF9:xcKhY9aMdj28flI49

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	48ed3e2f3b371b9518f80ca424e97fe37becb83e1b80ff4136129de5136015bfN.exe

Executes dropped EXE 1 IoCs

pid	Process
5020	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48ed3e2f3b371b9518f80ca424e97fe37becb83e1b80ff4136129de5136015bfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	budha.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 5020	1268	48ed3e2f3b371b9518f80ca424e97fe37becb83e1b80ff4136129de5136015bfN.exe	82
PID 1268 wrote to memory of 5020	1268	48ed3e2f3b371b9518f80ca424e97fe37becb83e1b80ff4136129de5136015bfN.exe	82
PID 1268 wrote to memory of 5020	1268	48ed3e2f3b371b9518f80ca424e97fe37becb83e1b80ff4136129de5136015bfN.exe	82

C:\Users\Admin\AppData\Local\Temp\48ed3e2f3b371b9518f80ca424e97fe37becb83e1b80ff4136129de5136015bfN.exe
"C:\Users\Admin\AppData\Local\Temp\48ed3e2f3b371b9518f80ca424e97fe37becb83e1b80ff4136129de5136015bfN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
41KB

MD5
9cb829992fa78d13215715ae5267c708

SHA1
53c4ce01b9f5e2d9463326ada2a3ee67c499982c

SHA256
aa412ae1eb09f64b1b202d1bcbb53367fd13947b7d1b9316e198b55a6b4be346

SHA512
5b5e65da4e03277f4c014ba6dc13b03ce11cc36b5f8075e4351853ab81a2509efe0a921611fd5f3aa417d845cd5282cc8e763d25f58c92a8e10366c649557475

Download Submit
memory/1268-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1268-1-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/1268-2-0x0000000002150000-0x0000000002157000-memory.dmp

Filesize
28KB

Download
memory/1268-11-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5020-12-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/5020-13-0x0000000001EC0000-0x0000000001EC7000-memory.dmp

Filesize
28KB

Download
memory/5020-14-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5020-16-0x0000000001EC0000-0x0000000001EC7000-memory.dmp

Filesize
28KB

Download