Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 21:23
Static task
static1
Behavioral task
behavioral1
Sample
3b372c78b04c028fd4670e649ca2e13469f768d080a707cc5f84a86f6d9627ef.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
3b372c78b04c028fd4670e649ca2e13469f768d080a707cc5f84a86f6d9627ef.exe
Resource
win10v2004-20241007-en
General
-
Target
3b372c78b04c028fd4670e649ca2e13469f768d080a707cc5f84a86f6d9627ef.exe
-
Size
25KB
-
MD5
38834e8f14f4354dfb89ebfd0c3e4746
-
SHA1
91920f807836ff758bb60372e80623872510184b
-
SHA256
3b372c78b04c028fd4670e649ca2e13469f768d080a707cc5f84a86f6d9627ef
-
SHA512
b950aaac112e4b7eecc0625ec46f3ae4414db1322ea325a5cc713b9fce3f3d421c01671fffab2fdbcb40392ff54b21df40d7590a8cbcaa6de05b75074ff31ef4
-
SSDEEP
384:PeaIKMHpvxkRuviPuv8eaV8pRMzgBKrcS5Ypc8N/K4lN:PepHpvCRuviPuvvaVeRMFhMN/LlN
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation 3b372c78b04c028fd4670e649ca2e13469f768d080a707cc5f84a86f6d9627ef.exe -
Executes dropped EXE 1 IoCs
pid Process 4716 budha.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3b372c78b04c028fd4670e649ca2e13469f768d080a707cc5f84a86f6d9627ef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language budha.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5012 wrote to memory of 4716 5012 3b372c78b04c028fd4670e649ca2e13469f768d080a707cc5f84a86f6d9627ef.exe 86 PID 5012 wrote to memory of 4716 5012 3b372c78b04c028fd4670e649ca2e13469f768d080a707cc5f84a86f6d9627ef.exe 86 PID 5012 wrote to memory of 4716 5012 3b372c78b04c028fd4670e649ca2e13469f768d080a707cc5f84a86f6d9627ef.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b372c78b04c028fd4670e649ca2e13469f768d080a707cc5f84a86f6d9627ef.exe"C:\Users\Admin\AppData\Local\Temp\3b372c78b04c028fd4670e649ca2e13469f768d080a707cc5f84a86f6d9627ef.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Users\Admin\AppData\Local\Temp\budha.exe"C:\Users\Admin\AppData\Local\Temp\budha.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4716
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
25KB
MD5114e2580d6949d8cb2cf634c589383c3
SHA1d227d2f36f9d0f5b3039a67671d6d962515af2c0
SHA2563774cc7e64b1e80f2e22527b0c0e40063a4724dba5592aacf0797d3c6ace4a92
SHA512b56cf7842ff7a79f5f2d5bc316226a853fb268e70c7f7877c9e7277ffe87619cd381fb3931b7ccea9723eff5affa299cddf82528cdc060816c475b89cd790d12