Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 20:58
Static task: static1
Behavioral task: behavioral1
  Sample: ddf6e37745b7ffa8473508d7b9466957aa24c5f5b98c3a144dda62419bdda738N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: ddf6e37745b7ffa8473508d7b9466957aa24c5f5b98c3a144dda62419bdda738N.exe
  Resource: win10v2004-20241007-en
General
Target: ddf6e37745b7ffa8473508d7b9466957aa24c5f5b98c3a144dda62419bdda738N.exe
Size: 28KB
MD5: d84d2dbcb23e69ea33def2643cc7b3d0
SHA1: 0e6797e9de2757bcaa76fc05eed9706e10270758
SHA256: ddf6e37745b7ffa8473508d7b9466957aa24c5f5b98c3a144dda62419bdda738
SHA512: bdc2b51fdbc7ff7dd09b13705d3f6443fa5f50b39392b413cf17a50dead82f779cf3d5ac34614fa10d5227bfc8d6dc8a8a86197bde5058196ef32cf58984aa81
SSDEEP: 384:K+m0y4DXFpOQGR9zos2clAKLHRN74u56/R9zZwu99MGRd:Kh0bXOQ69zbjlAAX5e9zjMg
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  1768  budha.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1504  ddf6e37745b7ffa8473508d7b9466957aa24c5f5b98c3a144dda62419bdda738N.exe
  1504  ddf6e37745b7ffa8473508d7b9466957aa24c5f5b98c3a144dda62419bdda738N.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ddf6e37745b7ffa8473508d7b9466957aa24c5f5b98c3a144dda62419bdda738N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  budha.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                                                                  procid_target
  PID 1504 wrote to memory of 1768   1504  ddf6e37745b7ffa8473508d7b9466957aa24c5f5b98c3a144dda62419bdda738N.exe  30
  PID 1504 wrote to memory of 1768   1504  ddf6e37745b7ffa8473508d7b9466957aa24c5f5b98c3a144dda62419bdda738N.exe  30
  PID 1504 wrote to memory of 1768   1504  ddf6e37745b7ffa8473508d7b9466957aa24c5f5b98c3a144dda62419bdda738N.exe  30
  PID 1504 wrote to memory of 1768   1504  ddf6e37745b7ffa8473508d7b9466957aa24c5f5b98c3a144dda62419bdda738N.exe  30
Processes
C:\Users\Admin\AppData\Local\Temp\ddf6e37745b7ffa8473508d7b9466957aa24c5f5b98c3a144dda62419bdda738N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ddf6e37745b7ffa8473508d7b9466957aa24c5f5b98c3a144dda62419bdda738N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1504
  Child process:
  C:\Users\Admin\AppData\Local\Temp\budha.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\budha.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 1768
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 29KB
MD5: 826af272563d531cb4e36c55db12bb78
SHA1: d7901337094aed513ec418c3e27ab5c712bd35a9
SHA256: 71a4c390f775d5b5c6a2b9fb5dc960d28533a6275cf34d66406cc36c5effab87
SHA512: d94459f33edb317b95065ae9ba4527a8e5bba8dbf8303df242a97ecb0b2077848c41a372a4926dccf349a776c2bdc1b4a3bb6d630b9d9567ca4a111db09395db