4aee9c6d2a335331df0f2f83db28d5962c21d6dbc2e52d4982d21540f5b86a6b

Analysis

max time kernel
96s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4aee9c6d2a335331df0f2f83db28d5962c21d6dbc2e52d4982d21540f5b86a6bN.exe
Size

6KB
MD5

ee5930bb9076e40cdd90c55627030230
SHA1

9ecb1f4ddaef9c4263d235dee484d4f69f653074
SHA256

4aee9c6d2a335331df0f2f83db28d5962c21d6dbc2e52d4982d21540f5b86a6b
SHA512

f74be7f062436c4cac3ea88c25ae7647ffb75442f4fbaeef789e666716075eebd5432cc156ff6d3f25b3afe95cdab45cae80f2fb935f8b0e5083ae7e52be21b7
SSDEEP

48:6uwMhQUAcp/pezm4JoXcA2hb/mumquIFyG1laAXJtyBSUVDlyCS7D1g+dfKoaxZJ:Kpclpea/Umq5o2ty4UxgCgS6YX

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	4aee9c6d2a335331df0f2f83db28d5962c21d6dbc2e52d4982d21540f5b86a6bN.exe

Executes dropped EXE 1 IoCs

pid	Process
3724	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	budha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4aee9c6d2a335331df0f2f83db28d5962c21d6dbc2e52d4982d21540f5b86a6bN.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 3724	1272	4aee9c6d2a335331df0f2f83db28d5962c21d6dbc2e52d4982d21540f5b86a6bN.exe	83
PID 1272 wrote to memory of 3724	1272	4aee9c6d2a335331df0f2f83db28d5962c21d6dbc2e52d4982d21540f5b86a6bN.exe	83
PID 1272 wrote to memory of 3724	1272	4aee9c6d2a335331df0f2f83db28d5962c21d6dbc2e52d4982d21540f5b86a6bN.exe	83

C:\Users\Admin\AppData\Local\Temp\4aee9c6d2a335331df0f2f83db28d5962c21d6dbc2e52d4982d21540f5b86a6bN.exe
"C:\Users\Admin\AppData\Local\Temp\4aee9c6d2a335331df0f2f83db28d5962c21d6dbc2e52d4982d21540f5b86a6bN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
6KB

MD5
aaa494d6a313ed0118e5adcc20a3be70

SHA1
241332c9a391637eb52f09300d8ea4e54a75d97f

SHA256
4cea2b12cdacda21e673abb5e5293821903fef31ffc4a68e06aa75e1cb4aafc5

SHA512
6bcc642905df61dcb98c86161e6a52ea53b65f1b832f5a23235f7765ca8cdc9f7e319d423ae8b192851c8cccf8d32784fc6186151ff18cc46968cd29bd90b48f

Download Submit