Analysis

  • max time kernel
    110s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/09/2024, 08:54 UTC

General

  • Target

    7e9f1d0cb782fc43dd120a0f52bb61a0N.exe

  • Size

    83KB

  • MD5

    7e9f1d0cb782fc43dd120a0f52bb61a0

  • SHA1

    2a1d7a87bb026822a02ab79a0292cb41d565dda8

  • SHA256

    8726f323fc53309faef66f2d0245f0c9c1e4eb2e9c0533c16b4961a565c867fe

  • SHA512

    815afa44089ccb53f9d9b11d7e4be00b7abde2c9b5fcb8b635ced35acb0e905ff4eef114505b4a0510b6699d9a11e7772fd68ebe55157e5e2bf89deefe9f8848

  • SSDEEP

    1536:LJaPJpAz869DUxWB+i4OQ4NR2Kk+aSnfZaG8fcaOCzGquSE0cF+5K:LJ0TAz6Mte4A+aaZx8EnCGVu5

Score
7/10

Malware Config

Signatures

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e9f1d0cb782fc43dd120a0f52bb61a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\7e9f1d0cb782fc43dd120a0f52bb61a0N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4296

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    2.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    wecan.hasthe.technology
    7e9f1d0cb782fc43dd120a0f52bb61a0N.exe
    Remote address:
    8.8.8.8:53
    Request
    wecan.hasthe.technology
    IN A
    Response
    wecan.hasthe.technology
    IN A
    172.67.183.40
    wecan.hasthe.technology
    IN A
    104.21.59.199
  • flag-us
    DNS
    wecan.hasthe.technology
    7e9f1d0cb782fc43dd120a0f52bb61a0N.exe
    Remote address:
    8.8.8.8:53
    Request
    wecan.hasthe.technology
    IN A
  • flag-us
    DNS
    wecan.hasthe.technology
    7e9f1d0cb782fc43dd120a0f52bb61a0N.exe
    Remote address:
    8.8.8.8:53
    Request
    wecan.hasthe.technology
    IN A
  • flag-us
    DNS
    wecan.hasthe.technology
    7e9f1d0cb782fc43dd120a0f52bb61a0N.exe
    Remote address:
    8.8.8.8:53
    Request
    wecan.hasthe.technology
    IN A
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    POST
    http://wecan.hasthe.technology/upload
    7e9f1d0cb782fc43dd120a0f52bb61a0N.exe
    Remote address:
    172.67.183.40:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85412
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------00d87f7f43bb4b71
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sun, 15 Sep 2024 08:55:22 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Sun, 15 Sep 2024 09:55:22 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O1AM54fFsoJYjRwiaOk4CjpTO6%2FbLSBWKc6tQSXq2vAGIqPodgAgJDn%2FfCw7ILXcEvmY%2F0YsIvMMXpmagkEFt%2BdylYrPHNB1xSYZMLyEHwTOboOdLZVpG%2FQM9ZwhlPtNpIQ1Ok4SLUrCRQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c3765ba2ee8946f-LHR
  • flag-us
    DNS
    40.183.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    40.183.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    POST
    http://wecan.hasthe.technology/upload
    7e9f1d0cb782fc43dd120a0f52bb61a0N.exe
    Remote address:
    172.67.183.40:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85412
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------5f16be255c317a65
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sun, 15 Sep 2024 08:55:52 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Sun, 15 Sep 2024 09:55:52 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pHwaZGaYfUt6W9RiY6Op%2F04ryF7TUYtcs6LbLWxdKxUFmPdTKUphVZD5NuyD81K7kIbE1pEg3L%2Fao0ecc8ymcJLvFE0AEPFMLSvYVSJTJNafVRKyKdxhixMmIKneNHDFFkKKNeTqzRfKZQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c376676bceb776e-LHR
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    POST
    http://wecan.hasthe.technology/upload
    7e9f1d0cb782fc43dd120a0f52bb61a0N.exe
    Remote address:
    172.67.183.40:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85412
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------5284244f609779e6
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sun, 15 Sep 2024 08:56:22 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Sun, 15 Sep 2024 09:56:22 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZlgGysZQv7DZJGK0VgdWufi9dC1HZIyzd%2FofYx01FddeD%2F%2Bl%2FrJx12mcjOwB%2FG%2Bxp%2FW3rzIfIqvBJhTMelwTEopeTm3p24dK1idrRisaWdi1eTzYNIMKpHzTIJnl3vnNZoPuqdkZge5PrQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c3767337cd86382-LHR
  • 172.67.183.40:80
    http://wecan.hasthe.technology/upload
    http
    7e9f1d0cb782fc43dd120a0f52bb61a0N.exe
    88.8kB
    2.3kB
    73
    36

    HTTP Request

    POST http://wecan.hasthe.technology/upload

    HTTP Response

    301
  • 172.67.183.40:80
    http://wecan.hasthe.technology/upload
    http
    7e9f1d0cb782fc43dd120a0f52bb61a0N.exe
    88.5kB
    2.3kB
    71
    37

    HTTP Request

    POST http://wecan.hasthe.technology/upload

    HTTP Response

    301
  • 172.67.183.40:80
    http://wecan.hasthe.technology/upload
    http
    7e9f1d0cb782fc43dd120a0f52bb61a0N.exe
    88.5kB
    2.1kB
    71
    32

    HTTP Request

    POST http://wecan.hasthe.technology/upload

    HTTP Response

    301
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    2.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    wecan.hasthe.technology
    dns
    7e9f1d0cb782fc43dd120a0f52bb61a0N.exe
    276 B
    101 B
    4
    1

    DNS Request

    wecan.hasthe.technology

    DNS Request

    wecan.hasthe.technology

    DNS Request

    wecan.hasthe.technology

    DNS Request

    wecan.hasthe.technology

    DNS Response

    172.67.183.40
    104.21.59.199

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    40.183.67.172.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    40.183.67.172.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\rifaien2-YkOwTfS0DAVJdDy8.exe

    Filesize

    83KB

    MD5

    42bb83a839a448ce8e3b7706b4b0b19f

    SHA1

    e425cb0c4b4f1a1e1579ef36529dd420d6e8f95b

    SHA256

    797cbebabe13f6d83da20c59d9d183bfac2ca6843ccdb839c9d81a07e4cd9219

    SHA512

    30f24c531d28eead433ba806d465bda782a5c674a10e1fd338816be4353a761cd89c551c5abfb2ef3ef0f673407fe8044f779d298d518ddeb56ea5e66e9963b4

  • memory/4296-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4296-2-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4296-5-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4296-9-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4296-16-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4296-23-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB
