Analysis

  • max time kernel
    110s
  • max time network
    92s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-09-2024 06:48

General

  • Target

    d46479afa539214cc3210743d6c36c8ff6b301a9f777722240987aa95f3b0baeN.exe

  • Size

    83KB

  • MD5

    8ed803d3236e51db4ed193fc17c127e0

  • SHA1

    faa1ece1467a351231def1e37802801fdcf473b0

  • SHA256

    d46479afa539214cc3210743d6c36c8ff6b301a9f777722240987aa95f3b0bae

  • SHA512

    f58a4485077525f2279b662ef29c5c1f693e93e3cd009629d3e4c62fcc3677d112dcf5b964720ed0eec878731fe6843137f5c1c0e7c3f2cf4f4c24d5b44b9aaf

  • SSDEEP

    1536:LJaPJpAz869DUxWB+i4OQ4NR2Kk+aSnfZaG8fcaOCzGquSE0cF+PK:LJ0TAz6Mte4A+aaZx8EnCGVuP

Score
7/10

Malware Config

Signatures

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d46479afa539214cc3210743d6c36c8ff6b301a9f777722240987aa95f3b0baeN.exe
    "C:\Users\Admin\AppData\Local\Temp\d46479afa539214cc3210743d6c36c8ff6b301a9f777722240987aa95f3b0baeN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2584

Network

  • flag-us
    DNS
    wecan.hasthe.technology
    d46479afa539214cc3210743d6c36c8ff6b301a9f777722240987aa95f3b0baeN.exe
    Remote address:
    8.8.8.8:53
    Request
    wecan.hasthe.technology
    IN A
    Response
    wecan.hasthe.technology
    IN A
    172.67.183.40
    wecan.hasthe.technology
    IN A
    104.21.59.199
  • flag-us
    POST
    http://wecan.hasthe.technology/upload
    d46479afa539214cc3210743d6c36c8ff6b301a9f777722240987aa95f3b0baeN.exe
    Remote address:
    172.67.183.40:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85412
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------b894543854e7433c
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Thu, 19 Sep 2024 06:48:53 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Thu, 19 Sep 2024 07:48:53 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1gIs0CN9pE0EajsO9A7EAL%2F7Y0htaA9ao8YrnJCw%2F2iCbrPiueCmhcZfV7hCi%2FOOP8hxJzOHLq3M7lQAd0fsToILuPzrQr8qAh4Mo6kqlgJvl1d3sGst%2BCheVyh1HGIdAAEm2YRLFJW1KA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c57a1f7cdbecd6f-LHR
  • flag-us
    POST
    http://wecan.hasthe.technology/upload
    d46479afa539214cc3210743d6c36c8ff6b301a9f777722240987aa95f3b0baeN.exe
    Remote address:
    172.67.183.40:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85412
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------d33273d0df3d7adb
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Thu, 19 Sep 2024 06:49:24 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Thu, 19 Sep 2024 07:49:24 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qm%2BKEqpe3r0NOwayMNAm2XwK7fBFsF9KS7xI0lXXWAtyO7LkK%2FaYQi6HeRC5jvwZbSt6xN5BPlFDFgsXfkQJlaaFZB3Ys%2FUZA7jUMEFD5vzrnW%2F6RtUUAPPgcKtidCzpxcwOHjIailVjWA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c57a2b53cb5948e-LHR
  • flag-us
    POST
    http://wecan.hasthe.technology/upload
    d46479afa539214cc3210743d6c36c8ff6b301a9f777722240987aa95f3b0baeN.exe
    Remote address:
    172.67.183.40:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85412
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------ca007d325883faef
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Thu, 19 Sep 2024 06:49:54 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Thu, 19 Sep 2024 07:49:54 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CVWT7w1D2WFpNv4rkssPMR6J8QViGloImrpU%2B%2FAI81ny8%2BSP%2BfgdpeH6UUuNeon6cdFx3l2pBETEHfRfCTaAh0nkjGEkY4pgd9%2FvCFXFYNS49ZhR900tZfPvHjfR9mCLbYoIBuEQLdjS9g%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c57a3728adb77b7-LHR
  • 172.67.183.40:80
    http://wecan.hasthe.technology/upload
    http
    d46479afa539214cc3210743d6c36c8ff6b301a9f777722240987aa95f3b0baeN.exe
    88.6kB
    2.3kB
    74
    36

    HTTP Request

    POST http://wecan.hasthe.technology/upload

    HTTP Response

    301
  • 172.67.183.40:80
    http://wecan.hasthe.technology/upload
    http
    d46479afa539214cc3210743d6c36c8ff6b301a9f777722240987aa95f3b0baeN.exe
    88.6kB
    2.4kB
    74
    38

    HTTP Request

    POST http://wecan.hasthe.technology/upload

    HTTP Response

    301
  • 172.67.183.40:80
    http://wecan.hasthe.technology/upload
    http
    d46479afa539214cc3210743d6c36c8ff6b301a9f777722240987aa95f3b0baeN.exe
    88.6kB
    2.4kB
    74
    38

    HTTP Request

    POST http://wecan.hasthe.technology/upload

    HTTP Response

    301
  • 8.8.8.8:53
    wecan.hasthe.technology
    dns
    d46479afa539214cc3210743d6c36c8ff6b301a9f777722240987aa95f3b0baeN.exe
    69 B
    101 B
    1
    1

    DNS Request

    wecan.hasthe.technology

    DNS Response

    172.67.183.40
    104.21.59.199

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\rifaien2-qivallkN2sxUgHeN.exe

    Filesize

    83KB

    MD5

    69a2588d2e5843649b2d79ff47b32e25

    SHA1

    3cb38bdea5f070602e1d1c549b001cfdffba435a

    SHA256

    45a8158053f109de8edd4cf8f91bb05618c3d00ab98d0a33b274be2b15377ead

    SHA512

    d7255457e643373a491ae3f86536454f497685950223442b8c3b64243cc1660dca373f61cef0c9c681968de418545842c6bef5ba68ffc82177e5a6f9aca28e91

  • memory/2584-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2584-1-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2584-6-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2584-14-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2584-22-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB
