Analysis
-
max time kernel
120s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21/09/2024, 18:28 UTC
Behavioral task
behavioral1
Sample
80d55cd24979c59fdfaf5c05648a27c74b50ad9373f0a61450f005c71debdc59N.exe
Resource
win7-20240708-en
General
-
Target
80d55cd24979c59fdfaf5c05648a27c74b50ad9373f0a61450f005c71debdc59N.exe
-
Size
83KB
-
MD5
5b29129f78bd1926edfae104fe6ba2a0
-
SHA1
b9c850e885d5575655af30d8935983501317f23d
-
SHA256
80d55cd24979c59fdfaf5c05648a27c74b50ad9373f0a61450f005c71debdc59
-
SHA512
e9e357b395b5205f037fc7ffc9f04d43001a075a9a654c7bbfc29484d2f3a14085942a9b00092fc5470fee0ffdbe24fd5493a66074ae2aeabac0d72867972217
-
SSDEEP
1536:LJaPJpAz869DUxWB+i4OQ4NR2Kk+aSnfZaG8fcaOCzGquSE0cF+QK:LJ0TAz6Mte4A+aaZx8EnCGVuQ
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/4832-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x00080000000234fe-11.dat upx behavioral2/memory/4832-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-19-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80d55cd24979c59fdfaf5c05648a27c74b50ad9373f0a61450f005c71debdc59N.exe
Processes
Network
-
Remote address:8.8.8.8:53Request154.239.44.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestnexusrules.officeapps.live.comIN AResponsenexusrules.officeapps.live.comIN CNAMEprod.nexusrules.live.com.akadns.netprod.nexusrules.live.com.akadns.netIN A52.111.227.11
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestwecan.hasthe.technologyIN AResponsewecan.hasthe.technologyIN A172.67.183.40wecan.hasthe.technologyIN A104.21.59.199
-
POSThttp://wecan.hasthe.technology/upload80d55cd24979c59fdfaf5c05648a27c74b50ad9373f0a61450f005c71debdc59N.exeRemote address:172.67.183.40:80RequestPOST /upload HTTP/1.1
Host: wecan.hasthe.technology
Accept: */*
Content-Length: 85412
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------45e012efd7e3d8e2
ResponseHTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sat, 21 Sep 2024 19:29:36 GMT
Location: https://computernewb.com/collab-vm/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dfsZefQbLdmyPve6LLTfEIKrIWzpdFrBcY7D2ccvjjheLqDrCDs7APvSWNGhO1tE5BnoyXLSWm0h%2BX73BrB2YwlEIAywKQwtH5wP%2FUIxZN6x1eGjKKnpQm22hweSj98HiU96bpiJ4TJxcA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c6c1f245d1b9472-LHR
-
Remote address:8.8.8.8:53Request86.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request40.183.67.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request217.135.221.88.in-addr.arpaIN PTRResponse217.135.221.88.in-addr.arpaIN PTRa88-221-135-217deploystaticakamaitechnologiescom
-
POSThttp://wecan.hasthe.technology/upload80d55cd24979c59fdfaf5c05648a27c74b50ad9373f0a61450f005c71debdc59N.exeRemote address:172.67.183.40:80RequestPOST /upload HTTP/1.1
Host: wecan.hasthe.technology
Accept: */*
Content-Length: 85412
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------7f5e7fc83099e26b
ResponseHTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sat, 21 Sep 2024 19:30:06 GMT
Location: https://computernewb.com/collab-vm/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y6enJM9AKAYfRNF2PYeSnSGPTvlYa9IPkOU2c0khJ%2FrwL4JcMsFxX66%2FusSSWJpYYBRk4YbmzhiDF%2Fn%2FzTXXHEdGdCoMxyg4WiGkNCBjb2ikQ76N4AKNsIflGsulb9bDf7VGkQUyI%2BTLow%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c6c1fe12b1560f9-LHR
-
Remote address:8.8.8.8:53Request25.140.123.92.in-addr.arpaIN PTRResponse25.140.123.92.in-addr.arpaIN PTRa92-123-140-25deploystaticakamaitechnologiescom
-
POSThttp://wecan.hasthe.technology/upload80d55cd24979c59fdfaf5c05648a27c74b50ad9373f0a61450f005c71debdc59N.exeRemote address:172.67.183.40:80RequestPOST /upload HTTP/1.1
Host: wecan.hasthe.technology
Accept: */*
Content-Length: 85412
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------e00caf320f3fdfe1
ResponseHTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sat, 21 Sep 2024 19:30:36 GMT
Location: https://computernewb.com/collab-vm/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A0EhhgctdAJbpbmmmqPYrq%2FjfZspz6R9sx%2FDB598HzvfPncAw76ZZ9uxdYWsUjvRzkjAibacJ%2Fpa5iKH%2BUNOdlFJGdAjuni8MKRzDkzVaWRRvLKPVmT%2FQV%2BIWwB9GzZp9FJFs5k8NVl1wA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c6c209de93d7756-LHR
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request11.227.111.52.in-addr.arpaIN PTRResponse
-
172.67.183.40:80http://wecan.hasthe.technology/uploadhttp80d55cd24979c59fdfaf5c05648a27c74b50ad9373f0a61450f005c71debdc59N.exe88.5kB 2.1kB 71 32
HTTP Request
POST http://wecan.hasthe.technology/uploadHTTP Response
301 -
172.67.183.40:80http://wecan.hasthe.technology/uploadhttp80d55cd24979c59fdfaf5c05648a27c74b50ad9373f0a61450f005c71debdc59N.exe88.5kB 2.1kB 71 30
HTTP Request
POST http://wecan.hasthe.technology/uploadHTTP Response
301 -
172.67.183.40:80http://wecan.hasthe.technology/uploadhttp80d55cd24979c59fdfaf5c05648a27c74b50ad9373f0a61450f005c71debdc59N.exe88.5kB 2.3kB 71 36
HTTP Request
POST http://wecan.hasthe.technology/uploadHTTP Response
301
-
148 B 299 B 2 2
DNS Request
154.239.44.20.in-addr.arpa
DNS Request
nexusrules.officeapps.live.com
DNS Response
52.111.227.11
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.150.49.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
217.106.137.52.in-addr.arpa
-
8.8.8.8:53wecan.hasthe.technologydns80d55cd24979c59fdfaf5c05648a27c74b50ad9373f0a61450f005c71debdc59N.exe69 B 101 B 1 1
DNS Request
wecan.hasthe.technology
DNS Response
172.67.183.40104.21.59.199
-
70 B 144 B 1 1
DNS Request
86.23.85.13.in-addr.arpa
-
72 B 134 B 1 1
DNS Request
40.183.67.172.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
217.135.221.88.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
25.140.123.92.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
11.227.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
83KB
MD5ac91de7437a4477dd4e5ae5a822402ed
SHA191b355d53858f96f5c63f4be9d7b99909404fefd
SHA2565f00db62cdd65d7ae5c5b1c6ad6b88d267bd9e816fad366cfe3e43a68edaf08d
SHA51291236e4cd53f7f20c8898ebfdea4a511c41b94748804fcb94774a66bfcc375d9ed4aec28cc18594e65ac4d8503855b6baf09d15c6308d46e21f553cc4d170074