Analysis

  • max time kernel
    120s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/09/2024, 18:28 UTC

General

  • Target

    80d55cd24979c59fdfaf5c05648a27c74b50ad9373f0a61450f005c71debdc59N.exe

  • Size

    83KB

  • MD5

    5b29129f78bd1926edfae104fe6ba2a0

  • SHA1

    b9c850e885d5575655af30d8935983501317f23d

  • SHA256

    80d55cd24979c59fdfaf5c05648a27c74b50ad9373f0a61450f005c71debdc59

  • SHA512

    e9e357b395b5205f037fc7ffc9f04d43001a075a9a654c7bbfc29484d2f3a14085942a9b00092fc5470fee0ffdbe24fd5493a66074ae2aeabac0d72867972217

  • SSDEEP

    1536:LJaPJpAz869DUxWB+i4OQ4NR2Kk+aSnfZaG8fcaOCzGquSE0cF+QK:LJ0TAz6Mte4A+aaZx8EnCGVuQ

Score
7/10

Malware Config

Signatures

  • UPX packed file (7 IoCs)

    Detects executables packed with UPX or a modified build of the open-source UPX packer. Consistent with that verdict, the 83KB file on disk maps to a 168KB image (0x400000-0x42A000) in PID 4832, the region dumped six times under Downloads: a packed binary unpacks itself in memory, so static analysis of the on-disk file sees the decompression stub rather than the payload, and the memory dumps are the place to look for the real code.

  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location; this check is commonly used to skip execution on hosts in locales the operator wants to avoid.
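As an added example, not part of the sandbox report and not the sandbox's own detection logic, the following dependency-free PE section-table walk checks the indicators that stand behind a "UPX packed file" verdict: UPX-named sections, a first section with no raw data (the unpack target), an entry point outside that first section (the stub lives in the last code section), and the "UPX!" pack-header magic that follows the section table. The PE bytes it runs on are constructed in build_sample(); only SizeOfImage (0x2A000, the 168KB of the dumps above) and the three-section shape are modelled on the report, since the real file's section layout is not on this page.

```python
import struct

# Layout constants from the PE/COFF specification.
COFF_HEADER_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
ENTRYPOINT_OFFSET = 16                # AddressOfEntryPoint within the optional header
SIZEOFIMAGE_OFFSET = 56               # SizeOfImage, same offset in PE32 and PE32+


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> NT signature -> COFF -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_HEADER_FMT)
    entry = struct.unpack_from("<I", data, opt_off + ENTRYPOINT_OFFSET)[0]
    size_of_image = struct.unpack_from("<I", data, opt_off + SIZEOFIMAGE_OFFSET)[0]
    sections, off = [], opt_off + opt_size
    for _ in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER_FMT, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_pointer": rawptr, "characteristics": chars})
        off += struct.calcsize(SECTION_HEADER_FMT)
    return {"entry_point": entry, "size_of_image": size_of_image,
            "sections": sections, "headers_end": off}


def upx_indicators(data: bytes) -> dict:
    """Collect the reasons a file looks UPX-packed. Section names are the weakest
    signal (a modified UPX can rename them); the empty first section, the entry
    point outside it and the 'UPX!' pack-header magic survive most renames."""
    pe = parse_pe(data)
    secs, reasons = pe["sections"], []
    named = [s["name"] for s in secs if s["name"].startswith("UPX")]
    if named:
        reasons.append("UPX-named sections: " + ", ".join(named))
    first = secs[0] if secs else None
    if first and first["raw_size"] == 0 and first["virtual_size"] > 0:
        reasons.append(f"first section {first['name']} has 0 raw bytes but "
                       f"{first['virtual_size']:#x} virtual bytes (unpack target)")
    ep = pe["entry_point"]
    ep_sec = next((s for s in secs
                   if s["virtual_address"] <= ep < s["virtual_address"] + s["virtual_size"]), None)
    if first and ep_sec is not None and ep_sec is not first:
        reasons.append(f"entry point {ep:#x} lies in {ep_sec['name']}, not the first section")
    if b"UPX!" in data[pe["headers_end"]:pe["headers_end"] + 0x200]:
        reasons.append("'UPX!' pack-header magic follows the section table")
    return {"is_upx": bool(reasons), "reasons": reasons,
            "size_of_image": pe["size_of_image"], "entry_point": ep}


def unpack_expansion(on_disk_bytes: int, size_of_image: int) -> float:
    """Ratio of mapped image to file size; a packed file maps to far more than it holds."""
    return size_of_image / on_disk_bytes


def build_sample(packed: bool = True) -> bytes:
    """Constructed, header-only PE32 for the demo. It is NOT the analysed sample; only
    SizeOfImage (0x2A000, the 168KB of the dumps above) and the three-section shape
    are modelled on the report. packed=False yields a conventional .text/.rdata/.rsrc layout."""
    def sec(name, vsize, vaddr, raw, rawptr, chars):
        return struct.pack(SECTION_HEADER_FMT, name, vsize, vaddr, raw, rawptr, 0, 0, 0, 0, chars)

    if packed:   # UPX0: empty on disk, filled by the stub; UPX1: compressed payload + stub
        table = (sec(b"UPX0", 0x1B000, 0x1000, 0, 0x400, 0xE0000080)
                 + sec(b"UPX1", 0xD000, 0x1C000, 0x14200, 0x400, 0xE0000040)
                 + sec(b".rsrc", 0x1000, 0x29000, 0x400, 0x14600, 0xC0000040))
        entry, marker = 0x28F20, b"UPX!"
    else:
        table = (sec(b".text", 0x1B000, 0x1000, 0x1B000, 0x400, 0x60000020)
                 + sec(b".rdata", 0xD000, 0x1C000, 0xD000, 0x1B400, 0x40000040)
                 + sec(b".rsrc", 0x1000, 0x29000, 0x400, 0x28400, 0x40000040))
        entry, marker = 0x1200, b""
    opt = bytearray(224)                       # PE32 optional header incl. 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, ENTRYPOINT_OFFSET, entry)
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase, matching the dump range
    struct.pack_into("<I", opt, 32, 0x1000)    # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)     # FileAlignment
    struct.pack_into("<I", opt, SIZEOFIMAGE_OFFSET, 0x2A000)
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, 3, 0, 0, 0, len(opt), 0x102)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + table + marker
    return hdr + b"\0" * (0x400 - len(hdr))


if __name__ == "__main__":
    for packed in (True, False):
        r = upx_indicators(build_sample(packed))
        print(f"packed={packed}: is_upx={r['is_upx']} SizeOfImage={r['size_of_image']:#x}")
        for reason in r["reasons"]:
            print("  -", reason)
    print(f"image/file expansion for 83KB -> 0x2A000: {unpack_expansion(83 * 1024, 0x2A000):.2f}x")
```

Run against a real file, the same parse_pe() output also tells you how much the mapped image will exceed the file (here roughly 2x for 83KB on disk against 0x2A000 in memory), which is the size to expect when carving the unpacked payload out of the dumps listed under Downloads.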

Processes

  • #1  C:\Users\Admin\AppData\Local\Temp\80d55cd24979c59fdfaf5c05648a27c74b50ad9373f0a61450f005c71debdc59N.exe  (PID 4832)
    Command line: "C:\Users\Admin\AppData\Local\Temp\80d55cd24979c59fdfaf5c05648a27c74b50ad9373f0a61450f005c71debdc59N.exe"
    Signatures hit: System Location Discovery: System Language Discovery

Network

Exchanges in capture order. The remote for every DNS query is 8.8.8.8:53 and for every HTTP request 172.67.183.40:80; the page marks both with a US flag. Only the wecan.hasthe.technology lookup and the three POSTs are attributed to the sample process (80d55cd24979c59fdfaf5c05648a27c74b50ad9373f0a61450f005c71debdc59N.exe); the remaining lookups carry no process attribution in the report.

  • DNS  154.239.44.20.in-addr.arpa  IN PTR
    Response: none
  • DNS  nexusrules.officeapps.live.com  IN A  (a Microsoft Office endpoint)
    Response: nexusrules.officeapps.live.com IN CNAME prod.nexusrules.live.com.akadns.net
              prod.nexusrules.live.com.akadns.net IN A 52.111.227.11
  • DNS  172.210.232.199.in-addr.arpa  IN PTR
    Response: none
  • DNS  241.150.49.20.in-addr.arpa  IN PTR
    Response: none
  • DNS  95.221.229.192.in-addr.arpa  IN PTR
    Response: none
  • DNS  217.106.137.52.in-addr.arpa  IN PTR
    Response: none
  • DNS  wecan.hasthe.technology  IN A   [process: sample, PID 4832]
    Response: wecan.hasthe.technology IN A 172.67.183.40
              wecan.hasthe.technology IN A 104.21.59.199
  • HTTP  POST http://wecan.hasthe.technology/upload  (first)   [process: sample, PID 4832]
    Request:
      POST /upload HTTP/1.1
      Host: wecan.hasthe.technology
      Accept: */*
      Content-Length: 85412
      Expect: 100-continue
      Content-Type: multipart/form-data; boundary=------------------------45e012efd7e3d8e2
    Response:
      HTTP/1.1 301 Moved Permanently
      Date: Sat, 21 Sep 2024 18:29:36 GMT
      Content-Type: text/html
      Content-Length: 167
      Connection: keep-alive
      Cache-Control: max-age=3600
      Expires: Sat, 21 Sep 2024 19:29:36 GMT
      Location: https://computernewb.com/collab-vm/
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dfsZefQbLdmyPve6LLTfEIKrIWzpdFrBcY7D2ccvjjheLqDrCDs7APvSWNGhO1tE5BnoyXLSWm0h%2BX73BrB2YwlEIAywKQwtH5wP%2FUIxZN6x1eGjKKnpQm22hweSj98HiU96bpiJ4TJxcA%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8c6c1f245d1b9472-LHR
  • DNS  86.23.85.13.in-addr.arpa  IN PTR
    Response: none
  • DNS  40.183.67.172.in-addr.arpa  IN PTR
    Response: none
  • DNS  198.187.3.20.in-addr.arpa  IN PTR
    Response: none
  • DNS  217.135.221.88.in-addr.arpa  IN PTR
    Response: 217.135.221.88.in-addr.arpa IN PTR a88-221-135-217.deploy.static.akamaitechnologies.com
  • HTTP  POST http://wecan.hasthe.technology/upload  (second)   [process: sample, PID 4832]
    Request and response headers identical to the first POST except:
      Content-Type: multipart/form-data; boundary=------------------------7f5e7fc83099e26b
      Date: Sat, 21 Sep 2024 18:30:06 GMT
      Expires: Sat, 21 Sep 2024 19:30:06 GMT
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y6enJM9AKAYfRNF2PYeSnSGPTvlYa9IPkOU2c0khJ%2FrwL4JcMsFxX66%2FusSSWJpYYBRk4YbmzhiDF%2Fn%2FzTXXHEdGdCoMxyg4WiGkNCBjb2ikQ76N4AKNsIflGsulb9bDf7VGkQUyI%2BTLow%3D%3D"}],"group":"cf-nel","max_age":604800}
      CF-RAY: 8c6c1fe12b1560f9-LHR
  • DNS  25.140.123.92.in-addr.arpa  IN PTR
    Response: 25.140.123.92.in-addr.arpa IN PTR a92-123-140-25.deploy.static.akamaitechnologies.com
  • HTTP  POST http://wecan.hasthe.technology/upload  (third)   [process: sample, PID 4832]
    Request and response headers identical to the first POST except:
      Content-Type: multipart/form-data; boundary=------------------------e00caf320f3fdfe1
      Date: Sat, 21 Sep 2024 18:30:36 GMT
      Expires: Sat, 21 Sep 2024 19:30:36 GMT
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A0EhhgctdAJbpbmmmqPYrq%2FjfZspz6R9sx%2FDB598HzvfPncAw76ZZ9uxdYWsUjvRzkjAibacJ%2Fpa5iKH%2BUNOdlFJGdAjuni8MKRzDkzVaWRRvLKPVmT%2FQV%2BIWwB9GzZp9FJFs5k8NVl1wA%3D%3D"}],"group":"cf-nel","max_age":604800}
      CF-RAY: 8c6c209de93d7756-LHR
  • DNS  172.214.232.199.in-addr.arpa  IN PTR
    Response: none
  • DNS  11.227.111.52.in-addr.arpa  IN PTR
    Response: none

What the exchange shows: the sample resolves wecan.hasthe.technology (Cloudflare-fronted, two A records) and POSTs an 85412-byte multipart/form-data body to /upload three times at 30-second intervals (server Date headers 18:29:36, 18:30:06, 18:30:36). Every POST is answered through Cloudflare (Server: cloudflare, CF-RAY) with 301 to https://computernewb.com/collab-vm/, a different host; no request to that Location follows, and no 2xx appears anywhere in the report. With Expect: 100-continue a client normally waits for "100 Continue" before sending the body, and the recorded final status is 301, yet the flow summary lists about 88.5kB sent per POST, which is consistent with the body having been transmitted anyway. The body itself is not shown, so what was uploaded is not established; 85412 bytes is the same size class as the 83KB sample and the 83KB file dropped in Temp (see Downloads).
Flow summary. Columns: remote endpoint, name or URL, protocol, process (blank where the report attributes none), bytes sent, bytes received, packets sent/received, and the request and response recorded for the flow. The byte columns read as sent then received: the DNS flows carry the small query on the left and the larger answer on the right.

  Remote            Name / URL                              Proto  Process  Sent     Recv    Pkts   Recorded request -> response
  172.67.183.40:80  http://wecan.hasthe.technology/upload   http   sample   88.5kB   2.1kB   71/32  POST http://wecan.hasthe.technology/upload -> 301
  172.67.183.40:80  http://wecan.hasthe.technology/upload   http   sample   88.5kB   2.1kB   71/30  POST http://wecan.hasthe.technology/upload -> 301
  172.67.183.40:80  http://wecan.hasthe.technology/upload   http   sample   88.5kB   2.3kB   71/36  POST http://wecan.hasthe.technology/upload -> 301
  8.8.8.8:53        154.239.44.20.in-addr.arpa              dns             148 B    299 B   2/2    PTR 154.239.44.20.in-addr.arpa; A nexusrules.officeapps.live.com -> 52.111.227.11
  8.8.8.8:53        172.210.232.199.in-addr.arpa            dns             74 B     128 B   1/1    PTR 172.210.232.199.in-addr.arpa
  8.8.8.8:53        241.150.49.20.in-addr.arpa              dns             72 B     158 B   1/1    PTR 241.150.49.20.in-addr.arpa
  8.8.8.8:53        95.221.229.192.in-addr.arpa             dns             73 B     144 B   1/1    PTR 95.221.229.192.in-addr.arpa
  8.8.8.8:53        217.106.137.52.in-addr.arpa             dns             73 B     147 B   1/1    PTR 217.106.137.52.in-addr.arpa
  8.8.8.8:53        wecan.hasthe.technology                 dns    sample   69 B     101 B   1/1    A wecan.hasthe.technology -> 172.67.183.40, 104.21.59.199
  8.8.8.8:53        86.23.85.13.in-addr.arpa                dns             70 B     144 B   1/1    PTR 86.23.85.13.in-addr.arpa
  8.8.8.8:53        40.183.67.172.in-addr.arpa              dns             72 B     134 B   1/1    PTR 40.183.67.172.in-addr.arpa
  8.8.8.8:53        198.187.3.20.in-addr.arpa               dns             71 B     157 B   1/1    PTR 198.187.3.20.in-addr.arpa
  8.8.8.8:53        217.135.221.88.in-addr.arpa             dns             73 B     139 B   1/1    PTR 217.135.221.88.in-addr.arpa
  8.8.8.8:53        25.140.123.92.in-addr.arpa              dns             72 B     137 B   1/1    PTR 25.140.123.92.in-addr.arpa
  8.8.8.8:53        172.214.232.199.in-addr.arpa            dns             74 B     128 B   1/1    PTR 172.214.232.199.in-addr.arpa
  8.8.8.8:53        11.227.111.52.in-addr.arpa              dns             72 B     158 B   1/1    PTR 11.227.111.52.in-addr.arpa

  sample = 80d55cd24979c59fdfaf5c05648a27c74b50ad9373f0a61450f005c71debdc59N.exe (PID 4832)
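As an added example, not part of the sandbox report and not the sandbox's own detection logic, the following Python turns the three POSTs above into a beacon check a practitioner would run over proxy or flow logs: group requests by method, host, path and body length, flag groups whose inter-request gaps are regular, and classify each request's outcome so that an upload answered by an off-host redirect is distinguished from one that was accepted. The FLOWS records are constructed from the report's Date headers, Content-Length, status and Location; the GET to example.invalid is a made-up control and does not appear on the page.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed flow records transcribed from the report: the server Date header as
# the timestamp, the request Content-Length, the response status and Location.
# The GET to example.invalid is a made-up control to show unrelated traffic is
# not grouped with the beacon; nothing here is read from a live capture.
FLOWS = [
    {"ts": "2024-09-21T18:29:36Z", "method": "POST", "host": "wecan.hasthe.technology",
     "path": "/upload", "length": 85412, "status": 301,
     "location": "https://computernewb.com/collab-vm/"},
    {"ts": "2024-09-21T18:30:06Z", "method": "POST", "host": "wecan.hasthe.technology",
     "path": "/upload", "length": 85412, "status": 301,
     "location": "https://computernewb.com/collab-vm/"},
    {"ts": "2024-09-21T18:30:36Z", "method": "POST", "host": "wecan.hasthe.technology",
     "path": "/upload", "length": 85412, "status": 301,
     "location": "https://computernewb.com/collab-vm/"},
    {"ts": "2024-09-21T18:29:40Z", "method": "GET", "host": "example.invalid",
     "path": "/", "length": 0, "status": 200, "location": None},
]


def _key(flow):
    return (flow["method"], flow["host"], flow["path"], flow["length"])


def _ts(flow):
    return datetime.strptime(flow["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_periodic_uploads(flows, min_count=3, max_jitter_s=5.0):
    """Group requests by (method, host, path, body length) and flag groups whose
    inter-request gaps are regular. Same-size bodies on a fixed timer is the
    shape an uploader stub produces; min_count and max_jitter_s bound false
    positives from ordinary retries."""
    groups = defaultdict(list)
    for f in flows:
        groups[_key(f)].append(_ts(f))
    hits = []
    for (method, host, path, length), times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period, jitter = mean(gaps), pstdev(gaps)
        if period > 0 and jitter <= max_jitter_s:
            hits.append({"method": method, "host": host, "path": path, "length": length,
                         "count": len(times), "period_s": period, "jitter_s": jitter})
    return hits


def upload_outcome(flow):
    """Classify whether the body reached an accepting handler. A 3xx whose Location
    is on another host means a redirector answered, not the upload endpoint."""
    status = flow["status"]
    if 200 <= status < 300:
        return "accepted"
    if 300 <= status < 400 and flow.get("location"):
        target = urlsplit(flow["location"]).hostname
        return "redirected-offhost" if target != flow["host"] else "redirected-samehost"
    return "rejected"


def summarize(flows):
    """Periodic groups together with the set of outcomes their requests received."""
    out = []
    for hit in find_periodic_uploads(flows):
        key = (hit["method"], hit["host"], hit["path"], hit["length"])
        outcomes = sorted({upload_outcome(f) for f in flows if _key(f) == key})
        out.append({**hit, "outcomes": outcomes})
    return out


if __name__ == "__main__":
    for h in summarize(FLOWS):
        print(f"{h['count']}x {h['method']} {h['host']}{h['path']} body={h['length']} B "
              f"every {h['period_s']:.0f}s (jitter {h['jitter_s']:.1f}s) -> {h['outcomes']}")
```

On the report's figures this yields one group: three POSTs to wecan.hasthe.technology/upload with an 85412-byte body every 30 seconds, all ending in "redirected-offhost". That outcome is the part worth surfacing in an alert: a rule on periodic same-size POSTs alone would fire identically on a working exfiltration channel, whereas here the endpoint answers with a redirect to another host and nothing in the report shows the data being accepted, even though the body left the host.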

MITRE ATT&CK Enterprise v15

  • Discovery: System Location Discovery: System Language Discovery (T1614.001), observed in PID 4832


Downloads

  • C:\Users\Admin\AppData\Local\Temp\rifaien2-Lux0L5qT6nPDyW2B.exe

    Filesize

    83KB

    MD5

    ac91de7437a4477dd4e5ae5a822402ed

    SHA1

    91b355d53858f96f5c63f4be9d7b99909404fefd

    SHA256

    5f00db62cdd65d7ae5c5b1c6ad6b88d267bd9e816fad366cfe3e43a68edaf08d

    SHA512

    91236e4cd53f7f20c8898ebfdea4a511c41b94748804fcb94774a66bfcc375d9ed4aec28cc18594e65ac4d8503855b6baf09d15c6308d46e21f553cc4d170074

  • memory/4832-{0,1,4,8,12,19}-0x0000000000400000-0x000000000042A000-memory.dmp

    Six dumps of the same 0x400000-0x42A000 region of PID 4832, taken at successive points in the run

    Filesize

    168KB each
