3d900727725ddd4d9fb3b8eb6283c541ffa2f062f9a2f6f3c7905079b3684c3f

General

Target

3d900727725ddd4d9fb3b8eb6283c541ffa2f062f9a2f6f3c7905079b3684c3fN.exe
Size

83KB
MD5

36c4872aa1b3302b5d07a2af8795aa20
SHA1

cac9cf3082a1c08299f97e0d3050377f066095d2
SHA256

3d900727725ddd4d9fb3b8eb6283c541ffa2f062f9a2f6f3c7905079b3684c3f
SHA512

5b09ec0b110d220852a11db12e1e2017379a1645a95440357467aa0a657fff3cf0d1246ae95e138f0974ea4ecfbcba7ae3890fd15f84173cae44092855d68876
SSDEEP

1536:LJaPJpAz869DUxWB+i4OQ4NR2Kk+aSnfZaG8fcaOCzGquSE0cF+LK:LJ0TAz6Mte4A+aaZx8EnCGVuL

Score

5^/10

discovery upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2704-0-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2704-2-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2704-6-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2704-12-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0009000000012102-13.dat	upx
behavioral1/memory/2704-16-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2704-23-0x0000000000400000-0x000000000042A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d900727725ddd4d9fb3b8eb6283c541ffa2f062f9a2f6f3c7905079b3684c3fN.exe

C:\Users\Admin\AppData\Local\Temp\3d900727725ddd4d9fb3b8eb6283c541ffa2f062f9a2f6f3c7905079b3684c3fN.exe
"C:\Users\Admin\AppData\Local\Temp\3d900727725ddd4d9fb3b8eb6283c541ffa2f062f9a2f6f3c7905079b3684c3fN.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2704

Network

DNS

wecan.hasthe.technology

3d900727725ddd4d9fb3b8eb6283c541ffa2f062f9a2f6f3c7905079b3684c3fN.exe

Remote address:

8.8.8.8:53

Request

wecan.hasthe.technology

IN A

Response

wecan.hasthe.technology

IN A

172.67.183.40

wecan.hasthe.technology

IN A

104.21.59.199
POST

http://wecan.hasthe.technology/upload

3d900727725ddd4d9fb3b8eb6283c541ffa2f062f9a2f6f3c7905079b3684c3fN.exe

Remote address:

104.21.59.199:80

Request

POST /upload HTTP/1.1
Host: wecan.hasthe.technology
Accept: */*
Content-Length: 85412
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------57ac3dac215fc93d

Response

HTTP/1.1 301 Moved Permanently

Date: Fri, 04 Oct 2024 20:16:02 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Fri, 04 Oct 2024 21:16:02 GMT
Location: https://computernewb.com/collab-vm/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xhR3ONzKHsoQviLjiDplcPrRkLxcTO0WStbRjGQWzybd43cF0YCaozM7NVkrL5m2CPzZAdY%2BMTop1toAnnRZLAPn1Th%2F5NRC8wbV2921jCFYYMGNXnbyIuXKAUio%2Fo2%2Fa704vJANCFLFNw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd7d8edf9eb7765-LHR
POST

http://wecan.hasthe.technology/upload

3d900727725ddd4d9fb3b8eb6283c541ffa2f062f9a2f6f3c7905079b3684c3fN.exe

Remote address:

172.67.183.40:80

Request

POST /upload HTTP/1.1
Host: wecan.hasthe.technology
Accept: */*
Content-Length: 85412
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------840a9f21ec75401f

Response

HTTP/1.1 301 Moved Permanently

Date: Fri, 04 Oct 2024 20:16:33 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Fri, 04 Oct 2024 21:16:33 GMT
Location: https://computernewb.com/collab-vm/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xSkz3DOB3vnxo5P%2BRrbwHUlBP3yyRLFRwiL1c3xU6A2k0CKUHA8mQSda4s%2BpDVHd4pAOwJ0PEzs4ioMAxSYRTVXDy7OPpbnFP8Ic%2BFvxHPPEPrSlpK30eHAAvYgO5TlxB%2BKzz5in1t%2BPuw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd7d9ac5aee4176-LHR
POST

http://wecan.hasthe.technology/upload

3d900727725ddd4d9fb3b8eb6283c541ffa2f062f9a2f6f3c7905079b3684c3fN.exe

Remote address:

172.67.183.40:80

Request

POST /upload HTTP/1.1
Host: wecan.hasthe.technology
Accept: */*
Content-Length: 85412
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------4298645d747ba13c

Response

HTTP/1.1 301 Moved Permanently

Date: Fri, 04 Oct 2024 20:17:03 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Fri, 04 Oct 2024 21:17:03 GMT
Location: https://computernewb.com/collab-vm/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JNOaefYk6pvIU6liJXPyp7FSmIBr33Ux0%2FVucCFnWpzNyZNDScEX4z%2FLQpGIXAcfq0fzstpac3UbDLwR71zHXK8ud94SM8sMUnNae3LstRoUIAtY15ZH0rKkFHWnE%2BzdvelNIeamQN7Q6g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd7da6a683a79b7-LHR

172.67.183.40:80

wecan.hasthe.technology

3d900727725ddd4d9fb3b8eb6283c541ffa2f062f9a2f6f3c7905079b3684c3fN.exe

52 B
1
104.21.59.199:80

http://wecan.hasthe.technology/upload

http

3d900727725ddd4d9fb3b8eb6283c541ffa2f062f9a2f6f3c7905079b3684c3fN.exe

88.6kB
3.1kB
74
57

HTTP Request

POST http://wecan.hasthe.technology/upload

HTTP Response

301
172.67.183.40:80

http://wecan.hasthe.technology/upload

http

3d900727725ddd4d9fb3b8eb6283c541ffa2f062f9a2f6f3c7905079b3684c3fN.exe

88.6kB
2.6kB
74
44

HTTP Request

POST http://wecan.hasthe.technology/upload

HTTP Response

301
172.67.183.40:80

http://wecan.hasthe.technology/upload

http

3d900727725ddd4d9fb3b8eb6283c541ffa2f062f9a2f6f3c7905079b3684c3fN.exe

88.6kB
2.0kB
74
30

HTTP Request

POST http://wecan.hasthe.technology/upload

HTTP Response

301

8.8.8.8:53

wecan.hasthe.technology

dns

3d900727725ddd4d9fb3b8eb6283c541ffa2f062f9a2f6f3c7905079b3684c3fN.exe

69 B
101 B
1
1

DNS Request

wecan.hasthe.technology

DNS Response

172.67.183.40

104.21.59.199

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rifaien2-HZbqboRtTSargPep.exe

Filesize
83KB

MD5
a3e20a3cb80652b33b99b5b016d646f6

SHA1
1ca8d86408740a4ba0dacce244e7a6ceefd349c4

SHA256
d31ae43edb6950382106a12c34c082fcadf1a388744cb54f12721ef47f8bf256

SHA512
07e2ea6675016acf6fbce992acb023d854f9106b5e9b932e2dbf25005cb0850e6e23dad6e5aa8512e711a61257c33e25f59d2a20217a1b81d526cdedcba35cfb

Download Submit
memory/2704-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2704-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2704-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2704-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2704-16-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2704-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.