dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07

Analysis

max time kernel
110s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2024, 21:31 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe
Size

83KB
MD5

9737e48642bc5ab60a65e1836271f5e0
SHA1

c176708c39d7f4320c35716640023cda702c9f24
SHA256

dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07
SHA512

dc12d925d918be122894d89d13ce9ae32fc5ef1fd19b2ed0f87611fa64d44e5585566fb5b6f0934242fb56ec609a2bef56d9eca8a54bd30b75dc560062904867
SSDEEP

1536:LJaPJpAz869DUxWB+i4OQ4NR2Kk+aSnfZaG8fcaOCzGquSE0cF+OK:LJ0TAz6Mte4A+aaZx8EnCGVuO

Score

5^/10

discovery upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2992-0-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2992-2-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2992-6-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/files/0x000e00000001e580-12.dat	upx
behavioral2/memory/2992-15-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2992-22-0x0000000000400000-0x000000000042A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe

C:\Users\Admin\AppData\Local\Temp\dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe
"C:\Users\Admin\AppData\Local\Temp\dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2992

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=37B9C1CEE99F60F201C7D4DBE8AE6198; domain=.bing.com; expires=Wed, 05-Nov-2025 21:31:34 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AB1BB46331404BEA8F48170D8BF0F2CA Ref B: LON601060102011 Ref C: 2024-10-11T21:31:34Z
date: Fri, 11 Oct 2024 21:31:33 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=37B9C1CEE99F60F201C7D4DBE8AE6198

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=IqBddhOm1aEz8l4-LJweXcAx5OwvdJdY0Cir47mrpRc; domain=.bing.com; expires=Wed, 05-Nov-2025 21:31:34 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B93867FB94844A78AB9476B174BFB4B7 Ref B: LON601060102011 Ref C: 2024-10-11T21:31:34Z
date: Fri, 11 Oct 2024 21:31:33 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=37B9C1CEE99F60F201C7D4DBE8AE6198; MSPTC=IqBddhOm1aEz8l4-LJweXcAx5OwvdJdY0Cir47mrpRc

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D4A61580E0AE4F528CB114EB8CF5B6B1 Ref B: LON601060102011 Ref C: 2024-10-11T21:31:34Z
date: Fri, 11 Oct 2024 21:31:33 GMT
DNS

14.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.160.190.20.in-addr.arpa

IN PTR

Response
DNS

83.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.210.23.2.in-addr.arpa

IN PTR

Response

83.210.23.2.in-addr.arpa

IN PTR

a2-23-210-83deploystaticakamaitechnologiescom
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

wecan.hasthe.technology

dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe

Remote address:

8.8.8.8:53

Request

wecan.hasthe.technology

IN A

Response

wecan.hasthe.technology

IN A

172.67.183.40

wecan.hasthe.technology

IN A

104.21.59.199
POST

http://wecan.hasthe.technology/upload

dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe

Remote address:

172.67.183.40:80

Request

POST /upload HTTP/1.1
Host: wecan.hasthe.technology
Accept: */*
Content-Length: 85412
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------f2b611087a518552

Response

HTTP/1.1 301 Moved Permanently

Date: Fri, 11 Oct 2024 21:32:03 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Fri, 11 Oct 2024 22:32:03 GMT
Location: https://computernewb.com/collab-vm/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p%2FTKoXK4J%2BryhHb0UP6VQjZsF23lhJq%2B8YV6VnRG0pxrYokE5ynp23cvBnq24N9%2F3GAJaNTAJTSu853Tjt0%2BAQWyZVtFv%2Fzx%2BwCnnqJi9IkG8OtlRZtpyU0gZborl3GVgZeK0h3%2BMW52mw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d11f5ea9fd36397-LHR
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

40.183.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

40.183.67.172.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
POST

http://wecan.hasthe.technology/upload

dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe

Remote address:

172.67.183.40:80

Request

POST /upload HTTP/1.1
Host: wecan.hasthe.technology
Accept: */*
Content-Length: 85412
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------1f24b5b5fbb7e986

Response

HTTP/1.1 301 Moved Permanently

Date: Fri, 11 Oct 2024 21:32:33 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Fri, 11 Oct 2024 22:32:33 GMT
Location: https://computernewb.com/collab-vm/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=In8yMd4joVS6g6xnp0u4LFesy6mU97nxBHquIPlt6dcExD%2FFTUyxQH5VyNUpv1WhCPo5p1HF%2Bwog9yT03UG0IVi5QorqQzpL0P7DqWTP%2BkVPKh4pQWKWwWgzDxvjKt6GzdSnZJSW585slQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d11f6a71b8552d8-LHR
POST

http://wecan.hasthe.technology/upload

dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe

Remote address:

172.67.183.40:80

Request

POST /upload HTTP/1.1
Host: wecan.hasthe.technology
Accept: */*
Content-Length: 85412
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------84424ca96a8dc773

Response

HTTP/1.1 301 Moved Permanently

Date: Fri, 11 Oct 2024 21:33:04 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Fri, 11 Oct 2024 22:33:04 GMT
Location: https://computernewb.com/collab-vm/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4QVDcbB7F3f4KYvpfpIPOugucDEFjS4eC6NUQgdk5JLnbOqxoxDS9y%2BHBLs4TfZAkkt7vt1z6dAVwMv%2Baa7jqUdfTpmucl7YyWsZSNcEm935tNgMwNOSuLsBaIOhOn%2FnHhhCyH%2BkO%2BvELg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d11f763a9e84969-LHR
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response

150.171.28.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=

tls, http2

2.0kB
9.4kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86f5bb8cb12549c3bb1feed7506c5bbe&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=

HTTP Response

204
172.67.183.40:80

http://wecan.hasthe.technology/upload

http

dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe

88.5kB
1.9kB
72
25

HTTP Request

POST http://wecan.hasthe.technology/upload

HTTP Response

301
172.67.183.40:80

http://wecan.hasthe.technology/upload

http

dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe

88.5kB
1.9kB
71
27

HTTP Request

POST http://wecan.hasthe.technology/upload

HTTP Response

301
172.67.183.40:80

http://wecan.hasthe.technology/upload

http

dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe

88.4kB
2.3kB
70
35

HTTP Request

POST http://wecan.hasthe.technology/upload

HTTP Response

301

8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

14.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.160.190.20.in-addr.arpa
8.8.8.8:53

83.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

83.210.23.2.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

wecan.hasthe.technology

dns

dc3277701fa6fdf3afd00ccc8c1a1f2cabf5d6300751ab3d600b47d4d0a9cc07N.exe

69 B
101 B
1
1

DNS Request

wecan.hasthe.technology

DNS Response

172.67.183.40

104.21.59.199
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

40.183.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

40.183.67.172.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rifaien2-Sk4ieg2efzhJlKPQ.exe

Filesize
83KB

MD5
3fed4d2deb188796998512a99edd779b

SHA1
be7c03cae87a14a675541bc9f08647eff139dde3

SHA256
8a1e66b079009785dc753382e7292802e13d14256c5d4707cb20858158986b2b

SHA512
c8a8201eae51a603cc368f33bffd403ecf2073bbe7b51aec89ed329de07355730e7c45257966f059367c997c81d50995a24108ffd0bd82d25b640908dcef555e

Download Submit
memory/2992-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2992-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2992-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2992-15-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2992-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.