Analysis Overview
SHA256
1c9ed0e8d1a3c83cd87381f6132aa3419dc0a3087beb67a1ce9cdbc3ef431aa0
Threat Level: Likely benign
The file 1c9ed0e8d1a3c83cd87381f6132aa3419dc0a3087beb67a1ce9cdbc3ef431aa0N was found to be: Likely benign.
Malicious Activity Summary
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 10:26
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 10:26
Reported
2024-11-07 10:28
Platform
win7-20241023-en
Max time kernel
110s
Max time network
92s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1c9ed0e8d1a3c83cd87381f6132aa3419dc0a3087beb67a1ce9cdbc3ef431aa0N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1c9ed0e8d1a3c83cd87381f6132aa3419dc0a3087beb67a1ce9cdbc3ef431aa0N.exe
"C:\Users\Admin\AppData\Local\Temp\1c9ed0e8d1a3c83cd87381f6132aa3419dc0a3087beb67a1ce9cdbc3ef431aa0N.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
Files
memory/1980-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1980-1-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1980-5-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rifaien2-odkF66TjtyfQmeqn.exe
| MD5 | 8c9baec3ddd12f93740f89c7adbb38a3 |
| SHA1 | 3dbb0e819181940d27e17019151cd84ac5c70da3 |
| SHA256 | ecb2064b15885327a2a0afc52b89e2927c178049681b008fb82e557f55395a2c |
| SHA512 | d68b4d05d7a06398a31a7edeb0d22306182c5f555be258f51c37fbc4dd57e1c9a5cc47f7e1395d6526e0fab4e58f28140066742b919946513fbb6e7fd6cf1aed |
memory/1980-12-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1980-22-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-07 10:26
Reported
2024-11-07 10:28
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
93s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1c9ed0e8d1a3c83cd87381f6132aa3419dc0a3087beb67a1ce9cdbc3ef431aa0N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1c9ed0e8d1a3c83cd87381f6132aa3419dc0a3087beb67a1ce9cdbc3ef431aa0N.exe
"C:\Users\Admin\AppData\Local\Temp\1c9ed0e8d1a3c83cd87381f6132aa3419dc0a3087beb67a1ce9cdbc3ef431aa0N.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.183.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/4556-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4556-1-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4556-4-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4556-8-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rifaien2-nK6yZSOTmTO1mTUw.exe
| MD5 | dd673b7344d4510936c114330cb17488 |
| SHA1 | 89791498bbf1ac9eeeeb75ba07fa05c459b3bd8f |
| SHA256 | 8f3e2068959ecd7a4c9c1c7e79285389d23609c30436e75068d23778e7e11001 |
| SHA512 | 340998dd871908270640cc74dce93ae7cab3a1832009e1b88800d1a286a54bac2655d4505e8238891bf3f6a0f722cc820d3b80b2937594a6955ae7e101e25108 |
memory/4556-12-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4556-20-0x0000000000400000-0x000000000042A000-memory.dmp