Analysis Overview
SHA256
04fa8af11049c4ad44e2ed4a935ed3fe6880fa779ec2d66d62ef4ce4f0af4210
Threat Level: Likely benign
The file 04fa8af11049c4ad44e2ed4a935ed3fe6880fa779ec2d66d62ef4ce4f0af4210N was found to be: Likely benign.
Malicious Activity Summary
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 15:03
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 15:03
Reported
2024-11-07 15:05
Platform
win7-20240903-en
Max time kernel
110s
Max time network
92s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\04fa8af11049c4ad44e2ed4a935ed3fe6880fa779ec2d66d62ef4ce4f0af4210N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\04fa8af11049c4ad44e2ed4a935ed3fe6880fa779ec2d66d62ef4ce4f0af4210N.exe
"C:\Users\Admin\AppData\Local\Temp\04fa8af11049c4ad44e2ed4a935ed3fe6880fa779ec2d66d62ef4ce4f0af4210N.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
Files
memory/3056-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3056-1-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3056-5-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rifaien2-g7iPp0pJB8QFiFL4.exe
| MD5 | 1c495f2b67a9aa3e140fd0c4a9ebe221 |
| SHA1 | cecfe8c8e2b90d9be25be30f1bdd77271d78842d |
| SHA256 | dcc32f0f460ded09d7609c472922e61a8962507bbaf76722fd16772de5ca63ea |
| SHA512 | ba460704a7d641688a2e4f0eb66e8ad0504ba1e3ebfdb15a61861d89586a05664a7c46157b1399118c5f2cbcfb09840382bd92a2a6490a77f8eebb36aedbb813 |
memory/3056-14-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3056-22-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-07 15:03
Reported
2024-11-07 15:05
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
95s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\04fa8af11049c4ad44e2ed4a935ed3fe6880fa779ec2d66d62ef4ce4f0af4210N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\04fa8af11049c4ad44e2ed4a935ed3fe6880fa779ec2d66d62ef4ce4f0af4210N.exe
"C:\Users\Admin\AppData\Local\Temp\04fa8af11049c4ad44e2ed4a935ed3fe6880fa779ec2d66d62ef4ce4f0af4210N.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.183.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
Files
memory/3460-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3460-2-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3460-6-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rifaien2-PQTYMXFlm3soFwif.exe
| MD5 | 31c29766a6fbb81758c9ef335de97576 |
| SHA1 | 3001d4c7013e6fca9a58e532cea5550afd8510bf |
| SHA256 | b3bb125590554496a1c4ef80fae8dc2f04b67391c3222139ffef15de7f88cf6f |
| SHA512 | 4bf030b700133b6ec5f022076c745b7418d0dc786ac8e419f1f6afa2e328c4c273030a7310c4d5efe859610f1aba6e9a051878fa7716c715e72e75563e3a3ac1 |
memory/3460-13-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3460-22-0x0000000000400000-0x000000000042A000-memory.dmp