Malware Analysis Report

2025-06-15 23:13

Sample ID 241109-nbg86stckd
Target b7ae0210aa6a545953f8fdca75f5814b11887dfb616eca738c0c70374584d590N
SHA256 b7ae0210aa6a545953f8fdca75f5814b11887dfb616eca738c0c70374584d590
Tags
discovery upx
score
5/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
5/10

SHA256

b7ae0210aa6a545953f8fdca75f5814b11887dfb616eca738c0c70374584d590

Threat Level: Likely benign

The file b7ae0210aa6a545953f8fdca75f5814b11887dfb616eca738c0c70374584d590N was found to be: Likely benign.

Malicious Activity Summary

discovery upx

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 11:13

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 11:13

Reported

2024-11-09 11:15

Platform

win10v2004-20241007-en

Max time kernel

111s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7ae0210aa6a545953f8fdca75f5814b11887dfb616eca738c0c70374584d590N.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b7ae0210aa6a545953f8fdca75f5814b11887dfb616eca738c0c70374584d590N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b7ae0210aa6a545953f8fdca75f5814b11887dfb616eca738c0c70374584d590N.exe

"C:\Users\Admin\AppData\Local\Temp\b7ae0210aa6a545953f8fdca75f5814b11887dfb616eca738c0c70374584d590N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 wecan.hasthe.technology udp
US 104.21.59.199:80 wecan.hasthe.technology tcp
US 8.8.8.8:53 199.59.21.104.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 104.21.59.199:80 wecan.hasthe.technology tcp
US 104.21.59.199:80 wecan.hasthe.technology tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2932-0-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2932-1-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2932-4-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2932-8-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2932-11-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rifaien2-AiQdqwcSb9bKqaIO.exe

MD5 204e0228d38810376e15828ac4f5d7d5
SHA1 3ed2626d98de4fb46de338a7b9006b712917215a
SHA256 c85b22dd1a8fcd26f095663e6b1c6de1a73d03bfcfdf28a16ba2208c5bc4d0e8
SHA512 2fee6e8d80aa9d9fdf0da079162332b0c9362246e3505766c0a0521c1328ad3ac834f44f769ca90fb23dfdc7ed90338d2c51cb3fa56ebcfa2549d6dec0d79e93

memory/2932-15-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2932-22-0x0000000000400000-0x000000000042A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 11:13

Reported

2024-11-09 11:15

Platform

win7-20241023-en

Max time kernel

119s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7ae0210aa6a545953f8fdca75f5814b11887dfb616eca738c0c70374584d590N.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b7ae0210aa6a545953f8fdca75f5814b11887dfb616eca738c0c70374584d590N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b7ae0210aa6a545953f8fdca75f5814b11887dfb616eca738c0c70374584d590N.exe

"C:\Users\Admin\AppData\Local\Temp\b7ae0210aa6a545953f8fdca75f5814b11887dfb616eca738c0c70374584d590N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 wecan.hasthe.technology udp
US 172.67.183.40:80 wecan.hasthe.technology tcp
US 172.67.183.40:80 wecan.hasthe.technology tcp
US 104.21.59.199:80 wecan.hasthe.technology tcp
US 172.67.183.40:80 wecan.hasthe.technology tcp

Files

memory/1628-0-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1628-2-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1628-6-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rifaien2-lVhBdJ3UPWCyBtO6.exe

MD5 5b9af1f50f08e867364342ac83af8c32
SHA1 bb903393863cdbdf8c800fd270f5a89e2d0087f7
SHA256 1bcb3d5c644f02198c7ed27b76b56cbf3ee9372ed916320637b1fce062cd4ef1
SHA512 d80e41e646394aa3ffc50f5019eb601af5d2dd397b1c307bd35fae77eee3c678ce58e8fc8f65966464132990a03fe8853655b691a31b0558ce671388a3a73479

memory/1628-16-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1628-23-0x0000000000400000-0x000000000042A000-memory.dmp