Malware Analysis Report

2025-04-03 19:52

Sample ID 241109-wsla6azbln
Target 5a31f0e5ac9497b98769e77e1aeba6d13de9c333386a58404037cb28f7618cfbN
SHA256 5a31f0e5ac9497b98769e77e1aeba6d13de9c333386a58404037cb28f7618cfb
Tags discovery upx
Score 5/10

Analysis Overview

Score 5/10

SHA256

5a31f0e5ac9497b98769e77e1aeba6d13de9c333386a58404037cb28f7618cfb

Threat Level: Likely benign

The file 5a31f0e5ac9497b98769e77e1aeba6d13de9c333386a58404037cb28f7618cfbN was found to be: Likely benign.

Malicious Activity Summary

Tags discovery upx

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

Analysis: static1

Detonation Overview

Reported

2024-11-09 18:11

Signatures

UPX packed file (tag: upx)

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 18:11

Reported

2024-11-09 18:13

Platform

win10v2004-20241007-en

Max time kernel

111s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a31f0e5ac9497b98769e77e1aeba6d13de9c333386a58404037cb28f7618cfbN.exe"

Signatures

UPX packed file (tag: upx)

System Location Discovery: System Language Discovery (tag: discovery)

Description Key opened
Indicator \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process C:\Users\Admin\AppData\Local\Temp\5a31f0e5ac9497b98769e77e1aeba6d13de9c333386a58404037cb28f7618cfbN.exe
Target N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5a31f0e5ac9497b98769e77e1aeba6d13de9c333386a58404037cb28f7618cfbN.exe

"C:\Users\Admin\AppData\Local\Temp\5a31f0e5ac9497b98769e77e1aeba6d13de9c333386a58404037cb28f7618cfbN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 wecan.hasthe.technology udp
US 172.67.183.40:80 wecan.hasthe.technology tcp
US 8.8.8.8:53 40.183.67.172.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 172.67.183.40:80 wecan.hasthe.technology tcp
US 172.67.183.40:80 wecan.hasthe.technology tcp
US 104.21.59.199:80 wecan.hasthe.technology tcp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp

Files

memory/2428-0-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2428-1-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2428-4-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2428-8-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rifaien2-MEpN7Vs9JTadWJDr.exe

MD5 a8c5e9b73250ea79ca8978d3239a3934
SHA1 1f275f222aa0a259f36e98a232fee5114e4f3e5b
SHA256 1a65c17a05658abb72f001df4582beb51a3ff37a5ae8ab7adaed0b240b4d73ae
SHA512 d51c2730bf03830d24b3361dccd15785fb9073817e1bf9c10ef51518faaabc3ca515e73158ae94f1b986950eeca94a56b1a32f0e331de1de441cde451013ef01

memory/2428-15-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2428-20-0x0000000000400000-0x000000000042A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 18:11

Reported

2024-11-09 18:13

Platform

win7-20240903-en

Max time kernel

110s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a31f0e5ac9497b98769e77e1aeba6d13de9c333386a58404037cb28f7618cfbN.exe"

Signatures

UPX packed file (tag: upx)

System Location Discovery: System Language Discovery (tag: discovery)

Description Key opened
Indicator \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process C:\Users\Admin\AppData\Local\Temp\5a31f0e5ac9497b98769e77e1aeba6d13de9c333386a58404037cb28f7618cfbN.exe
Target N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5a31f0e5ac9497b98769e77e1aeba6d13de9c333386a58404037cb28f7618cfbN.exe

"C:\Users\Admin\AppData\Local\Temp\5a31f0e5ac9497b98769e77e1aeba6d13de9c333386a58404037cb28f7618cfbN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 wecan.hasthe.technology udp
US 104.21.59.199:80 wecan.hasthe.technology tcp
US 104.21.59.199:80 wecan.hasthe.technology tcp
US 104.21.59.199:80 wecan.hasthe.technology tcp

Files

memory/3048-0-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3048-1-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3048-5-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rifaien2-3zhg9hkSIHJ2AY4n.exe

MD5 ca3249faa186fe31a1a60dcc2c354b34
SHA1 b21fc3668b625c082c9670e7e9c99edcc654383e
SHA256 2f15f8bd6afd3cf0b1e49bbb66c50cadfd4a4afddf3e348a5941065c61a785cb
SHA512 76dd627eef44c67e0f5d67fd13e7d617ddb8c15f1b17afb3ae36a4eabb0e3e69aed762c067e2d284c617e35e5c4a404655c3835658268af854920465cc121510

memory/3048-15-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3048-22-0x0000000000400000-0x000000000042A000-memory.dmp