Analysis Overview
SHA256
5a31f0e5ac9497b98769e77e1aeba6d13de9c333386a58404037cb28f7618cfb
Threat Level: Likely benign
The file 5a31f0e5ac9497b98769e77e1aeba6d13de9c333386a58404037cb28f7618cfbN was found to be: Likely benign.
Malicious Activity Summary
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 18:11
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 18:11
Reported
2024-11-09 18:13
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
103s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5a31f0e5ac9497b98769e77e1aeba6d13de9c333386a58404037cb28f7618cfbN.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5a31f0e5ac9497b98769e77e1aeba6d13de9c333386a58404037cb28f7618cfbN.exe
"C:\Users\Admin\AppData\Local\Temp\5a31f0e5ac9497b98769e77e1aeba6d13de9c333386a58404037cb28f7618cfbN.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | 40.183.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
Files
memory/2428-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2428-1-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2428-4-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2428-8-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rifaien2-MEpN7Vs9JTadWJDr.exe
| MD5 | a8c5e9b73250ea79ca8978d3239a3934 |
| SHA1 | 1f275f222aa0a259f36e98a232fee5114e4f3e5b |
| SHA256 | 1a65c17a05658abb72f001df4582beb51a3ff37a5ae8ab7adaed0b240b4d73ae |
| SHA512 | d51c2730bf03830d24b3361dccd15785fb9073817e1bf9c10ef51518faaabc3ca515e73158ae94f1b986950eeca94a56b1a32f0e331de1de441cde451013ef01 |
memory/2428-15-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2428-20-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 18:11
Reported
2024-11-09 18:13
Platform
win7-20240903-en
Max time kernel
110s
Max time network
96s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5a31f0e5ac9497b98769e77e1aeba6d13de9c333386a58404037cb28f7618cfbN.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5a31f0e5ac9497b98769e77e1aeba6d13de9c333386a58404037cb28f7618cfbN.exe
"C:\Users\Admin\AppData\Local\Temp\5a31f0e5ac9497b98769e77e1aeba6d13de9c333386a58404037cb28f7618cfbN.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
Files
memory/3048-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3048-1-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3048-5-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rifaien2-3zhg9hkSIHJ2AY4n.exe
| MD5 | ca3249faa186fe31a1a60dcc2c354b34 |
| SHA1 | b21fc3668b625c082c9670e7e9c99edcc654383e |
| SHA256 | 2f15f8bd6afd3cf0b1e49bbb66c50cadfd4a4afddf3e348a5941065c61a785cb |
| SHA512 | 76dd627eef44c67e0f5d67fd13e7d617ddb8c15f1b17afb3ae36a4eabb0e3e69aed762c067e2d284c617e35e5c4a404655c3835658268af854920465cc121510 |
memory/3048-15-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3048-22-0x0000000000400000-0x000000000042A000-memory.dmp