Analysis Overview
SHA256
04cfc00fb1454c9c2d30d11a84ae18f58eedfa3a0d6e073a88d5e729986ce42b
Threat Level: Likely benign
The file 04cfc00fb1454c9c2d30d11a84ae18f58eedfa3a0d6e073a88d5e729986ce42bN was found to be: Likely benign.
Malicious Activity Summary
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:08
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:08
Reported
2024-11-09 19:10
Platform
win7-20240903-en
Max time kernel
110s
Max time network
91s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\04cfc00fb1454c9c2d30d11a84ae18f58eedfa3a0d6e073a88d5e729986ce42bN.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\04cfc00fb1454c9c2d30d11a84ae18f58eedfa3a0d6e073a88d5e729986ce42bN.exe
"C:\Users\Admin\AppData\Local\Temp\04cfc00fb1454c9c2d30d11a84ae18f58eedfa3a0d6e073a88d5e729986ce42bN.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
Files
memory/2088-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2088-1-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2088-7-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rifaien2-EdktEMqJIs36pHHz.exe
| MD5 | 820defc294c58573aed17c31f3a5ad46 |
| SHA1 | 8dba6012b7681cda1f49d6401eead851cbcfe0cb |
| SHA256 | f1a1dbfe3168648decfc8ab632d74f6c01278d6eeafd5efbc5f590b4caedfc3a |
| SHA512 | 8718ab907bc54b9ddfdc65c448aca40832df07f362b35abbc037fc7bcb1226435e80661f6f7069478aa700febe4c1520aa6c78c5a19f9ac9e62c3f06e386c60e |
memory/2088-14-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2088-22-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 19:08
Reported
2024-11-09 19:10
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
94s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\04cfc00fb1454c9c2d30d11a84ae18f58eedfa3a0d6e073a88d5e729986ce42bN.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\04cfc00fb1454c9c2d30d11a84ae18f58eedfa3a0d6e073a88d5e729986ce42bN.exe
"C:\Users\Admin\AppData\Local\Temp\04cfc00fb1454c9c2d30d11a84ae18f58eedfa3a0d6e073a88d5e729986ce42bN.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.183.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | 199.59.21.104.in-addr.arpa | udp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/5084-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/5084-1-0x0000000000400000-0x000000000042A000-memory.dmp
memory/5084-4-0x0000000000400000-0x000000000042A000-memory.dmp
memory/5084-8-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rifaien2-fXtrK3jzXnYQJ6Ms.exe
| MD5 | 6d38c36cc1f9c873b9ae713847a8253e |
| SHA1 | 68017c5acc7cbe50877a5cda2dd56486601ea9f9 |
| SHA256 | 1346fa72f11c9917cbec040d9f88ae14462107c56bf9f15772b62cf3dcb0ea7c |
| SHA512 | 491b5526daa9796387d9a4bfa3089583103758e6f78c845af467447fd8c00e9355c328bcd43b6e59fe1709b018903cead9e7448faecf9c5b0a40dacbc674b5b8 |
memory/5084-12-0x0000000000400000-0x000000000042A000-memory.dmp
memory/5084-20-0x0000000000400000-0x000000000042A000-memory.dmp