Analysis Overview
SHA256
03474f220bb5b853264f20c063bc85683ec6f85167356e543e2c30ed7b646bd3
Threat Level: Likely benign
The file 03474f220bb5b853264f20c063bc85683ec6f85167356e543e2c30ed7b646bd3 was found to be: Likely benign.
Malicious Activity Summary
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:10
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 19:10
Reported
2024-11-09 19:13
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\03474f220bb5b853264f20c063bc85683ec6f85167356e543e2c30ed7b646bd3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\03474f220bb5b853264f20c063bc85683ec6f85167356e543e2c30ed7b646bd3.exe
"C:\Users\Admin\AppData\Local\Temp\03474f220bb5b853264f20c063bc85683ec6f85167356e543e2c30ed7b646bd3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.59.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | 40.183.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | udp |
Files
memory/544-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/544-1-0x0000000000400000-0x000000000042A000-memory.dmp
memory/544-4-0x0000000000400000-0x000000000042A000-memory.dmp
memory/544-8-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rifaien2-LQKwPhPVkTX0ujEQ.exe
| MD5 | 4c08b8eb94379ec62564db9d9ac63589 |
| SHA1 | b6f35ad88e5edf43cf46efe54b66be8fd64124e5 |
| SHA256 | 76404fb1f4838b60b4851b1079023e584038a80f5e246f101a268b666abcd5b3 |
| SHA512 | e2483bfc05243b6a95cc2f6ea080d514e30ee85efbf7ab5ec57bb76543865a977ce8e888d300354f2623f69b3ac4fef8568a9b9f1e85228eb469a5fe0447c7c6 |
memory/544-14-0x0000000000400000-0x000000000042A000-memory.dmp
memory/544-21-0x0000000000400000-0x000000000042A000-memory.dmp
memory/544-29-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:10
Reported
2024-11-09 19:13
Platform
win7-20240903-en
Max time kernel
141s
Max time network
123s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\03474f220bb5b853264f20c063bc85683ec6f85167356e543e2c30ed7b646bd3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\03474f220bb5b853264f20c063bc85683ec6f85167356e543e2c30ed7b646bd3.exe
"C:\Users\Admin\AppData\Local\Temp\03474f220bb5b853264f20c063bc85683ec6f85167356e543e2c30ed7b646bd3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
Files
memory/1732-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1732-1-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1732-5-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rifaien2-pHiZKCaERy63YHaC.exe
| MD5 | 390b9272059689896397b8d42894fdb7 |
| SHA1 | cf3624296ef32ed4c305dadb6611cb043bee48d9 |
| SHA256 | 9125f9829a6c31040445d56da59bf3e4090cfe671b2c92b0f48c009be639fa6b |
| SHA512 | 6076d9e39a02947e1eca10f9f10d808af398530829facb8f4d855ae7878b723c3699f0ed276ddbb12e9c8c1efa5308312358d69d0b750493dd1fb783bbcb3b36 |
memory/1732-12-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1732-22-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1732-29-0x0000000000400000-0x000000000042A000-memory.dmp