Malware Analysis Report

2025-04-03 19:54

Sample ID 241109-xvtwrazgkf
Target 03474f220bb5b853264f20c063bc85683ec6f85167356e543e2c30ed7b646bd3
SHA256 03474f220bb5b853264f20c063bc85683ec6f85167356e543e2c30ed7b646bd3
Tags
discovery upx
score
5/10


Analysis Overview

score
5/10

SHA256

03474f220bb5b853264f20c063bc85683ec6f85167356e543e2c30ed7b646bd3

Threat Level: Likely benign

The file 03474f220bb5b853264f20c063bc85683ec6f85167356e543e2c30ed7b646bd3 was found to be: Likely benign.

Malicious Activity Summary

discovery upx

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:10

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 19:10

Reported

2024-11-09 19:13

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03474f220bb5b853264f20c063bc85683ec6f85167356e543e2c30ed7b646bd3.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\03474f220bb5b853264f20c063bc85683ec6f85167356e543e2c30ed7b646bd3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\03474f220bb5b853264f20c063bc85683ec6f85167356e543e2c30ed7b646bd3.exe

"C:\Users\Admin\AppData\Local\Temp\03474f220bb5b853264f20c063bc85683ec6f85167356e543e2c30ed7b646bd3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 wecan.hasthe.technology udp
US 104.21.59.199:80 wecan.hasthe.technology tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 199.59.21.104.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 wecan.hasthe.technology udp
US 172.67.183.40:80 wecan.hasthe.technology tcp
US 8.8.8.8:53 40.183.67.172.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 172.67.183.40:80 wecan.hasthe.technology tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 172.67.183.40:80 wecan.hasthe.technology tcp
US 8.8.8.8:53 udp

Files

memory/544-0-0x0000000000400000-0x000000000042A000-memory.dmp

memory/544-1-0x0000000000400000-0x000000000042A000-memory.dmp

memory/544-4-0x0000000000400000-0x000000000042A000-memory.dmp

memory/544-8-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rifaien2-LQKwPhPVkTX0ujEQ.exe

MD5 4c08b8eb94379ec62564db9d9ac63589
SHA1 b6f35ad88e5edf43cf46efe54b66be8fd64124e5
SHA256 76404fb1f4838b60b4851b1079023e584038a80f5e246f101a268b666abcd5b3
SHA512 e2483bfc05243b6a95cc2f6ea080d514e30ee85efbf7ab5ec57bb76543865a977ce8e888d300354f2623f69b3ac4fef8568a9b9f1e85228eb469a5fe0447c7c6

memory/544-14-0x0000000000400000-0x000000000042A000-memory.dmp

memory/544-21-0x0000000000400000-0x000000000042A000-memory.dmp

memory/544-29-0x0000000000400000-0x000000000042A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:10

Reported

2024-11-09 19:13

Platform

win7-20240903-en

Max time kernel

141s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03474f220bb5b853264f20c063bc85683ec6f85167356e543e2c30ed7b646bd3.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\03474f220bb5b853264f20c063bc85683ec6f85167356e543e2c30ed7b646bd3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\03474f220bb5b853264f20c063bc85683ec6f85167356e543e2c30ed7b646bd3.exe

"C:\Users\Admin\AppData\Local\Temp\03474f220bb5b853264f20c063bc85683ec6f85167356e543e2c30ed7b646bd3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 wecan.hasthe.technology udp
US 104.21.59.199:80 wecan.hasthe.technology tcp
US 104.21.59.199:80 wecan.hasthe.technology tcp
US 104.21.59.199:80 wecan.hasthe.technology tcp
US 104.21.59.199:80 wecan.hasthe.technology tcp

Files

memory/1732-0-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1732-1-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1732-5-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rifaien2-pHiZKCaERy63YHaC.exe

MD5 390b9272059689896397b8d42894fdb7
SHA1 cf3624296ef32ed4c305dadb6611cb043bee48d9
SHA256 9125f9829a6c31040445d56da59bf3e4090cfe671b2c92b0f48c009be639fa6b
SHA512 6076d9e39a02947e1eca10f9f10d808af398530829facb8f4d855ae7878b723c3699f0ed276ddbb12e9c8c1efa5308312358d69d0b750493dd1fb783bbcb3b36

memory/1732-12-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1732-22-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1732-29-0x0000000000400000-0x000000000042A000-memory.dmp