Analysis Overview
SHA256
5709f44b73e081f4420c81a0ed8e6be8f6888387ef0c04d1476b006f6963bea2
Threat Level: Likely benign
The file 5709f44b73e081f4420c81a0ed8e6be8f6888387ef0c04d1476b006f6963bea2N was found to be: Likely benign.
Malicious Activity Summary
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:12
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:12
Reported
2024-11-09 19:14
Platform
win7-20241010-en
Max time kernel
111s
Max time network
97s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5709f44b73e081f4420c81a0ed8e6be8f6888387ef0c04d1476b006f6963bea2N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5709f44b73e081f4420c81a0ed8e6be8f6888387ef0c04d1476b006f6963bea2N.exe
"C:\Users\Admin\AppData\Local\Temp\5709f44b73e081f4420c81a0ed8e6be8f6888387ef0c04d1476b006f6963bea2N.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
Files
memory/2568-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2568-1-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2568-5-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2568-11-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rifaien2-FKDWfCXJJqNZuzVC.exe
| Hash | Value |
| --- | --- |
| MD5 | 5888bef4c9b78ce91bb003306980ca9a |
| SHA1 | eaa609719d4c5e5e8f2868a47588cc6506c5860e |
| SHA256 | 89733621342063bf10d262400d5833f22b34b390594aac2bcb88f96a26a6be7e |
| SHA512 | 4f3470d5c60c2115ddc3697f7bed756ee1e31faed6cc6d3e4f0c19915eddcba196c50662f598c150e7604eed7c4cb20bc266c8be0c7b696a0f1244d50a16f0e0 |
memory/2568-22-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 19:12
Reported
2024-11-09 19:14
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
98s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5709f44b73e081f4420c81a0ed8e6be8f6888387ef0c04d1476b006f6963bea2N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5709f44b73e081f4420c81a0ed8e6be8f6888387ef0c04d1476b006f6963bea2N.exe
"C:\Users\Admin\AppData\Local\Temp\5709f44b73e081f4420c81a0ed8e6be8f6888387ef0c04d1476b006f6963bea2N.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.183.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/4912-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4912-1-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4912-4-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4912-8-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rifaien2-ZyRGYyyy4J9iiOuj.exe
| Hash | Value |
| --- | --- |
| MD5 | 6be593b80554d2f139aa940743a403a9 |
| SHA1 | bdfeec422c5d70b95c4f86478567b8f078e3f900 |
| SHA256 | bebb461438ba748b013cead4457ad3011f855c30cc9c248ac876b542208d0cb8 |
| SHA512 | b50a0b1b7e7065b9c5429e8be75dd9f39b3b2fd98c4b6dac23335ea15cf85d42477785fade51e03fe8d04a2f7e8bfab66d5366ea289a5dc5273f97fd0aadd015 |
memory/4912-15-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4912-22-0x0000000000400000-0x000000000042A000-memory.dmp