Analysis Overview
SHA256
e6d1d2aedf359cd8cb25c78570472d2241c86b6ef53743394cf67a20f81d092a
Threat Level: Likely benign
The file e6d1d2aedf359cd8cb25c78570472d2241c86b6ef53743394cf67a20f81d092aN was found to be: Likely benign.
Malicious Activity Summary
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:39
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:39
Reported
2024-11-10 01:41
Platform
win7-20240729-en
Max time kernel
110s
Max time network
103s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e6d1d2aedf359cd8cb25c78570472d2241c86b6ef53743394cf67a20f81d092aN.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e6d1d2aedf359cd8cb25c78570472d2241c86b6ef53743394cf67a20f81d092aN.exe
"C:\Users\Admin\AppData\Local\Temp\e6d1d2aedf359cd8cb25c78570472d2241c86b6ef53743394cf67a20f81d092aN.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
Files
memory/2264-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2264-1-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2264-5-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rifaien2-R15CVWfdnawYuHyO.exe
| Hash | Value |
|---|---|
| MD5 | d1867e3d5de28f5d7af30b31d458a1c9 |
| SHA1 | b19dfe54ab54c02b40d6afb89b470c0ea2c874a3 |
| SHA256 | 0326059f5d1c7c46284f75540f14b3a8d236fa9df4c785e6500b5f60be43a58a |
| SHA512 | e7dbe110506080ef951a311e20819ed0349a452b0bcfc1c5bcde98420c4285a31ab6c8bb173a7eb6c52cef37833b95c898a5f15920651ba38622005332a53810 |
memory/2264-16-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2264-23-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:39
Reported
2024-11-10 01:41
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
100s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e6d1d2aedf359cd8cb25c78570472d2241c86b6ef53743394cf67a20f81d092aN.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e6d1d2aedf359cd8cb25c78570472d2241c86b6ef53743394cf67a20f81d092aN.exe
"C:\Users\Admin\AppData\Local\Temp\e6d1d2aedf359cd8cb25c78570472d2241c86b6ef53743394cf67a20f81d092aN.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.183.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | 199.59.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
Files
memory/4196-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4196-1-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4196-4-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4196-8-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4196-11-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rifaien2-KZLObZmZPwrsCwAU.exe
| Hash | Value |
|---|---|
| MD5 | 7481ba3cb0cf2a86bdba2c840911ff73 |
| SHA1 | d7b1a30a91b60503ca7306ede70948195f6269d4 |
| SHA256 | 03de2fe1b6620af85a952809d25ce3a75a1f7c51176d3b95afd313b590efd9db |
| SHA512 | 99ad23878554021bfd7ade8377dd0ef48b3cf282d4a6ac1d3fffdb32127fa3d1f6fe551cbe0391e92da18da9cfe39ba144ecd7f7a5e62b636b25ef1cecbd9fe2 |
memory/4196-15-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4196-22-0x0000000000400000-0x000000000042A000-memory.dmp