Analysis Overview
SHA256
aa4a86020103667ce07755c39a0f15f476360395cd9aa2565986e8fe0928bb2c
Threat Level: Likely benign
The file aa4a86020103667ce07755c39a0f15f476360395cd9aa2565986e8fe0928bb2c was found to be: Likely benign.
Malicious Activity Summary
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:31
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:31
Reported
2024-11-10 01:33
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
141s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aa4a86020103667ce07755c39a0f15f476360395cd9aa2565986e8fe0928bb2c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\aa4a86020103667ce07755c39a0f15f476360395cd9aa2565986e8fe0928bb2c.exe
"C:\Users\Admin\AppData\Local\Temp\aa4a86020103667ce07755c39a0f15f476360395cd9aa2565986e8fe0928bb2c.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.59.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
Files
memory/4996-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4996-1-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4996-4-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4996-8-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rifaien2-6JlIbNAe2vvTpEZz.exe
| MD5 | 1b09ecb91a3def004b24ab01923de81d |
| SHA1 | 0b738f0091c429448489fc5c14ff3b89fdb8dfcb |
| SHA256 | 6b77884c53da890e1f91829842b129d6c7b5ea71f7806db6fc7b4eda5ecd1903 |
| SHA512 | 9942cfec3d073f8647e6b15af46003bb32ba4d465dd8bdf265676e8a00b7726da67e01488950c30b2ef36791cf2f5e7dfa7d427caef33c7ed43e47b48a8423fd |
memory/4996-15-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4996-22-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4996-29-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:31
Reported
2024-11-10 01:33
Platform
win7-20240903-en
Max time kernel
141s
Max time network
123s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aa4a86020103667ce07755c39a0f15f476360395cd9aa2565986e8fe0928bb2c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\aa4a86020103667ce07755c39a0f15f476360395cd9aa2565986e8fe0928bb2c.exe
"C:\Users\Admin\AppData\Local\Temp\aa4a86020103667ce07755c39a0f15f476360395cd9aa2565986e8fe0928bb2c.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
Files
memory/2272-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2272-1-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2272-7-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rifaien2-Q0Fjz7mLXHRvWCQR.exe
| MD5 | bae0be090c9c7f276febb73584e08863 |
| SHA1 | 0831d144d38834cbf64f62b1915c07346bf2549f |
| SHA256 | 23567909ca573dd36790ec41336309d195d89d2aa7f9b9a9e10dc230584d3e05 |
| SHA512 | f98f25c0ebbd0adc5d5f45deb0f90c9a0787e5ac47f7a33808def901f057ef4ee8fc64002e6753aef5355b142fed2b53015c29b0c1ef7570dcc86dbedcfb0cfc |
memory/2272-14-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2272-22-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2272-29-0x0000000000400000-0x000000000042A000-memory.dmp