Analysis Overview
SHA256
49f29a07d40ac49d7eda38f9799c1cec33b5f199560e3458ee59c4a6bb611d65
Threat Level: Likely benign
The file 49f29a07d40ac49d7eda38f9799c1cec33b5f199560e3458ee59c4a6bb611d65N was found to be: Likely benign.
Malicious Activity Summary
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 06:22
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
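The two static signatures above (UPX packed file, Unsigned PE) can be reproduced from the PE headers alone. The script below is an added example written for this page, not sandbox code: it walks the DOS header, COFF header, data directories and section table with the struct module, flags UPX by section names and the "UPX!" marker, and reads the size of the security data directory to decide whether an Authenticode blob is embedded. build_sample_pe() fabricates a headers-only PE32 skeleton so the example runs offline; the section layout and the pretend certificate offset in it are constructed values, not taken from the sample.

```python
import struct
import sys

DOS_E_LFANEW = 0x3C
SECURITY_DIR_INDEX = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY: embedded Authenticode blob
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> data directories -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, DOS_E_LFANEW)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symp, _nsym, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: data directories start 96 bytes into the optional header
        dd_off = opt + 96
    elif magic == 0x20B:          # PE32+: 112 bytes
        dd_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]   # NumberOfRvaAndSizes precedes the table
    security_dir = (0, 0)
    if n_dirs > SECURITY_DIR_INDEX:
        security_dir = struct.unpack_from("<II", data, dd_off + SECURITY_DIR_INDEX * 8)
    sections = []
    table = opt + opt_size
    for i in range(nsec):
        off = table + i * 40      # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rawsize, _rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "virtual_size": vsize, "raw_size": rawsize})
    return {"sections": sections, "security_dir": security_dir}


def classify(data: bytes) -> dict:
    """Re-derive the report's two static signatures: 'UPX packed file' and 'Unsigned PE'."""
    pe = parse_pe(data)
    names = {s["name"] for s in pe["sections"]}
    reasons = []
    if names & UPX_SECTION_NAMES:
        reasons.append("UPX section names: " + ", ".join(sorted(names & UPX_SECTION_NAMES)))
    if b"UPX!" in data:
        reasons.append("'UPX!' header marker present")
    # Supporting sign only: a section with no data on disk but a large virtual size is where the
    # stub unpacks into. Never decide on it alone; a .bss section looks the same.
    for s in pe["sections"]:
        if s["raw_size"] == 0 and s["virtual_size"] >= 0x1000:
            reasons.append("empty-on-disk section %s (0x%x virtual)" % (s["name"], s["virtual_size"]))
    upx = bool(names & UPX_SECTION_NAMES) or b"UPX!" in data
    # Zero security-directory size means no embedded signature. Catalog-signed binaries (most OS
    # files) also show zero here, so confirm with signtool / Get-AuthenticodeSignature before
    # reporting a file as unsigned.
    _rva, size = pe["security_dir"]
    return {"upx_packed": upx, "signed": size > 0, "reasons": reasons}


def build_sample_pe(section_names, signed=False, marker=b""):
    """Constructed PE32 header skeleton for the demo (headers only, not a runnable image)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (DOS_E_LFANEW - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x0102)
    dirs = [(0, 0)] * 16
    if signed:
        dirs[SECURITY_DIR_INDEX] = (0x2000, 0x1800)     # pretend a WIN_CERTIFICATE sits at 0x2000
    opt = (struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
           + b"".join(struct.pack("<II", *d) for d in dirs))
    secs = b""
    for name in section_names:
        raw = 0 if name == "UPX0" else 0x200            # UPX0 is empty on disk, filled at unpack time
        secs += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", 0x10000, 0x1000, raw, 0x400, 0, 0, 0, 0, 0xE0000060)
    return dos + b"PE\0\0" + coff + opt + secs + marker


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_pe(["UPX0", "UPX1", ".rsrc"], marker=b"UPX!")
    print(classify(blob))
```

Run it with a path to a real PE to get the same two verdicts the sandbox reports; without an argument it classifies the constructed UPX-style skeleton. Renamed-section packers defeat the name check, which is why the marker and the empty-section heuristic are kept as corroboration.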
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 06:22
Reported
2024-11-10 06:24
Platform
win7-20240708-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\49f29a07d40ac49d7eda38f9799c1cec33b5f199560e3458ee59c4a6bb611d65N.exe | N/A |
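The registry row above is the classic locale check (ATT&CK T1614.001): the sample opens the NLS\Language key before doing anything else, which is how many loaders decide to exit on systems in regions they avoid. The script below is an added example, not part of the report or of any sandbox: it normalizes the object-manager path the sandbox records (\REGISTRY\MACHINE, ControlSet001) into HKLM/CurrentControlSet form, matches it against a small set of locale keys, and tags whether the process ran from a user-writable location. The event shape (description/indicator/process dicts) mirrors this report's table; the explorer.exe and updater.exe rows are constructed to show a non-match and a legitimate match.

```python
import re

# Registry locations a sample reads to learn the system or user locale (ATT&CK T1614.001).
# Written in normalized HKLM/HKCU form; sandbox object-manager paths are mapped onto them.
LOCALE_KEYS = (
    r"HKLM\SYSTEM\CurrentControlSet\Control\NLS\Language",
    r"HKLM\SYSTEM\CurrentControlSet\Control\NLS\Locale",
    r"HKCU\Control Panel\International",
)
# Locations an unprivileged user (or a downloader) can write to; a locale check from here carries
# more weight than the same check from Program Files or System32.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(AppData\\Local\\Temp|Downloads|Desktop)\\", re.I)


def normalize_key(path: str) -> str:
    """Map sandbox object-manager paths onto HKLM/HKCU and fold ControlSetNNN into CurrentControlSet."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    path = re.sub(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\", r"HKCU\\", path, flags=re.I)
    path = re.sub(r"^HKLM\\SYSTEM\\ControlSet\d{3}\\", r"HKLM\\SYSTEM\\CurrentControlSet\\", path, flags=re.I)
    return path


def locale_check_hits(events):
    """One hit per registry event that touches a locale key, tagged with where the process ran from."""
    hits = []
    for ev in events:
        # "Key opened" is the wording in this report; "Key value queried" is an assumed sibling wording.
        if ev["description"].lower() not in ("key opened", "key value queried"):
            continue
        key = normalize_key(ev["indicator"])
        matched = next((k for k in LOCALE_KEYS if key.lower().startswith(k.lower())), None)
        if matched is None:
            continue
        hits.append({
            "process": ev["process"],
            "key": matched,
            "from_user_writable_path": bool(USER_WRITABLE.match(ev["process"])),
        })
    return hits


# Constructed events: the first is the row from this report, the other two are made up for contrast.
SAMPLE_EVENTS = [
    {"description": "Key opened",
     "indicator": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language",
     "process": r"C:\Users\Admin\AppData\Local\Temp\49f29a07d40ac49d7eda38f9799c1cec33b5f199560e3458ee59c4a6bb611d65N.exe"},
    {"description": "Key opened",
     "indicator": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager",
     "process": r"C:\Windows\explorer.exe"},
    {"description": "Key value queried",
     "indicator": r"\REGISTRY\USER\S-1-5-21-1000-2000-3000-1001\Control Panel\International\LocaleName",
     "process": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for hit in locale_check_hits(SAMPLE_EVENTS):
        print(hit)
```

Reading the locale is something plenty of legitimate software does (the constructed updater row stands in for that), so this is an enrichment for triage rather than an alert on its own; what makes the row above worth noting is the combination with an unsigned, packed executable running out of Temp.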
Processes
C:\Users\Admin\AppData\Local\Temp\49f29a07d40ac49d7eda38f9799c1cec33b5f199560e3458ee59c4a6bb611d65N.exe
"C:\Users\Admin\AppData\Local\Temp\49f29a07d40ac49d7eda38f9799c1cec33b5f199560e3458ee59c4a6bb611d65N.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 104.21.59.199:80 | wecan.hasthe.technology | tcp |
Files
memory/2180-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2180-1-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2180-5-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rifaien2-vzQ0QtHVHfPdlNcC.exe
| MD5 | ac07f0e521cedfd7d143d3c91b92ac53 |
| SHA1 | 0c8dc5f90f43b1972589685f139f4426e28ee884 |
| SHA256 | aa493ed6376487782e36a4ff83e71f0c22af1009596d1506623e2c2673ca0770 |
| SHA512 | 5f997ccef0c2726915de2dcf91f4c37b6b797050adc9ba878dfe326c4d453ea6f81597b53c8ee65e59b4394b92223882abac3eed950293d71e7b8143b2c0e18b |
memory/2180-12-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2180-22-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 06:22
Reported
2024-11-10 06:24
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
94s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\49f29a07d40ac49d7eda38f9799c1cec33b5f199560e3458ee59c4a6bb611d65N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\49f29a07d40ac49d7eda38f9799c1cec33b5f199560e3458ee59c4a6bb611d65N.exe
"C:\Users\Admin\AppData\Local\Temp\49f29a07d40ac49d7eda38f9799c1cec33b5f199560e3458ee59c4a6bb611d65N.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wecan.hasthe.technology | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.183.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 172.67.183.40:80 | wecan.hasthe.technology | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/508-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/508-1-0x0000000000400000-0x000000000042A000-memory.dmp
memory/508-4-0x0000000000400000-0x000000000042A000-memory.dmp
memory/508-8-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rifaien2-Vw2r4FTDTRaaOwec.exe
| MD5 | 3e47294526648acdfb293ef595c48d50 |
| SHA1 | e6429cb7902abfd4e589d2fd8aba12b6d329dc73 |
| SHA256 | e6c025426865717605e880329471bbd1e0b69a3d50fb88394ef9a3ede15ae682 |
| SHA512 | cd7014a907c7b77857822d8d99f1a81d97af6f7bc38438e318d32ea11a6dc441d8cf3bfbea74bff10640a22892e7630aa3ecc78022418287af1367634e4ed9b3 |
memory/508-13-0x0000000000400000-0x000000000042A000-memory.dmp
memory/508-21-0x0000000000400000-0x000000000042A000-memory.dmp
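Whatever the automated verdict, the two runs leave three things worth pivoting on: an outbound HTTP contact to wecan.hasthe.technology, a domain that resolved to a different address in each run, and an executable dropped under Temp whose name suffix and hashes differ between runs. The script below is an added example written for this page, not sandbox output: it takes the Network and Files rows of both runs (transcribed here as constructed input), discards the reverse-lookup background that the report ties to no process, collects every address seen per domain, checks whether those addresses sit in Cloudflare's anycast ranges, and compares the dropped files across runs to decide whether the hash or the name prefix is the usable indicator.

```python
import ipaddress
import os
from collections import defaultdict

# (destination, domain, proto) rows transcribed from the Network tables of both runs above.
NETWORK_ROWS = {
    "behavioral1": [
        ("8.8.8.8:53", "wecan.hasthe.technology", "udp"),
        ("104.21.59.199:80", "wecan.hasthe.technology", "tcp"),
        ("104.21.59.199:80", "wecan.hasthe.technology", "tcp"),
        ("8.8.8.8:53", "wecan.hasthe.technology", "udp"),
        ("104.21.59.199:80", "wecan.hasthe.technology", "tcp"),
    ],
    "behavioral2": [
        ("8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
        ("8.8.8.8:53", "217.106.137.52.in-addr.arpa", "udp"),
        ("8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
        ("8.8.8.8:53", "68.32.126.40.in-addr.arpa", "udp"),
        ("8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
        ("8.8.8.8:53", "154.239.44.20.in-addr.arpa", "udp"),
        ("8.8.8.8:53", "97.17.167.52.in-addr.arpa", "udp"),
        ("8.8.8.8:53", "wecan.hasthe.technology", "udp"),
        ("172.67.183.40:80", "wecan.hasthe.technology", "tcp"),
        ("8.8.8.8:53", "212.20.149.52.in-addr.arpa", "udp"),
        ("8.8.8.8:53", "40.183.67.172.in-addr.arpa", "udp"),
        ("8.8.8.8:53", "15.164.165.52.in-addr.arpa", "udp"),
        ("8.8.8.8:53", "75.117.19.2.in-addr.arpa", "udp"),
        ("172.67.183.40:80", "wecan.hasthe.technology", "tcp"),
        ("8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
        ("172.67.183.40:80", "wecan.hasthe.technology", "tcp"),
        ("8.8.8.8:53", "23.236.111.52.in-addr.arpa", "udp"),
    ],
}
# (dropped file name, SHA256) from the Files sections of both runs above.
DROPPED_FILES = {
    "behavioral1": ("rifaien2-vzQ0QtHVHfPdlNcC.exe",
                    "aa493ed6376487782e36a4ff83e71f0c22af1009596d1506623e2c2673ca0770"),
    "behavioral2": ("rifaien2-Vw2r4FTDTRaaOwec.exe",
                    "e6c025426865717605e880329471bbd1e0b69a3d50fb88394ef9a3ede15ae682"),
}
SANDBOX_RESOLVER = "8.8.8.8:53"
# Cloudflare's main anycast ranges: an address here identifies a CDN edge, not the operator's origin.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]


def triage_network(rows_by_run):
    """Split sample-driven traffic from resolver/PTR background; collect every IP seen per domain."""
    ips_by_domain = defaultdict(set)
    ptr_noise = 0
    for rows in rows_by_run.values():
        for dest, domain, _proto in rows:
            if domain.endswith(".in-addr.arpa"):
                ptr_noise += 1                       # reverse lookups: the report ties no process to them
                continue
            if dest == SANDBOX_RESOLVER:
                ips_by_domain.setdefault(domain, set())   # forward lookup: keep the domain, no IP yet
                continue
            ip, _port = dest.rsplit(":", 1)
            ips_by_domain[domain].add(ip)
    behind_cdn = {
        d: all(any(ipaddress.ip_address(ip) in net for net in CDN_RANGES) for ip in ips)
        for d, ips in ips_by_domain.items() if ips
    }
    return {"domains": dict(ips_by_domain), "behind_cdn": behind_cdn, "ptr_noise_rows": ptr_noise}


def triage_dropped(files_by_run):
    """If per-run drops share a name prefix but not a hash, the prefix is the pivot, not the hash."""
    names = [name for name, _ in files_by_run.values()]
    hashes = {digest for _, digest in files_by_run.values()}
    return {"name_prefix": os.path.commonprefix(names),
            "hash_stable": len(hashes) == 1,
            "unique_hashes": len(hashes)}


if __name__ == "__main__":
    print(triage_network(NETWORK_ROWS))
    print(triage_dropped(DROPPED_FILES))
```

For this report the result is one contacted domain with two Cloudflare-fronted addresses (so block or hunt on the domain, not the IP), thirteen PTR rows of background noise, and a drop whose stable part is the rifaien2- prefix plus the Temp location, with a fresh hash each run.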