Analysis

  • max time kernel
    141s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-11-2024 05:06

General

  • Target

    e8c406a15ea6602ea585eb7922a80d073c6a3cc4ede0d3c2843041ffa2e0c2e0.exe

  • Size

    83KB

  • MD5

    704753ac7fb5ce4195feeb4ebf962a48

  • SHA1

    b92fffceceaf0c296c0e36c7d24a232b99a6275f

  • SHA256

    e8c406a15ea6602ea585eb7922a80d073c6a3cc4ede0d3c2843041ffa2e0c2e0

  • SHA512

    cd889664c8f2f0b511a6bcf197bb42911f9a4e7ccba65d76c7a4fd4e8f852aef348b40e45e9f286593704df9797ffe572efef0932b8e15ff240a93855b68356d

  • SSDEEP

    1536:LJaPJpAz869DUxWB+i4OQ4NR2Kk+aSnfZaG8fcaOCzGquSE0cF+5KK:LJ0TAz6Mte4A+aaZx8EnCGVu5V

Score
5/10

Malware Config

Signatures

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8c406a15ea6602ea585eb7922a80d073c6a3cc4ede0d3c2843041ffa2e0c2e0.exe
    "C:\Users\Admin\AppData\Local\Temp\e8c406a15ea6602ea585eb7922a80d073c6a3cc4ede0d3c2843041ffa2e0c2e0.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2148

Network

  • [US]
    DNS
    wecan.hasthe.technology
    e8c406a15ea6602ea585eb7922a80d073c6a3cc4ede0d3c2843041ffa2e0c2e0.exe
    Remote address:
    8.8.8.8:53
    Request
    wecan.hasthe.technology
    IN A
    Response
    wecan.hasthe.technology
    IN A
    172.67.183.40
    wecan.hasthe.technology
    IN A
    104.21.59.199
  • [US]
    POST
    http://wecan.hasthe.technology/upload
    e8c406a15ea6602ea585eb7922a80d073c6a3cc4ede0d3c2843041ffa2e0c2e0.exe
    Remote address:
    172.67.183.40:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85500
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------a2accfadb85fc698
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sat, 30 Nov 2024 05:06:47 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Sat, 30 Nov 2024 06:06:47 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NNYTbGAh0OjwjKzT8aU3%2BgqBEvT7x6SQ18pEyMk3QBB%2FT9G%2B5c7ktBIG7DV47MTDEZNRjkLb0y%2F8bqLMBHL%2BTETk0isQN6Dtdon2eZn0%2FIOl1Im2p1IfKtOWCt8ebu4GrNZY9IwU9OLI5Q%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ea84f63cd820177-CDG
  • [US]
    POST
    http://wecan.hasthe.technology/upload
    e8c406a15ea6602ea585eb7922a80d073c6a3cc4ede0d3c2843041ffa2e0c2e0.exe
    Remote address:
    172.67.183.40:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85500
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------470abec7db75d186
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sat, 30 Nov 2024 05:07:17 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Sat, 30 Nov 2024 06:07:17 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qQCR3VD61AnrbsIQRyIog9ov0%2FZ16DL%2F92didkcvGteX4A%2FjjXETEJxZNAHti7cJ7O5Kej6N6uK2q5P1uxIExCMr6HUAvQTxeVF7%2FAWbtAKSqLmC7V0L8sXepg9SUQFYTpnyXBDX%2BhGx%2Fg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ea85021ed38d171-CDG
  • [US]
    POST
    http://wecan.hasthe.technology/upload
    e8c406a15ea6602ea585eb7922a80d073c6a3cc4ede0d3c2843041ffa2e0c2e0.exe
    Remote address:
    172.67.183.40:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85500
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------3d987ca87b7b6e3a
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sat, 30 Nov 2024 05:07:48 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Sat, 30 Nov 2024 06:07:48 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NhIirQvb6XHRKd61KtR2WstNcG4Z%2Foq4TDsc3x%2BEsEvrlxV%2Bu02qw0%2BnoDiYH1745eBFq98KxnUn%2Bent%2FGP91QufLRzr1%2B8EqfbqllqKYYThmcTFDHWNTm9dWOckELvB%2B9S6lMKbECwMEw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ea850df9cf903bb-LHR
  • [US]
    POST
    http://wecan.hasthe.technology/upload
    e8c406a15ea6602ea585eb7922a80d073c6a3cc4ede0d3c2843041ffa2e0c2e0.exe
    Remote address:
    172.67.183.40:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85500
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------c9d6541ab9f191f6
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sat, 30 Nov 2024 05:08:18 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Sat, 30 Nov 2024 06:08:18 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ds3nk%2BEIE5nMzYPnPWIByWjv32rZBGk6w8MRzDLwfrnwncncIIbHSY8aerAuFnjM6G7OCe7UCagELc5ScRbaa%2FLFmEDjgDY1c4%2B5V2nRli2sX7vR8zIlZwMiQaNgS5%2FM2vnUMl7E2ZOyOA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ea8519d2c8703ff-CDG
  • 172.67.183.40:80
    http://wecan.hasthe.technology/upload
    http
    e8c406a15ea6602ea585eb7922a80d073c6a3cc4ede0d3c2843041ffa2e0c2e0.exe
    88.7kB
    2.4kB
    74
    39

    HTTP Request

    POST http://wecan.hasthe.technology/upload

    HTTP Response

    301
  • 172.67.183.40:80
    http://wecan.hasthe.technology/upload
    http
    e8c406a15ea6602ea585eb7922a80d073c6a3cc4ede0d3c2843041ffa2e0c2e0.exe
    88.7kB
    2.1kB
    74
    32

    HTTP Request

    POST http://wecan.hasthe.technology/upload

    HTTP Response

    301
  • 172.67.183.40:80
    http://wecan.hasthe.technology/upload
    http
    e8c406a15ea6602ea585eb7922a80d073c6a3cc4ede0d3c2843041ffa2e0c2e0.exe
    88.7kB
    2.4kB
    74
    38

    HTTP Request

    POST http://wecan.hasthe.technology/upload

    HTTP Response

    301
  • 172.67.183.40:80
    http://wecan.hasthe.technology/upload
    http
    e8c406a15ea6602ea585eb7922a80d073c6a3cc4ede0d3c2843041ffa2e0c2e0.exe
    88.7kB
    1.8kB
    74
    24

    HTTP Request

    POST http://wecan.hasthe.technology/upload

    HTTP Response

    301
  • 8.8.8.8:53
    wecan.hasthe.technology
    dns
    e8c406a15ea6602ea585eb7922a80d073c6a3cc4ede0d3c2843041ffa2e0c2e0.exe
    69 B
    101 B
    1
    1

    DNS Request

    wecan.hasthe.technology

    DNS Response

    172.67.183.40
    104.21.59.199

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\rifaien2-lmNJqq9oIShvuBOE.exe

    Filesize

    83KB

    MD5

    b52c49978ece90f6c653c1292d4833fe

    SHA1

    82ec47d142cd4507d8ea9634d2d0f30e3a70b78b

    SHA256

    b5d4d0d33ebb338e11fbdf8d0fd9a69f2f24ca78f0699e426f092b6fc21cd6b8

    SHA512

    b3ef2cea577f923d857847eb11220888724f7c1e3d5b06d21a3afb186de5543b53acf6652835bc6d25d5481c654790dd08c91aecbd9f88100e06edca401b6d1e

  • memory/2148-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2148-1-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2148-5-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2148-12-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2148-22-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2148-29-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB
