Analysis
-
max time kernel
111s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30/11/2024, 05:08 UTC
Behavioral task
behavioral1
Sample
2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880N.exe
Resource
win7-20240903-en
General
-
Target
2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880N.exe
-
Size
83KB
-
MD5
ec47b2e3a439d4b1ba2df376fa7f6350
-
SHA1
ca00f5f5957901a39933d8a0652b2ac7667a709c
-
SHA256
2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880
-
SHA512
a7872cdbec2b637569a758a6a32dc82a1080f25c7d942bb0fb9962cf18bee709fdc3072abc66c61194664485d742753b5c29c886a39b762f2383d602341eab54
-
SSDEEP
1536:LJaPJpAz869DUxWB+i4OQ4NR2Kk+aSnfZaG8fcaOCzGquSE0cF+fKu:LJ0TAz6Mte4A+aaZx8EnCGVuff
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/1668-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-2-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x000c000000023b93-13.dat upx behavioral2/memory/1668-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-23-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880N.exe
Processes
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request133.211.185.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request2.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestwecan.hasthe.technologyIN AResponsewecan.hasthe.technologyIN A172.67.183.40wecan.hasthe.technologyIN A104.21.59.199
-
POSThttp://wecan.hasthe.technology/upload2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880N.exeRemote address:172.67.183.40:80RequestPOST /upload HTTP/1.1
Host: wecan.hasthe.technology
Accept: */*
Content-Length: 85485
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------a75ee7f6f8994358
ResponseHTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sat, 30 Nov 2024 06:08:40 GMT
Location: https://computernewb.com/collab-vm/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TBnuPJAsbF%2Ba93uYQmADkBm0eiGuiuCIWzs7SzbIRJevzjiJuE6krpRWr7aUryweUKpd77zb8Z%2BY38ENLOCZQWHfdFwktgxeVi6l9tjQdTJ6b1q%2BKN2vTZi0QDWPF6rmh4x6%2BacoSYil4g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ea852255f4299c8-CDG
-
Remote address:8.8.8.8:53Request56.163.245.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request40.183.67.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
POSThttp://wecan.hasthe.technology/upload2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880N.exeRemote address:172.67.183.40:80RequestPOST /upload HTTP/1.1
Host: wecan.hasthe.technology
Accept: */*
Content-Length: 85485
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------480c7e31173f3bb8
ResponseHTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sat, 30 Nov 2024 06:09:10 GMT
Location: https://computernewb.com/collab-vm/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L%2BxyaPCxF4yWBtTEiLQelBd0KqemPWEZt9bF4nGYgHxL6qidVs%2FWftpeSBZjGIAcbyCmvNHYk1vRyqLwCzkrkFUnmT9%2FfeZ4JyfVJZw%2BeKc2ucdL%2BZ7beThuGEvlOaYOwAMzzO6oE7nhJA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ea852e2be66d0a4-CDG
-
POSThttp://wecan.hasthe.technology/upload2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880N.exeRemote address:172.67.183.40:80RequestPOST /upload HTTP/1.1
Host: wecan.hasthe.technology
Accept: */*
Content-Length: 85485
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------db6aeb0185558437
ResponseHTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sat, 30 Nov 2024 06:09:40 GMT
Location: https://computernewb.com/collab-vm/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=63JlpfYzkNUIVVIbYlkL1ibb1Lz3pT0yo89JXMx6pRkLLLslvA1RpcYAwE0xt9V9JBvcn2ME%2Bcm1V5kaKLzrxYa0TeQIbecIqLDjyiTg%2FHFI24Guxfxtaoi20bnFZqZ3DGmbjsOajbgEMw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ea853a03e22edf2-LHR
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
172.67.183.40:80http://wecan.hasthe.technology/uploadhttp2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880N.exe88.6kB 3.3kB 71 61
HTTP Request
POST http://wecan.hasthe.technology/uploadHTTP Response
301 -
172.67.183.40:80http://wecan.hasthe.technology/uploadhttp2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880N.exe88.5kB 2.1kB 69 32
HTTP Request
POST http://wecan.hasthe.technology/uploadHTTP Response
301 -
172.67.183.40:80http://wecan.hasthe.technology/uploadhttp2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880N.exe88.6kB 2.4kB 71 40
HTTP Request
POST http://wecan.hasthe.technology/uploadHTTP Response
301
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
133.211.185.52.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
2.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
28.118.140.52.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
228.249.119.40.in-addr.arpa
-
8.8.8.8:53wecan.hasthe.technologydns2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880N.exe69 B 101 B 1 1
DNS Request
wecan.hasthe.technology
DNS Response
172.67.183.40104.21.59.199
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
72 B 134 B 1 1
DNS Request
40.183.67.172.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.227.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
83KB
MD5590592d57a8428eb52fb8e4edd87ae2b
SHA1704c15cb9670d891163bd5510e36ff1978363441
SHA2567ebf01ade95f991b6efb5e7d01d9b4f963bf7bba44c423c5ffa0181c915ffea4
SHA512f5c8337785ca6b12fbf97e52f4bf0ce7d6b5c1dff93bf942e8c2b53c13062bf3b88065614ff0f124d5d85a9def812aa93f8a9d0678512be27ea0eb66927f69b6