Analysis

  • max time kernel
    111s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/11/2024, 05:08 UTC

General

  • Target

    2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880N.exe

  • Size

    83KB

  • MD5

    ec47b2e3a439d4b1ba2df376fa7f6350

  • SHA1

    ca00f5f5957901a39933d8a0652b2ac7667a709c

  • SHA256

    2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880

  • SHA512

    a7872cdbec2b637569a758a6a32dc82a1080f25c7d942bb0fb9962cf18bee709fdc3072abc66c61194664485d742753b5c29c886a39b762f2383d602341eab54

  • SSDEEP

    1536:LJaPJpAz869DUxWB+i4OQ4NR2Kk+aSnfZaG8fcaOCzGquSE0cF+fKu:LJ0TAz6Mte4A+aaZx8EnCGVuff

Score
5/10

Malware Config

Signatures

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880N.exe
    "C:\Users\Admin\AppData\Local\Temp\2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880N.exe"
    PID: 1668
    • System Location Discovery: System Language Discovery

Network

  • DNS (US)
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • DNS (US)
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    2.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.159.190.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    wecan.hasthe.technology
    2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880N.exe
    Remote address:
    8.8.8.8:53
    Request
    wecan.hasthe.technology
    IN A
    Response
    wecan.hasthe.technology
    IN A
    172.67.183.40
    wecan.hasthe.technology
    IN A
    104.21.59.199
  • POST (US)
    http://wecan.hasthe.technology/upload
    2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880N.exe
    Remote address:
    172.67.183.40:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85485
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------a75ee7f6f8994358
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sat, 30 Nov 2024 05:08:40 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Sat, 30 Nov 2024 06:08:40 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TBnuPJAsbF%2Ba93uYQmADkBm0eiGuiuCIWzs7SzbIRJevzjiJuE6krpRWr7aUryweUKpd77zb8Z%2BY38ENLOCZQWHfdFwktgxeVi6l9tjQdTJ6b1q%2BKN2vTZi0QDWPF6rmh4x6%2BacoSYil4g%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ea852255f4299c8-CDG
  • DNS (US)
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    40.183.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    40.183.67.172.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • POST (US)
    http://wecan.hasthe.technology/upload
    2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880N.exe
    Remote address:
    172.67.183.40:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85485
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------480c7e31173f3bb8
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sat, 30 Nov 2024 05:09:10 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Sat, 30 Nov 2024 06:09:10 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L%2BxyaPCxF4yWBtTEiLQelBd0KqemPWEZt9bF4nGYgHxL6qidVs%2FWftpeSBZjGIAcbyCmvNHYk1vRyqLwCzkrkFUnmT9%2FfeZ4JyfVJZw%2BeKc2ucdL%2BZ7beThuGEvlOaYOwAMzzO6oE7nhJA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ea852e2be66d0a4-CDG
  • POST (US)
    http://wecan.hasthe.technology/upload
    2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880N.exe
    Remote address:
    172.67.183.40:80
    Request
    POST /upload HTTP/1.1
    Host: wecan.hasthe.technology
    Accept: */*
    Content-Length: 85485
    Expect: 100-continue
    Content-Type: multipart/form-data; boundary=------------------------db6aeb0185558437
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sat, 30 Nov 2024 05:09:40 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Sat, 30 Nov 2024 06:09:40 GMT
    Location: https://computernewb.com/collab-vm/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=63JlpfYzkNUIVVIbYlkL1ibb1Lz3pT0yo89JXMx6pRkLLLslvA1RpcYAwE0xt9V9JBvcn2ME%2Bcm1V5kaKLzrxYa0TeQIbecIqLDjyiTg%2FHFI24Guxfxtaoi20bnFZqZ3DGmbjsOajbgEMw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ea853a03e22edf2-LHR
  • DNS (US)
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 172.67.183.40:80
    http://wecan.hasthe.technology/upload
    http
    2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880N.exe
    88.6kB
    3.3kB
    71
    61

    HTTP Request

    POST http://wecan.hasthe.technology/upload

    HTTP Response

    301
  • 172.67.183.40:80
    http://wecan.hasthe.technology/upload
    http
    2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880N.exe
    88.5kB
    2.1kB
    69
    32

    HTTP Request

    POST http://wecan.hasthe.technology/upload

    HTTP Response

    301
  • 172.67.183.40:80
    http://wecan.hasthe.technology/upload
    http
    2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880N.exe
    88.6kB
    2.4kB
    71
    40

    HTTP Request

    POST http://wecan.hasthe.technology/upload

    HTTP Response

    301
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    2.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    wecan.hasthe.technology
    dns
    2283a75d3ab26c435c0924adf7a591067e0f59cf0b39fd646516e94e5c236880N.exe
    69 B
    101 B
    1
    1

    DNS Request

    wecan.hasthe.technology

    DNS Response

    172.67.183.40
    104.21.59.199

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    40.183.67.172.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    40.183.67.172.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\rifaien2-Sy8A007GIs7Yhy6O.exe

    Filesize

    83KB

    MD5

    590592d57a8428eb52fb8e4edd87ae2b

    SHA1

    704c15cb9670d891163bd5510e36ff1978363441

    SHA256

    7ebf01ade95f991b6efb5e7d01d9b4f963bf7bba44c423c5ffa0181c915ffea4

    SHA512

    f5c8337785ca6b12fbf97e52f4bf0ce7d6b5c1dff93bf942e8c2b53c13062bf3b88065614ff0f124d5d85a9def812aa93f8a9d0678512be27ea0eb66927f69b6

  • memory/1668-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1668-2-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1668-5-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1668-9-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1668-16-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1668-23-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB
