280e4c799abfcdf0bcc5782c1fc2eb2ef7fc418088f5a6dea2e390909629ecf8

Analysis

max time kernel
111s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2023, 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FLiNGTrainer_setup.exe
Size

21.4MB
MD5

e279975459d911e7b0a928c850165078
SHA1

b0564bc8e281879993fa1b6a8c5ed1f360c9a465
SHA256

280e4c799abfcdf0bcc5782c1fc2eb2ef7fc418088f5a6dea2e390909629ecf8
SHA512

9156011eb458f82b148d8eff98358406376ee917fddbf52bd7f0d0b5dd0cca96797ecaef6986bbb06a81fbe96f748ba2343e057b5fa4cef73c8c920020a4eab2
SSDEEP

393216:Im1jFCP1pk2yKdNxExEa6yweCa8eokjaI71QSNlg8kQEUiPQiZ:Im1jFCdtdNxExEa5B8eoYaI7Cow

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 9 IoCs

pid	Process
2328	FLiNGTrainer_setup.exe
2328	FLiNGTrainer_setup.exe
2328	FLiNGTrainer_setup.exe
2328	FLiNGTrainer_setup.exe
2328	FLiNGTrainer_setup.exe
2328	FLiNGTrainer_setup.exe
2328	FLiNGTrainer_setup.exe
2328	FLiNGTrainer_setup.exe
2328	FLiNGTrainer_setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1728	schtasks.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
956	taskkill.exe
5084	taskkill.exe
1684	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	5084	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 956	2328	FLiNGTrainer_setup.exe	84
PID 2328 wrote to memory of 956	2328	FLiNGTrainer_setup.exe	84
PID 2328 wrote to memory of 956	2328	FLiNGTrainer_setup.exe	84
PID 2328 wrote to memory of 5084	2328	FLiNGTrainer_setup.exe	86
PID 2328 wrote to memory of 5084	2328	FLiNGTrainer_setup.exe	86
PID 2328 wrote to memory of 5084	2328	FLiNGTrainer_setup.exe	86
PID 2328 wrote to memory of 1684	2328	FLiNGTrainer_setup.exe	88
PID 2328 wrote to memory of 1684	2328	FLiNGTrainer_setup.exe	88
PID 2328 wrote to memory of 1684	2328	FLiNGTrainer_setup.exe	88
PID 2328 wrote to memory of 4052	2328	FLiNGTrainer_setup.exe	113
PID 2328 wrote to memory of 4052	2328	FLiNGTrainer_setup.exe	113
PID 2328 wrote to memory of 4052	2328	FLiNGTrainer_setup.exe	113
PID 2328 wrote to memory of 1728	2328	FLiNGTrainer_setup.exe	115
PID 2328 wrote to memory of 1728	2328	FLiNGTrainer_setup.exe	115
PID 2328 wrote to memory of 1728	2328	FLiNGTrainer_setup.exe	115

C:\Users\Admin\AppData\Local\Temp\FLiNGTrainer_setup.exe
"C:\Users\Admin\AppData\Local\Temp\FLiNGTrainer_setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im FLiNGTrainer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im iPDFUpdate.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5084
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im starterSetup.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn FLiNGTrainerUpdateSvr{7C2FF28C-154F-445D-8A6F-48A9ADB09AA2} /F
  2⤵
  PID:4052
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn FLiNGTrainerUpdateSvr{7C2FF28C-154F-445D-8A6F-48A9ADB09AA2} /xml "C:\Users\Admin\AppData\Local\FLiNGTrainer\FLiNGTrainerUpdateSvr{7C2FF28C-154F-445D-8A6F-48A9ADB09AA2}.xml"
  2⤵
  - Creates scheduled task(s)
  PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FLiNGTrainer\InstallReport.dll

Filesize
311KB

MD5
2dc0172b56da47ff3287fb7137b35dc3

SHA1
f2c30d3e213ac95a22e2b16959f2ac48e1215d10

SHA256
7ee74c52c671941725ec769f5b174984ba2631122211b464a2604e3bec8e8192

SHA512
564b1edf8ceaf4b9fa991f65bf5356efbca52c1bb9025e3b480af2c0464158bf6fcfd052a58623ed6d76eef8d0e26ea14e0d360f8a36ec9d847b94f7151559e7

Download Submit
C:\Users\Admin\AppData\Local\FLiNGTrainer\InstallReport.dll

Filesize
311KB

MD5
2dc0172b56da47ff3287fb7137b35dc3

SHA1
f2c30d3e213ac95a22e2b16959f2ac48e1215d10

SHA256
7ee74c52c671941725ec769f5b174984ba2631122211b464a2604e3bec8e8192

SHA512
564b1edf8ceaf4b9fa991f65bf5356efbca52c1bb9025e3b480af2c0464158bf6fcfd052a58623ed6d76eef8d0e26ea14e0d360f8a36ec9d847b94f7151559e7

Download Submit
C:\Users\Admin\AppData\Local\FLiNGTrainer\libReportParam2.dll

Filesize
855KB

MD5
e98827a25c12b94cd301572ce3860388

SHA1
edf18d4838f6e3fbb2ecbb726e02fba69510d446

SHA256
218cc47fde944ea9a7be1f5a2e762a8f74be99944d3c0c02df3dfc7a5babcdfc

SHA512
ac207064eb2428dc978267c28fccfe1ff160d1ac286a24826b7ed24e81c77c0f1466e9f613e9f250b08985f3fa0471713c4c007e451695cd4caac238a3afe800

Download Submit
C:\Users\Admin\AppData\Local\FLiNGTrainer\libReportParam2.dll

Filesize
855KB

MD5
e98827a25c12b94cd301572ce3860388

SHA1
edf18d4838f6e3fbb2ecbb726e02fba69510d446

SHA256
218cc47fde944ea9a7be1f5a2e762a8f74be99944d3c0c02df3dfc7a5babcdfc

SHA512
ac207064eb2428dc978267c28fccfe1ff160d1ac286a24826b7ed24e81c77c0f1466e9f613e9f250b08985f3fa0471713c4c007e451695cd4caac238a3afe800

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj8524.tmp\BgWorker.dll

Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj8524.tmp\System.dll

Filesize
10KB

MD5
b0a81b7b1bd6bbfe15e609df42791d22

SHA1
1b6f6726740b02aafdbe19cdc7b9dc5a2fdc4f75

SHA256
f9c47cf365f3607bc9abbce76839d02e6309a0d4389f1d2e0efb8d01e32459e9

SHA512
e105e7a3d4a908e59a8c8ab480d228bc4106e93f7fb833e6a5dea5ee0f2757c8617bda181324a059568d4b4c0b72b8628e60cf520c4f1b282305dbb34b5da194

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj8524.tmp\System.dll

Filesize
10KB

MD5
b0a81b7b1bd6bbfe15e609df42791d22

SHA1
1b6f6726740b02aafdbe19cdc7b9dc5a2fdc4f75

SHA256
f9c47cf365f3607bc9abbce76839d02e6309a0d4389f1d2e0efb8d01e32459e9

SHA512
e105e7a3d4a908e59a8c8ab480d228bc4106e93f7fb833e6a5dea5ee0f2757c8617bda181324a059568d4b4c0b72b8628e60cf520c4f1b282305dbb34b5da194

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj8524.tmp\System.dll

Filesize
10KB

MD5
b0a81b7b1bd6bbfe15e609df42791d22

SHA1
1b6f6726740b02aafdbe19cdc7b9dc5a2fdc4f75

SHA256
f9c47cf365f3607bc9abbce76839d02e6309a0d4389f1d2e0efb8d01e32459e9

SHA512
e105e7a3d4a908e59a8c8ab480d228bc4106e93f7fb833e6a5dea5ee0f2757c8617bda181324a059568d4b4c0b72b8628e60cf520c4f1b282305dbb34b5da194

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj8524.tmp\nsDui.dll

Filesize
2.0MB

MD5
ab28e8be30c652ffa26d2c84b2a4f245

SHA1
b2b166b9dbe7111b300fc725db8413507efa244f

SHA256
6efb470e34aa413b35cc5b30850a857a1ec15dc70f9102b7cafe57dd3d2c241d

SHA512
a47b63a0930fa4773abe39395ead7826a62071844120f10e863b7d92d9da5c45dbe62e090d5ec88372f6fce4543f7abb501c30227e588c94128f8c6766e391fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj8524.tmp\nsDui.dll

Filesize
2.0MB

MD5
ab28e8be30c652ffa26d2c84b2a4f245

SHA1
b2b166b9dbe7111b300fc725db8413507efa244f

SHA256
6efb470e34aa413b35cc5b30850a857a1ec15dc70f9102b7cafe57dd3d2c241d

SHA512
a47b63a0930fa4773abe39395ead7826a62071844120f10e863b7d92d9da5c45dbe62e090d5ec88372f6fce4543f7abb501c30227e588c94128f8c6766e391fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj8524.tmp\nsExec.dll

Filesize
6KB

MD5
2fd10d2f8ae885cc7e34ff21703aef6c

SHA1
7a1862a0240684a423c2d988557ab5b306af85e1

SHA256
e0959b690f25160d590cfd7e2467bb9ce7e9d959663e7e203f502dce5246507d

SHA512
fde884c9e988dd04a0e6b1e14b295e911b3d835ca92ed1a7a4c8bdc05326446092d17f75013a4ec9dc3e05cb351fd42b87d9ed96df70d0d5e4c9048f5fb5a546

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj8524.tmp\nsExec.dll

Filesize
6KB

MD5
2fd10d2f8ae885cc7e34ff21703aef6c

SHA1
7a1862a0240684a423c2d988557ab5b306af85e1

SHA256
e0959b690f25160d590cfd7e2467bb9ce7e9d959663e7e203f502dce5246507d

SHA512
fde884c9e988dd04a0e6b1e14b295e911b3d835ca92ed1a7a4c8bdc05326446092d17f75013a4ec9dc3e05cb351fd42b87d9ed96df70d0d5e4c9048f5fb5a546

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj8524.tmp\nsExec.dll

Filesize
6KB

MD5
2fd10d2f8ae885cc7e34ff21703aef6c

SHA1
7a1862a0240684a423c2d988557ab5b306af85e1

SHA256
e0959b690f25160d590cfd7e2467bb9ce7e9d959663e7e203f502dce5246507d

SHA512
fde884c9e988dd04a0e6b1e14b295e911b3d835ca92ed1a7a4c8bdc05326446092d17f75013a4ec9dc3e05cb351fd42b87d9ed96df70d0d5e4c9048f5fb5a546

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj8524.tmp\nsExec.dll

Filesize
6KB

MD5
2fd10d2f8ae885cc7e34ff21703aef6c

SHA1
7a1862a0240684a423c2d988557ab5b306af85e1

SHA256
e0959b690f25160d590cfd7e2467bb9ce7e9d959663e7e203f502dce5246507d

SHA512
fde884c9e988dd04a0e6b1e14b295e911b3d835ca92ed1a7a4c8bdc05326446092d17f75013a4ec9dc3e05cb351fd42b87d9ed96df70d0d5e4c9048f5fb5a546

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads