Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/10/2023, 10:06 UTC

General

  • Target

    a1d45b7b7fa32bbc504f5bb9a2c2d08666b69f34b62ac5e8bd2797e27da07539.exe

  • Size

    1.5MB

  • MD5

    aab6f799cfd3227988175963f7033304

  • SHA1

    b31bf91063611716c1e9fdfb4be9f38671717746

  • SHA256

    a1d45b7b7fa32bbc504f5bb9a2c2d08666b69f34b62ac5e8bd2797e27da07539

  • SHA512

    ebdeacdaf6003651db7c532520cbeabb7757f64110c576f12c07fbc69bb09f9a3a3b6e2b59bb1ca12005469a6d2ce61318af6fd3878fb9aa0f999b01ffb13f19

  • SSDEEP

    24576:WmMFxPqRfhqoVv0C/1Hdkeya3AWOENDSVXT5X3:6xyRfhqoCC1dr1w4SXT5X

Score
1/10

Malware Config

Signatures

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1d45b7b7fa32bbc504f5bb9a2c2d08666b69f34b62ac5e8bd2797e27da07539.exe
    "C:\Users\Admin\AppData\Local\Temp\a1d45b7b7fa32bbc504f5bb9a2c2d08666b69f34b62ac5e8bd2797e27da07539.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1888

Network

  • flag-us
    DNS
    flingtrainer.com
    a1d45b7b7fa32bbc504f5bb9a2c2d08666b69f34b62ac5e8bd2797e27da07539.exe
    Remote address:
    8.8.8.8:53
    Request
    flingtrainer.com
    IN A
    Response
    flingtrainer.com
    IN A
    188.114.96.0
    flingtrainer.com
    IN A
    188.114.97.0
  • flag-us
    GET
    https://flingtrainer.com/wp-content/check-for-trainer-update/get-trainer-update
    a1d45b7b7fa32bbc504f5bb9a2c2d08666b69f34b62ac5e8bd2797e27da07539.exe
    Remote address:
    188.114.96.0:443
    Request
    GET /wp-content/check-for-trainer-update/get-trainer-update HTTP/1.1
    User-Agent: FLiNGTrainer
    Host: flingtrainer.com
    Response
    HTTP/1.1 200 OK
    Date: Fri, 20 Oct 2023 10:06:41 GMT
    Content-Length: 6
    Connection: keep-alive
    last-modified: Tue, 09 May 2023 12:34:22 GMT
    etag: "6-5fb41f9908f80"
    accept-ranges: bytes
    Cache-Control: no-cache, no-store, must-revalidate
    pragma: no-cache
    expires: 0
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=cIXmR5NKNNNbIUauKCb0W5%2FTlXc0QgkNG93BZnXEDgNcfI4mQNgEfMg0qwt6a8aUelHvtSWe6UM%2BPeLa2h5%2BBQIA3KLeXS6HsjnNVvgwH5rGrntsDKe88yOkt450tG7e7G%2Fj"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 81907310389c0e81-AMS
    alt-svc: h3=":443"; ma=86400
  • flag-us
    GET
    https://flingtrainer.com/wp-content/check-for-trainer-update/gui-gu-ba-huang-trainer
    a1d45b7b7fa32bbc504f5bb9a2c2d08666b69f34b62ac5e8bd2797e27da07539.exe
    Remote address:
    188.114.96.0:443
    Request
    GET /wp-content/check-for-trainer-update/gui-gu-ba-huang-trainer HTTP/1.1
    User-Agent: FLiNGTrainer
    Host: flingtrainer.com
    Response
    HTTP/1.1 200 OK
    Date: Fri, 20 Oct 2023 10:06:41 GMT
    Content-Length: 12
    Connection: keep-alive
    last-modified: Fri, 20 Oct 2023 09:16:01 GMT
    etag: "c-60822523d786e"
    accept-ranges: bytes
    Cache-Control: no-cache, no-store, must-revalidate
    pragma: no-cache
    expires: 0
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=g%2BseyBB1qudeon0ZJqEOoL10xhOL2e1mkJGgq4Mg7jqAJ8jNVsY1i3%2BJhZq43xhoejWSwmN7gaH8FSFV8qSfFrSQqieBTYuRpIhvFmXkDZ9MwGyly1I25Bj13jhFC5u5o2cX"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8190731778290e81-AMS
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    apps.identrust.com
    a1d45b7b7fa32bbc504f5bb9a2c2d08666b69f34b62ac5e8bd2797e27da07539.exe
    Remote address:
    8.8.8.8:53
    Request
    apps.identrust.com
    IN A
    Response
    apps.identrust.com
    IN CNAME
    identrust.edgesuite.net
    identrust.edgesuite.net
    IN CNAME
    a1952.dscq.akamai.net
    a1952.dscq.akamai.net
    IN A
    88.221.25.169
    a1952.dscq.akamai.net
    IN A
    88.221.25.153
  • flag-nl
    GET
    http://apps.identrust.com/roots/dstrootcax3.p7c
    a1d45b7b7fa32bbc504f5bb9a2c2d08666b69f34b62ac5e8bd2797e27da07539.exe
    Remote address:
    88.221.25.169:80
    Request
    GET /roots/dstrootcax3.p7c HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: apps.identrust.com
    Response
    HTTP/1.1 200 OK
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-Robots-Tag: noindex
    Referrer-Policy: same-origin
    Last-Modified: Fri, 13 Oct 2023 16:28:31 GMT
    ETag: "37d-6079b8c0929c0"
    Accept-Ranges: bytes
    Content-Length: 893
    X-Content-Type-Options: nosniff
    X-Frame-Options: sameorigin
    Content-Type: application/pkcs7-mime
    Cache-Control: max-age=3600
    Expires: Fri, 20 Oct 2023 11:06:40 GMT
    Date: Fri, 20 Oct 2023 10:06:40 GMT
    Connection: keep-alive
  • flag-us
    DNS
    x2.c.lencr.org
    a1d45b7b7fa32bbc504f5bb9a2c2d08666b69f34b62ac5e8bd2797e27da07539.exe
    Remote address:
    8.8.8.8:53
    Request
    x2.c.lencr.org
    IN A
    Response
    x2.c.lencr.org
    IN CNAME
    crl.root-x1.letsencrypt.org.edgekey.net
    crl.root-x1.letsencrypt.org.edgekey.net
    IN CNAME
    e8652.dscx.akamaiedge.net
    e8652.dscx.akamaiedge.net
    IN A
    23.42.174.147
  • flag-hk
    GET
    http://x2.c.lencr.org/
    a1d45b7b7fa32bbc504f5bb9a2c2d08666b69f34b62ac5e8bd2797e27da07539.exe
    Remote address:
    23.42.174.147:80
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: x2.c.lencr.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/pkix-crl
    Last-Modified: Fri, 04 Aug 2023 20:57:56 GMT
    ETag: "64cd6654-12c"
    Cache-Control: max-age=3600
    Expires: Fri, 20 Oct 2023 11:06:40 GMT
    Date: Fri, 20 Oct 2023 10:06:40 GMT
    Content-Length: 300
    Connection: keep-alive
  • 188.114.96.0:443
    https://flingtrainer.com/wp-content/check-for-trainer-update/gui-gu-ba-huang-trainer
    tls, http
    a1d45b7b7fa32bbc504f5bb9a2c2d08666b69f34b62ac5e8bd2797e27da07539.exe
    1.1kB
    7.0kB
    11
    11

    HTTP Request

    GET https://flingtrainer.com/wp-content/check-for-trainer-update/get-trainer-update

    HTTP Response

    200

    HTTP Request

    GET https://flingtrainer.com/wp-content/check-for-trainer-update/gui-gu-ba-huang-trainer

    HTTP Response

    200
  • 88.221.25.169:80
    http://apps.identrust.com/roots/dstrootcax3.p7c
    http
    a1d45b7b7fa32bbc504f5bb9a2c2d08666b69f34b62ac5e8bd2797e27da07539.exe
    369 B
    1.6kB
    5
    4

    HTTP Request

    GET http://apps.identrust.com/roots/dstrootcax3.p7c

    HTTP Response

    200
  • 23.42.174.147:80
    http://x2.c.lencr.org/
    http
    a1d45b7b7fa32bbc504f5bb9a2c2d08666b69f34b62ac5e8bd2797e27da07539.exe
    350 B
    1.4kB
    5
    4

    HTTP Request

    GET http://x2.c.lencr.org/

    HTTP Response

    200
  • 8.8.8.8:53
    flingtrainer.com
    dns
    a1d45b7b7fa32bbc504f5bb9a2c2d08666b69f34b62ac5e8bd2797e27da07539.exe
    62 B
    94 B
    1
    1

    DNS Request

    flingtrainer.com

    DNS Response

    188.114.96.0
    188.114.97.0

  • 8.8.8.8:53
    apps.identrust.com
    dns
    a1d45b7b7fa32bbc504f5bb9a2c2d08666b69f34b62ac5e8bd2797e27da07539.exe
    64 B
    165 B
    1
    1

    DNS Request

    apps.identrust.com

    DNS Response

    88.221.25.169
    88.221.25.153

  • 8.8.8.8:53
    x2.c.lencr.org
    dns
    a1d45b7b7fa32bbc504f5bb9a2c2d08666b69f34b62ac5e8bd2797e27da07539.exe
    60 B
    165 B
    1
    1

    DNS Request

    x2.c.lencr.org

    DNS Response

    23.42.174.147

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    304B

    MD5

    26220f7137c20d1e550af0dac688b4a3

    SHA1

    8f7404c27e4c0056ed4afa4ba9e403202e040d07

    SHA256

    f0241f84f1802eb466ef761e5b470517b2adc484412ca0cf0d92704875cf487c

    SHA512

    fdd96d8776a0107a80c411a0a1f3ee43ed5d739be5e7679b27926bd351a3ba369aa23e552af1c2a1971d42b2c132c921ba567d3856c001f4eaf3f66efb5a6df6

  • C:\Users\Admin\AppData\Local\Temp\Cab758F.tmp

    Filesize

    61KB

    MD5

    f3441b8572aae8801c04f3060b550443

    SHA1

    4ef0a35436125d6821831ef36c28ffaf196cda15

    SHA256

    6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

    SHA512

    5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

  • C:\Users\Admin\AppData\Local\Temp\Tar75C1.tmp

    Filesize

    163KB

    MD5

    9441737383d21192400eca82fda910ec

    SHA1

    725e0d606a4fc9ba44aa8ffde65bed15e65367e4

    SHA256

    bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

    SHA512

    7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

  • memory/1888-6-0x000000001B1C0000-0x000000001B240000-memory.dmp

    Filesize

    512KB

  • memory/1888-0-0x0000000000340000-0x0000000000374000-memory.dmp

    Filesize

    208KB

  • memory/1888-5-0x0000000001D30000-0x0000000001D3A000-memory.dmp

    Filesize

    40KB

  • memory/1888-4-0x0000000001D30000-0x0000000001D3A000-memory.dmp

    Filesize

    40KB

  • memory/1888-2-0x000000001B1C0000-0x000000001B240000-memory.dmp

    Filesize

    512KB

  • memory/1888-3-0x000000001B1C0000-0x000000001B240000-memory.dmp

    Filesize

    512KB

  • memory/1888-1-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

    Filesize

    9.9MB

  • memory/1888-97-0x000000001B1C0000-0x000000001B240000-memory.dmp

    Filesize

    512KB

  • memory/1888-101-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

    Filesize

    9.9MB

  • memory/1888-102-0x000000001B1C0000-0x000000001B240000-memory.dmp

    Filesize

    512KB

  • memory/1888-103-0x0000000001D30000-0x0000000001D3A000-memory.dmp

    Filesize

    40KB

  • memory/1888-104-0x0000000001D30000-0x0000000001D3A000-memory.dmp

    Filesize

    40KB

  • memory/1888-105-0x000000001B1C0000-0x000000001B240000-memory.dmp

    Filesize

    512KB
