f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
14/12/2023, 20:00 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
Size

1.7MB
MD5

100c7080888f38bb0fa57d3380b0c9dc
SHA1

1b791a5b09e883f388ab06f56a22823743ab483a
SHA256

f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73
SHA512

7ac3c8bde8282a92bdba737211c5caf70d9949045e7f1e03d4afb0b9c8aec38d0fb695de7fad8bf0ed394a955f144642f5ba1b855613b6437da3c75cb49c76a9
SSDEEP

24576:u2QpUGbjXOnUxvF6FxoP0E8/7jKeRZMZPjyN4DSVXT5Xf5qqya:u2EbYUx96FxNEA7jL4WN9XT5XRv1

Score

1^/10

Malware Config

Signatures

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
Token: SeDebugPrivilege	2016	f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe

C:\Users\Admin\AppData\Local\Temp\f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe
"C:\Users\Admin\AppData\Local\Temp\f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

Network

DNS

flingtrainer.com

f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe

Remote address:

8.8.8.8:53

Request

flingtrainer.com

IN A

Response

flingtrainer.com

IN A

188.114.97.2

flingtrainer.com

IN A

188.114.96.2
GET

https://flingtrainer.com/wp-content/check-for-trainer-update/get-trainer-update

f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe

Remote address:

188.114.97.2:443

Request

GET /wp-content/check-for-trainer-update/get-trainer-update HTTP/1.1
User-Agent: FLiNGTrainer
Host: flingtrainer.com

Response

HTTP/1.1 200 OK

Date: Thu, 14 Dec 2023 20:01:07 GMT
Content-Length: 6
Connection: keep-alive
last-modified: Tue, 09 May 2023 12:34:22 GMT
etag: "6-5fb41f9908f80"
accept-ranges: bytes
Cache-Control: no-cache, no-store, must-revalidate
pragma: no-cache
expires: 0
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=gADoKXF1y8gfVuY%2BR%2FU3LKS0FHKkj9GhGnGkbF1tbfI%2FQwzcwUgkxspuD%2BRsNlC44Jc3VWDjsGNHn9uOMMg%2FxaxRzYuNj2XVtt73WfMYU%2BNpRlGaAEb1VTwlb7kF1kclGH8m"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8359096fa9f323e9-LHR
alt-svc: h3=":443"; ma=86400
DNS

apps.identrust.com

f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe

Remote address:

8.8.8.8:53

Request

apps.identrust.com

IN A

Response

apps.identrust.com

IN CNAME

identrust.edgesuite.net

identrust.edgesuite.net

IN CNAME

a1952.dscq.akamai.net

a1952.dscq.akamai.net

IN A

96.17.179.184

a1952.dscq.akamai.net

IN A

96.17.179.205
GET

http://apps.identrust.com/roots/dstrootcax3.p7c

f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe

Remote address:

96.17.179.184:80

Request

GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

Response

HTTP/1.1 200 OK

X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Robots-Tag: noindex
Referrer-Policy: same-origin
Last-Modified: Fri, 13 Oct 2023 16:28:31 GMT
ETag: "37d-6079b8c0929c0"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Thu, 14 Dec 2023 21:01:05 GMT
Date: Thu, 14 Dec 2023 20:01:05 GMT
Connection: keep-alive
DNS

x2.c.lencr.org

f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe

Remote address:

8.8.8.8:53

Request

x2.c.lencr.org

IN A

Response

x2.c.lencr.org

IN CNAME

crl.root-x1.letsencrypt.org.edgekey.net

crl.root-x1.letsencrypt.org.edgekey.net

IN CNAME

e8652.dscx.akamaiedge.net

e8652.dscx.akamaiedge.net

IN A

104.103.158.127
GET

http://x2.c.lencr.org/

f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe

Remote address:

104.103.158.127:80

Request

GET / HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: x2.c.lencr.org

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/pkix-crl
Last-Modified: Fri, 04 Aug 2023 20:57:56 GMT
ETag: "64cd6654-12c"
Cache-Control: max-age=3600
Expires: Thu, 14 Dec 2023 21:01:06 GMT
Date: Thu, 14 Dec 2023 20:01:06 GMT
Content-Length: 300
Connection: keep-alive
GET

https://flingtrainer.com/wp-content/check-for-trainer-update/wo-long-fallen-dynasty-trainer

f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe

Remote address:

188.114.97.2:443

Request

GET /wp-content/check-for-trainer-update/wo-long-fallen-dynasty-trainer HTTP/1.1
User-Agent: FLiNGTrainer
Host: flingtrainer.com

Response

HTTP/1.1 200 OK

Date: Thu, 14 Dec 2023 20:01:08 GMT
Content-Length: 12
Connection: keep-alive
last-modified: Thu, 14 Dec 2023 18:17:17 GMT
etag: "c-60c7c4b348604"
accept-ranges: bytes
Cache-Control: no-cache, no-store, must-revalidate
pragma: no-cache
expires: 0
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=R5rsf%2Fbb0npvUYqOc8mWHek1XxBVO5HfWbJyR0MXfHBxuplGE3KRd46rRm0KD%2F9ysLig6P8HnMtP5IThPsAfm5LK5UCQD7vbNzrhm2BATyNDW3lyTuwovx7dRn8DOFe31UPJ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8359097598ed0712-LHR
alt-svc: h3=":443"; ma=86400

188.114.97.2:443

https://flingtrainer.com/wp-content/check-for-trainer-update/get-trainer-update

tls, http

f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe

950 B
7.0kB
11
11

HTTP Request

GET https://flingtrainer.com/wp-content/check-for-trainer-update/get-trainer-update

HTTP Response

200
96.17.179.184:80

http://apps.identrust.com/roots/dstrootcax3.p7c

http

f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe

421 B
1.6kB
6
5

HTTP Request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

HTTP Response

200
104.103.158.127:80

http://x2.c.lencr.org/

http

f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe

396 B
1.4kB
6
4

HTTP Request

GET http://x2.c.lencr.org/

HTTP Response

200
188.114.97.2:443

https://flingtrainer.com/wp-content/check-for-trainer-update/wo-long-fallen-dynasty-trainer

tls, http

f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe

902 B
7.0kB
9
11

HTTP Request

GET https://flingtrainer.com/wp-content/check-for-trainer-update/wo-long-fallen-dynasty-trainer

HTTP Response

200

8.8.8.8:53

flingtrainer.com

dns

f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe

62 B
94 B
1
1

DNS Request

flingtrainer.com

DNS Response

188.114.97.2

188.114.96.2
8.8.8.8:53

apps.identrust.com

dns

f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe

64 B
165 B
1
1

DNS Request

apps.identrust.com

DNS Response

96.17.179.184

96.17.179.205
8.8.8.8:53

x2.c.lencr.org

dns

f31c1587e95ca26a03d4b0609925750c4a55cbfd4b302324c9a2e030e589ac73.exe

60 B
165 B
1
1

DNS Request

x2.c.lencr.org

DNS Response

104.103.158.127

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ee89f2549b22ccc844863a46ae2bca60

SHA1
456d69d35a470e834ef35fc294d5ad2491584abe

SHA256
04c6eda9f273a1469592f190c9d20d75e001d1d4a83ec58095debbce27baecb7

SHA512
f3ca757924f4ff5b65e4fa55afb6f035f303f5c779d6f55057324b0d40dd13fdc7a3c4164c6e78b7a0566fc0005f79cd84e886be4d2a20197c6785fe08bebbfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5717.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5866.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2016-3-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/2016-5-0x0000000001DB0000-0x0000000001DBA000-memory.dmp

Filesize
40KB

Download
memory/2016-4-0x0000000001DB0000-0x0000000001DBA000-memory.dmp

Filesize
40KB

Download
memory/2016-10-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/2016-6-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/2016-0-0x0000000001D60000-0x0000000001D94000-memory.dmp

Filesize
208KB

Download
memory/2016-2-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/2016-1-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/2016-157-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/2016-158-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/2016-159-0x0000000001DB0000-0x0000000001DBA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.