d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 23:32 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
Size

1.7MB
MD5

8c236172b855d90bba67cc061bc06b7c
SHA1

ed880bcf3aaa21b542a2b781524a21e285d70363
SHA256

d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e
SHA512

edd704b8ef615076704676b82493e8e99a7043332ddf3f7479aa6f9a5e3cde3ce8b184f06eb450c1cae4a7b0af47a25653172c320e2123c58cbc584515353c3e
SSDEEP

49152:1kfKSSrSgRjrcGNvInXZJqXT5X+VlC51/:4SrSo/InXZJqD5OVlo1/

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	884	d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe

C:\Users\Admin\AppData\Local\Temp\d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe
"C:\Users\Admin\AppData\Local\Temp\d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:884

Network

DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

flingtrainer.com

d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe

Remote address:

8.8.8.8:53

Request

flingtrainer.com

IN A

Response

flingtrainer.com

IN A

104.21.85.118

flingtrainer.com

IN A

172.67.205.150
GET

https://flingtrainer.com/wp-content/check-for-trainer-update/get-trainer-update

d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe

Remote address:

104.21.85.118:443

Request

GET /wp-content/check-for-trainer-update/get-trainer-update HTTP/1.1
User-Agent: FLiNGTrainer
Host: flingtrainer.com

Response

HTTP/1.1 200 OK

Date: Thu, 01 Feb 2024 23:33:00 GMT
Content-Length: 6
Connection: keep-alive
last-modified: Tue, 09 May 2023 12:34:22 GMT
etag: "6-5fb41f9908f80"
accept-ranges: bytes
Cache-Control: no-cache, no-store, must-revalidate
pragma: no-cache
expires: 0
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OdlVNsXZWz0mtBF6pGxE73FSylOi9mulT6FW5y1Ea4d86Yep7QqqEisDx2IaLb37QRRzeh4HpOhO4DNpK3crqEUkUlZJyaLtv1JWtq7YPw5Jr3ZSKWU2EZOzVZeE5xZYjgz4"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 84edff34d96363f2-LHR
alt-svc: h3=":443"; ma=86400
GET

https://flingtrainer.com/wp-content/check-for-trainer-update/resident-evil-4-trainer

d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe

Remote address:

104.21.85.118:443

Request

GET /wp-content/check-for-trainer-update/resident-evil-4-trainer HTTP/1.1
User-Agent: FLiNGTrainer
Host: flingtrainer.com

Response

HTTP/1.1 200 OK

Date: Thu, 01 Feb 2024 23:33:01 GMT
Content-Length: 12
Connection: keep-alive
last-modified: Tue, 26 Sep 2023 05:18:33 GMT
etag: "c-6063c34befc40"
accept-ranges: bytes
Cache-Control: no-cache, no-store, must-revalidate
pragma: no-cache
expires: 0
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sm0O6pSyoI5FOvTwoMnQGkL9%2FC2eYeneQ5%2FnH7kUNTRThMRazE6s1yj75GqG5%2FkmTRTKg6CSa3%2B7m3LZxoKRVvaC5184gXrBsEWmGTvajEjQJ6FZ80AhVQVKp7Nl3BOrPoOI"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 84edff3d3b9063f2-LHR
alt-svc: h3=":443"; ma=86400
DNS

0.204.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.204.248.87.in-addr.arpa

IN PTR

Response

0.204.248.87.in-addr.arpa

IN PTR

https-87-248-204-0lhrllnwnet
DNS

x2.c.lencr.org

d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe

Remote address:

8.8.8.8:53

Request

x2.c.lencr.org

IN A

Response

x2.c.lencr.org

IN CNAME

crl.root-x1.letsencrypt.org.edgekey.net

crl.root-x1.letsencrypt.org.edgekey.net

IN CNAME

e8652.dscx.akamaiedge.net

e8652.dscx.akamaiedge.net

IN A

173.222.13.40
GET

http://x2.c.lencr.org/

d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe

Remote address:

173.222.13.40:80

Request

GET / HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: x2.c.lencr.org

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/pkix-crl
Last-Modified: Fri, 04 Aug 2023 20:57:56 GMT
ETag: "64cd6654-12c"
Cache-Control: max-age=3600
Expires: Fri, 02 Feb 2024 00:33:00 GMT
Date: Thu, 01 Feb 2024 23:33:00 GMT
Content-Length: 300
Connection: keep-alive
DNS

118.85.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

118.85.21.104.in-addr.arpa

IN PTR

Response
DNS

68.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

68.32.126.40.in-addr.arpa

IN PTR

Response
DNS

40.13.222.173.in-addr.arpa

Remote address:

8.8.8.8:53

Request

40.13.222.173.in-addr.arpa

IN PTR

Response

40.13.222.173.in-addr.arpa

IN PTR

a173-222-13-40deploystaticakamaitechnologiescom
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

178.223.142.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

178.223.142.52.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

23.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.236.111.52.in-addr.arpa

IN PTR

Response

23.44.234.16:80

276 B
6
138.91.171.81:80

208 B
4
104.21.85.118:443

https://flingtrainer.com/wp-content/check-for-trainer-update/resident-evil-4-trainer

tls, http

d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe

1.2kB
7.1kB
13
11

HTTP Request

GET https://flingtrainer.com/wp-content/check-for-trainer-update/get-trainer-update

HTTP Response

200

HTTP Request

GET https://flingtrainer.com/wp-content/check-for-trainer-update/resident-evil-4-trainer

HTTP Response

200
173.222.13.40:80

http://x2.c.lencr.org/

http

d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe

391 B
761 B
6
4

HTTP Request

GET http://x2.c.lencr.org/

HTTP Response

200

8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

flingtrainer.com

dns

d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe

62 B
94 B
1
1

DNS Request

flingtrainer.com

DNS Response

104.21.85.118

172.67.205.150
8.8.8.8:53

0.204.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.204.248.87.in-addr.arpa
8.8.8.8:53

x2.c.lencr.org

dns

d389814cdc38b9bcc1b251314309f1be70d01de724b4edd3f1df364de1b18d3e.exe

60 B
165 B
1
1

DNS Request

x2.c.lencr.org

DNS Response

173.222.13.40
8.8.8.8:53

118.85.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

118.85.21.104.in-addr.arpa
8.8.8.8:53

68.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

68.32.126.40.in-addr.arpa
8.8.8.8:53

40.13.222.173.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

40.13.222.173.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

178.223.142.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

178.223.142.52.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

23.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.236.111.52.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/884-2-0x000001DA0FD20000-0x000001DA0FD52000-memory.dmp

Filesize
200KB

Download
memory/884-6-0x000001DA284B0000-0x000001DA284C0000-memory.dmp

Filesize
64KB

Download
memory/884-5-0x00007FF944EA0000-0x00007FF945961000-memory.dmp

Filesize
10.8MB

Download
memory/884-7-0x000001DA284B0000-0x000001DA284C0000-memory.dmp

Filesize
64KB

Download
memory/884-8-0x000001DA284B0000-0x000001DA284C0000-memory.dmp

Filesize
64KB

Download
memory/884-9-0x000001DA2D6C0000-0x000001DA2D6C8000-memory.dmp

Filesize
32KB

Download
memory/884-11-0x000001DA2D6E0000-0x000001DA2D6EE000-memory.dmp

Filesize
56KB

Download
memory/884-10-0x000001DA2DD50000-0x000001DA2DD88000-memory.dmp

Filesize
224KB

Download
memory/884-24-0x00007FF944EA0000-0x00007FF945961000-memory.dmp

Filesize
10.8MB

Download
memory/884-25-0x000001DA284B0000-0x000001DA284C0000-memory.dmp

Filesize
64KB

Download
memory/884-26-0x000001DA284B0000-0x000001DA284C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.