Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-01-2025 10:46

General

  • Target

    7ba917f33035a91756dcd5d4812314af445e10abad4bb213b8c530f7521d479c.exe

  • Size

    1.7MB

  • MD5

    1162bebd28f3ebee8f16363b04c268f5

  • SHA1

    74683760841442ad7d18a7d4b4aa0b41896d130b

  • SHA256

    7ba917f33035a91756dcd5d4812314af445e10abad4bb213b8c530f7521d479c

  • SHA512

    f1c4ddec33055d6bdd780b5c2f28f0b0c642df50817d53eb5692e44a71e6e20e0dd402034551e80be19cc3ac663fc83638d4989c72b5920de008d207abb747b7

  • SSDEEP

    24576:vmQn8AtHx3OXiORxXpv9aRmqZhm9tChfKsKNDSVXT5XUjlkyaQ:vm8tHAXV3Xp2m6h0UfKszXT5XUjG1Q

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ba917f33035a91756dcd5d4812314af445e10abad4bb213b8c530f7521d479c.exe
    "C:\Users\Admin\AppData\Local\Temp\7ba917f33035a91756dcd5d4812314af445e10abad4bb213b8c530f7521d479c.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4808

Network

  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    181.129.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    181.129.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    flingtrainer.com
    7ba917f33035a91756dcd5d4812314af445e10abad4bb213b8c530f7521d479c.exe
    Remote address:
    8.8.8.8:53
    Request
    flingtrainer.com
    IN A
    Response
    flingtrainer.com
    IN A
    104.26.14.72
    flingtrainer.com
    IN A
    104.26.15.72
    flingtrainer.com
    IN A
    172.67.73.26
  • flag-us
    GET
    https://flingtrainer.com/wp-content/check-for-trainer-update/get-trainer-update
    7ba917f33035a91756dcd5d4812314af445e10abad4bb213b8c530f7521d479c.exe
    Remote address:
    104.26.14.72:443
    Request
    GET /wp-content/check-for-trainer-update/get-trainer-update HTTP/1.1
    User-Agent: FLiNGTrainer
    Host: flingtrainer.com
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 Jan 2025 10:47:01 GMT
    Content-Length: 6
    Connection: keep-alive
    vary: User-Agent
    last-modified: Tue, 09 May 2023 12:34:22 GMT
    etag: "6-5fb41f9908f80"
    accept-ranges: bytes
    Cache-Control: no-cache, no-store, must-revalidate
    pragma: no-cache
    expires: 0
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=42VemqF%2BlLA8Rm%2BvaMwa6anVw34iZwxiYQmD74ZlX9ae9VrY6yBVjOANHe9lmenBMU6fhtl86GslGNOUEVirKVb2zN%2F6zvbEL20MhNZIxcLuueQphIe3KEdSS91mc%2FlYqiw%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 907fec263db635dd-LHR
    server-timing: cfL4;desc="?proto=TCP&rtt=47321&min_rtt=46967&rtt_var=7637&sent=6&recv=9&lost=0&retrans=0&sent_bytes=3299&recv_bytes=427&delivery_rate=85743&cwnd=253&unsent_bytes=0&cid=c5f926677c18bd48&ts=698&x=0"
  • flag-us
    GET
    https://flingtrainer.com/wp-content/check-for-trainer-update/assassins-creed-origins-trainer
    7ba917f33035a91756dcd5d4812314af445e10abad4bb213b8c530f7521d479c.exe
    Remote address:
    104.26.14.72:443
    Request
    GET /wp-content/check-for-trainer-update/assassins-creed-origins-trainer HTTP/1.1
    User-Agent: FLiNGTrainer
    Host: flingtrainer.com
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 Jan 2025 10:47:02 GMT
    Content-Length: 11
    Connection: keep-alive
    vary: User-Agent
    last-modified: Tue, 30 Jan 2024 05:16:06 GMT
    etag: "b-61022dc0453ce"
    accept-ranges: bytes
    Cache-Control: no-cache, no-store, must-revalidate
    pragma: no-cache
    expires: 0
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y8U0wxzcDlpuJkQWd3S5OF4VblE9cw4hTs%2BCjeZIvfHTC0Ogo5Zyx5B3iPwJ1pCqhi%2BiqU6jKXeeYaY3vqczRTDJq2AY1BS3j5ItkAOjMPib2uNiO%2FBXTNyzw6hsHD0JL88%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 907fec2e7e2c35dd-LHR
    server-timing: cfL4;desc="?proto=TCP&rtt=47255&min_rtt=46792&rtt_var=5860&sent=8&recv=11&lost=0&retrans=0&sent_bytes=4338&recv_bytes=591&delivery_rate=85743&cwnd=254&unsent_bytes=0&cid=c5f926677c18bd48&ts=1778&x=0"
  • flag-us
    DNS
    c.pki.goog
    7ba917f33035a91756dcd5d4812314af445e10abad4bb213b8c530f7521d479c.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.187.227
  • flag-gb
    GET
    http://c.pki.goog/r/gsr1.crl
    7ba917f33035a91756dcd5d4812314af445e10abad4bb213b8c530f7521d479c.exe
    Remote address:
    142.250.187.227:80
    Request
    GET /r/gsr1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 1739
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Sun, 26 Jan 2025 10:41:13 GMT
    Expires: Sun, 26 Jan 2025 11:31:13 GMT
    Cache-Control: public, max-age=3000
    Age: 347
    Last-Modified: Tue, 07 Jan 2025 07:28:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-gb
    GET
    http://c.pki.goog/r/r4.crl
    7ba917f33035a91756dcd5d4812314af445e10abad4bb213b8c530f7521d479c.exe
    Remote address:
    142.250.187.227:80
    Request
    GET /r/r4.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 436
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Sun, 26 Jan 2025 10:45:01 GMT
    Expires: Sun, 26 Jan 2025 11:35:01 GMT
    Cache-Control: public, max-age=3000
    Age: 119
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    72.14.26.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.14.26.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    138.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    227.187.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    227.187.250.142.in-addr.arpa
    IN PTR
    Response
    227.187.250.142.in-addr.arpa
    IN PTR
    lhr25s34-in-f31.1e100.net
  • flag-us
    DNS
    5.114.82.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    5.114.82.104.in-addr.arpa
    IN PTR
    Response
    5.114.82.104.in-addr.arpa
    IN PTR
    a104-82-114-5.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.238.56.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.238.56.23.in-addr.arpa
    IN PTR
    Response
    88.238.56.23.in-addr.arpa
    IN PTR
    a23-56-238-88.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    22.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 104.26.14.72:443
    https://flingtrainer.com/wp-content/check-for-trainer-update/assassins-creed-origins-trainer
    tls, http
    7ba917f33035a91756dcd5d4812314af445e10abad4bb213b8c530f7521d479c.exe
    1.1kB
    5.8kB
    12
    10

    HTTP Request

    GET https://flingtrainer.com/wp-content/check-for-trainer-update/get-trainer-update

    HTTP Response

    200

    HTTP Request

    GET https://flingtrainer.com/wp-content/check-for-trainer-update/assassins-creed-origins-trainer

    HTTP Response

    200
  • 142.250.187.227:80
    http://c.pki.goog/r/r4.crl
    http
    7ba917f33035a91756dcd5d4812314af445e10abad4bb213b8c530f7521d479c.exe
    602 B
    3.9kB
    8
    6

    HTTP Request

    GET http://c.pki.goog/r/gsr1.crl

    HTTP Response

    200

    HTTP Request

    GET http://c.pki.goog/r/r4.crl

    HTTP Response

    200
  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    181.129.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    181.129.81.91.in-addr.arpa

  • 8.8.8.8:53
    flingtrainer.com
    dns
    7ba917f33035a91756dcd5d4812314af445e10abad4bb213b8c530f7521d479c.exe
    62 B
    110 B
    1
    1

    DNS Request

    flingtrainer.com

    DNS Response

    104.26.14.72
    104.26.15.72
    172.67.73.26

  • 8.8.8.8:53
    c.pki.goog
    dns
    7ba917f33035a91756dcd5d4812314af445e10abad4bb213b8c530f7521d479c.exe
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.187.227

  • 8.8.8.8:53
    72.14.26.104.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    72.14.26.104.in-addr.arpa

  • 8.8.8.8:53
    138.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    138.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    227.187.250.142.in-addr.arpa
    dns
    74 B
    112 B
    1
    1

    DNS Request

    227.187.250.142.in-addr.arpa

  • 8.8.8.8:53
    5.114.82.104.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    5.114.82.104.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    154.239.44.20.in-addr.arpa

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    88.238.56.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    88.238.56.23.in-addr.arpa

  • 8.8.8.8:53
    22.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    22.236.111.52.in-addr.arpa

  • 8.8.8.8:53

MITRE ATT&CK Matrix


Downloads

  • memory/4808-0-0x00007FFBBD683000-0x00007FFBBD685000-memory.dmp

    Filesize

    8KB

  • memory/4808-1-0x00000231EF200000-0x00000231EF234000-memory.dmp

    Filesize

    208KB

  • memory/4808-2-0x00007FFBBD680000-0x00007FFBBE141000-memory.dmp

    Filesize

    10.8MB

  • memory/4808-3-0x00007FFBBD680000-0x00007FFBBE141000-memory.dmp

    Filesize

    10.8MB

  • memory/4808-4-0x00007FFBBD680000-0x00007FFBBE141000-memory.dmp

    Filesize

    10.8MB

  • memory/4808-5-0x00007FFBBD680000-0x00007FFBBE141000-memory.dmp

    Filesize

    10.8MB

  • memory/4808-6-0x00000231F1880000-0x00000231F1888000-memory.dmp

    Filesize

    32KB

  • memory/4808-8-0x00000231F18D0000-0x00000231F18DE000-memory.dmp

    Filesize

    56KB

  • memory/4808-7-0x00000231F1900000-0x00000231F1938000-memory.dmp

    Filesize

    224KB

  • memory/4808-21-0x00007FFBBD683000-0x00007FFBBD685000-memory.dmp

    Filesize

    8KB

  • memory/4808-22-0x00007FFBBD680000-0x00007FFBBE141000-memory.dmp

    Filesize

    10.8MB

  • memory/4808-23-0x00007FFBBD680000-0x00007FFBBE141000-memory.dmp

    Filesize

    10.8MB

  • memory/4808-24-0x00007FFBBD680000-0x00007FFBBE141000-memory.dmp

    Filesize

    10.8MB
