Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/01/2025, 20:00 UTC

General

  • Target

    84a7fcdb4f44190092e6ec8b4a7a0aa40f1b61943a78c6bfd75055e7b5089954.exe

  • Size

    1.4MB

  • MD5

    f8720dd2c07bdb66761ac7b54760aaaf

  • SHA1

    b3e1d4137352e4fddcf99d6681702252c32e5d25

  • SHA256

    84a7fcdb4f44190092e6ec8b4a7a0aa40f1b61943a78c6bfd75055e7b5089954

  • SHA512

    baa1a60cc793f518e2d9e4570c410d74b3093d2e8d42221acd15eee1d9f943baa879910b8ff6f83112f80a268627404fdeaef8d7c7996f6b4c954f016c7ff1b4

  • SSDEEP

    24576:N9/QSW61N8Lqpgz7R0Ahn5nRQfbJ7MiYPDS/R:OeyepURPh5nRQfV7D

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\84a7fcdb4f44190092e6ec8b4a7a0aa40f1b61943a78c6bfd75055e7b5089954.exe
    "C:\Users\Admin\AppData\Local\Temp\84a7fcdb4f44190092e6ec8b4a7a0aa40f1b61943a78c6bfd75055e7b5089954.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:448

Network

  • flag-us
    DNS
    131.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    131.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    131.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    131.160.190.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    103.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    103.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.209.201.84.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    flingtrainer.com
    84a7fcdb4f44190092e6ec8b4a7a0aa40f1b61943a78c6bfd75055e7b5089954.exe
    Remote address:
    8.8.8.8:53
    Request
    flingtrainer.com
    IN A
    Response
    flingtrainer.com
    IN A
    104.26.15.72
    flingtrainer.com
    IN A
    104.26.14.72
    flingtrainer.com
    IN A
    172.67.73.26
  • flag-us
    GET
    https://flingtrainer.com/wp-content/check-for-trainer-update/hades-trainer
    84a7fcdb4f44190092e6ec8b4a7a0aa40f1b61943a78c6bfd75055e7b5089954.exe
    Remote address:
    104.26.15.72:443
    Request
    GET /wp-content/check-for-trainer-update/hades-trainer HTTP/1.1
    User-Agent: FLiNGTrainer
    Host: flingtrainer.com
    Response
    HTTP/1.1 200 OK
    Date: Thu, 30 Jan 2025 20:00:55 GMT
    Content-Length: 11
    Connection: keep-alive
    vary: User-Agent
    last-modified: Fri, 03 Sep 2021 00:43:16 GMT
    etag: "b-5cb0c95c03100"
    accept-ranges: bytes
    Cache-Control: no-cache, no-store, must-revalidate
    pragma: no-cache
    expires: 0
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9mqI%2B7nzMb3L8HZW2XGBOYVoGKfCX%2FrdM3FKJfC43vpQcv1slSmchjH4BxwavKacKfzAa0siKtM9ahiyjeVsszLHAPuaf4gARmLt0pqf9S9b3GfWuBLEzJP8nxJ1P5EBOck%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90a40d0b3d3f3db2-LHR
    server-timing: cfL4;desc="?proto=TCP&rtt=28497&min_rtt=28497&rtt_var=14248&sent=11&recv=8&lost=0&retrans=4&sent_bytes=6596&recv_bytes=422&delivery_rate=6890&cwnd=254&unsent_bytes=0&cid=37b84f04aecc59cb&ts=2858&x=0"
  • flag-us
    DNS
    c.pki.goog
    84a7fcdb4f44190092e6ec8b4a7a0aa40f1b61943a78c6bfd75055e7b5089954.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.179.227
  • flag-us
    DNS
    c.pki.goog
    84a7fcdb4f44190092e6ec8b4a7a0aa40f1b61943a78c6bfd75055e7b5089954.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
  • flag-us
    DNS
    72.15.26.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.15.26.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    72.15.26.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.15.26.104.in-addr.arpa
    IN PTR
  • flag-gb
    GET
    http://c.pki.goog/r/gsr1.crl
    84a7fcdb4f44190092e6ec8b4a7a0aa40f1b61943a78c6bfd75055e7b5089954.exe
    Remote address:
    142.250.179.227:80
    Request
    GET /r/gsr1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 1739
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Thu, 30 Jan 2025 19:24:09 GMT
    Expires: Thu, 30 Jan 2025 20:14:09 GMT
    Cache-Control: public, max-age=3000
    Age: 2206
    Last-Modified: Tue, 07 Jan 2025 07:28:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-gb
    GET
    http://c.pki.goog/r/r4.crl
    84a7fcdb4f44190092e6ec8b4a7a0aa40f1b61943a78c6bfd75055e7b5089954.exe
    Remote address:
    142.250.179.227:80
    Request
    GET /r/r4.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 436
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Thu, 30 Jan 2025 19:24:07 GMT
    Expires: Thu, 30 Jan 2025 20:14:07 GMT
    Cache-Control: public, max-age=3000
    Age: 2208
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    227.179.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    227.179.250.142.in-addr.arpa
    IN PTR
    Response
    227.179.250.142.in-addr.arpa
    IN PTR
    lhr25s31-in-f31.1e100.net
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    98.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    98.117.19.2.in-addr.arpa
    IN PTR
    Response
    98.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-98.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    98.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    98.117.19.2.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    98.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    98.117.19.2.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 104.26.15.72:443
    https://flingtrainer.com/wp-content/check-for-trainer-update/hades-trainer
    tls, http
    84a7fcdb4f44190092e6ec8b4a7a0aa40f1b61943a78c6bfd75055e7b5089954.exe
    1.1kB
    6.5kB
    13
    11

    HTTP Request

    GET https://flingtrainer.com/wp-content/check-for-trainer-update/hades-trainer

    HTTP Response

    200
  • 142.250.179.227:80
    http://c.pki.goog/r/r4.crl
    http
    84a7fcdb4f44190092e6ec8b4a7a0aa40f1b61943a78c6bfd75055e7b5089954.exe
    706 B
    5.1kB
    10
    8

    HTTP Request

    GET http://c.pki.goog/r/gsr1.crl

    HTTP Response

    200

    HTTP Request

    GET http://c.pki.goog/r/r4.crl

    HTTP Response

    200
  • 8.8.8.8:53
    131.160.190.20.in-addr.arpa
    dns
    146 B
    159 B
    2
    1

    DNS Request

    131.160.190.20.in-addr.arpa

    DNS Request

    131.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    103.209.201.84.in-addr.arpa
    dns
    146 B
    133 B
    2
    1

    DNS Request

    103.209.201.84.in-addr.arpa

    DNS Request

    103.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    flingtrainer.com
    dns
    84a7fcdb4f44190092e6ec8b4a7a0aa40f1b61943a78c6bfd75055e7b5089954.exe
    62 B
    110 B
    1
    1

    DNS Request

    flingtrainer.com

    DNS Response

    104.26.15.72
    104.26.14.72
    172.67.73.26

  • 8.8.8.8:53
    c.pki.goog
    dns
    84a7fcdb4f44190092e6ec8b4a7a0aa40f1b61943a78c6bfd75055e7b5089954.exe
    112 B
    107 B
    2
    1

    DNS Request

    c.pki.goog

    DNS Request

    c.pki.goog

    DNS Response

    142.250.179.227

  • 8.8.8.8:53
    72.15.26.104.in-addr.arpa
    dns
    142 B
    133 B
    2
    1

    DNS Request

    72.15.26.104.in-addr.arpa

    DNS Request

    72.15.26.104.in-addr.arpa

  • 8.8.8.8:53
    227.179.250.142.in-addr.arpa
    dns
    74 B
    112 B
    1
    1

    DNS Request

    227.179.250.142.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    142 B
    157 B
    2
    1

    DNS Request

    56.163.245.4.in-addr.arpa

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    171.39.242.20.in-addr.arpa

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    98.117.19.2.in-addr.arpa
    dns
    210 B
    133 B
    3
    1

    DNS Request

    98.117.19.2.in-addr.arpa

    DNS Request

    98.117.19.2.in-addr.arpa

    DNS Request

    98.117.19.2.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa
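The Network section above mixes three kinds of traffic: reverse (PTR) lookups with no process attribution, the sample's own DNS lookup and HTTPS GET to flingtrainer.com carrying the custom User-Agent `FLiNGTrainer`, and two plain-HTTP CRL fetches to c.pki.goog carrying the `Microsoft-CryptoAPI/10.0` User-Agent. That last User-Agent belongs to the Windows certificate-validation stack fetching revocation lists for a certificate chain, which is consistent with the TLS connection to flingtrainer.com just before it, so those requests are a platform side effect rather than traffic the sample's own code composed. The Python script below is an added example (not part of the sandbox report or of the FLiNG trainer) that encodes this triage: it takes event records constructed by hand from the report, labels each one, and pulls out the hosts the sample itself contacted and the custom User-Agent a defender could hunt on in proxy or IDS logs. The label names and the PKI host/User-Agent lists are this example's own assumptions.

```python
"""Triage the network events of a sandbox report.

Added example, not part of the original report. The event records below are
constructed by hand to mirror the report's Network section; the labels
(background, pki_infrastructure, sample_custom_ua, sample_attributed) and the
PKI host/User-Agent lists are this example's own naming, not the sandbox's.
"""
from dataclasses import dataclass
from typing import Optional

# Hosts the Windows crypto stack contacts for CRL/OCSP during certificate-chain
# validation (assumed list). Traffic here is a side effect of TLS/Authenticode checks.
PKI_HOSTS = {"c.pki.goog", "o.pki.goog", "crl.microsoft.com", "ocsp.digicert.com"}

# User-Agent strings emitted by the platform rather than by the program's own code.
PLATFORM_USER_AGENTS = {"Microsoft-CryptoAPI/10.0"}

SAMPLE = "84a7fcdb4f44190092e6ec8b4a7a0aa40f1b61943a78c6bfd75055e7b5089954.exe"


@dataclass
class NetEvent:
    kind: str                      # "dns" or "http"
    name: str                      # queried name or HTTP Host
    process: Optional[str] = None  # attributed process; None when the report shows none
    user_agent: Optional[str] = None
    url: Optional[str] = None


# Constructed from the report: unattributed PTR lookups, the sample's own
# lookups, its update-check GET, and the two CRL fetches.
EVENTS = [
    NetEvent("dns", "131.160.190.20.in-addr.arpa"),
    NetEvent("dns", "103.209.201.84.in-addr.arpa"),
    NetEvent("dns", "flingtrainer.com", process=SAMPLE),
    NetEvent("http", "flingtrainer.com", process=SAMPLE, user_agent="FLiNGTrainer",
             url="https://flingtrainer.com/wp-content/check-for-trainer-update/hades-trainer"),
    NetEvent("dns", "c.pki.goog", process=SAMPLE),
    NetEvent("http", "c.pki.goog", process=SAMPLE, user_agent="Microsoft-CryptoAPI/10.0",
             url="http://c.pki.goog/r/gsr1.crl"),
    NetEvent("http", "c.pki.goog", process=SAMPLE, user_agent="Microsoft-CryptoAPI/10.0",
             url="http://c.pki.goog/r/r4.crl"),
    NetEvent("dns", "227.179.250.142.in-addr.arpa"),
]


def is_reverse_lookup(name: str) -> bool:
    return name.endswith(".in-addr.arpa") or name.endswith(".ip6.arpa")


def classify(ev: NetEvent) -> str:
    """Return a triage label for one event."""
    if ev.process is None:
        # No process attribution: sandbox/OS background noise, e.g. the PTR
        # lookups Windows issues for addresses it has already talked to.
        return "background"
    if ev.name in PKI_HOSTS or ev.user_agent in PLATFORM_USER_AGENTS:
        return "pki_infrastructure"
    if is_reverse_lookup(ev.name):
        return "background"
    if ev.kind == "http":
        return "sample_custom_ua"
    return "sample_attributed"


def triage(events):
    """Group events by label; return {label: sorted unique (name, user_agent)}."""
    out = {}
    for ev in events:
        out.setdefault(classify(ev), set()).add((ev.name, ev.user_agent))
    return {k: sorted(v, key=lambda t: (t[0], t[1] or "")) for k, v in out.items()}


def sample_contacted_hosts(events):
    """Hosts the sample itself reached, excluding PKI side-effect traffic."""
    return sorted({ev.name for ev in events
                   if classify(ev) not in ("background", "pki_infrastructure")})


def hunting_indicators(events):
    """Custom User-Agent strings seen only on the sample's own HTTP requests."""
    return sorted({ev.user_agent for ev in events
                   if ev.kind == "http" and classify(ev) == "sample_custom_ua"})


if __name__ == "__main__":
    for label, items in triage(EVENTS).items():
        print(label)
        for name, ua in items:
            print(f"  {name}" + (f"  (UA: {ua})" if ua else ""))
    print("sample hosts:", sample_contacted_hosts(EVENTS))
    print("hunt UAs:", hunting_indicators(EVENTS))
```

Run as-is to see the grouping; feed it records from another report by replacing `EVENTS`. The key design choice is to trust process attribution first and the User-Agent second: an unattributed PTR lookup is never an indicator, and a request with the CryptoAPI User-Agent is the OS talking, whichever process it is charged to.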

MITRE ATT&CK Matrix


Downloads

  • memory/448-0-0x00007FF836EB3000-0x00007FF836EB5000-memory.dmp

    Filesize

    8KB

  • memory/448-1-0x000001C3F18E0000-0x000001C3F1912000-memory.dmp

    Filesize

    200KB

  • memory/448-2-0x00007FF836EB0000-0x00007FF837971000-memory.dmp

    Filesize

    10.8MB

  • memory/448-3-0x00007FF836EB0000-0x00007FF837971000-memory.dmp

    Filesize

    10.8MB

  • memory/448-6-0x00007FF836EB0000-0x00007FF837971000-memory.dmp

    Filesize

    10.8MB

  • memory/448-8-0x00007FF836EB0000-0x00007FF837971000-memory.dmp

    Filesize

    10.8MB

  • memory/448-15-0x00007FF836EB3000-0x00007FF836EB5000-memory.dmp

    Filesize

    8KB

  • memory/448-16-0x00007FF836EB0000-0x00007FF837971000-memory.dmp

    Filesize

    10.8MB

  • memory/448-17-0x00007FF836EB0000-0x00007FF837971000-memory.dmp

    Filesize

    10.8MB

  • memory/448-18-0x00007FF836EB0000-0x00007FF837971000-memory.dmp

    Filesize

    10.8MB

  • memory/448-19-0x00007FF836EB0000-0x00007FF837971000-memory.dmp

    Filesize

    10.8MB

  • memory/448-20-0x00007FF836EB0000-0x00007FF837971000-memory.dmp

    Filesize

    10.8MB
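The dump names in the Downloads list encode the process ID, a sequence number and the start and end address of the dumped region, and the printed Filesize is the length of that range. The Python below is an added example (not part of the sandbox report) that parses those names, recomputes each size and compares it with the printed value, collapses repeated snapshots of the same range so the reader sees that only three distinct regions were dumped, and checks that the bounds are page aligned. The naming pattern and the rounding rule (KB and MB as binary units, one decimal for MB) are assumptions made to match the report; the names and sizes themselves are copied from it.

```python
"""Sanity-check the memory-dump entries of a sandbox report.

Added example, not part of the original report. The dump names and the printed
sizes below are copied from the report's Downloads section; the name pattern
and the size-rounding rule are this example's assumptions about the format.
"""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# (dump name, Filesize as printed in the report)
DUMPS = [
    ("memory/448-0-0x00007FF836EB3000-0x00007FF836EB5000-memory.dmp", "8KB"),
    ("memory/448-1-0x000001C3F18E0000-0x000001C3F1912000-memory.dmp", "200KB"),
    ("memory/448-2-0x00007FF836EB0000-0x00007FF837971000-memory.dmp", "10.8MB"),
    ("memory/448-15-0x00007FF836EB3000-0x00007FF836EB5000-memory.dmp", "8KB"),
    ("memory/448-20-0x00007FF836EB0000-0x00007FF837971000-memory.dmp", "10.8MB"),
]


def parse_dump(name):
    """Return (pid, seq, start, end) from a dump file name, or raise ValueError."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return int(m["pid"]), int(m["seq"]), start, end


def region_size(name):
    """Length of the dumped range in bytes."""
    _, _, start, end = parse_dump(name)
    return end - start


def human(n):
    """Render bytes the way the report does: whole KB below 1 MiB, else MB with one decimal."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def check_sizes(dumps):
    """Return the names whose recomputed size disagrees with the printed Filesize."""
    return [name for name, printed in dumps if human(region_size(name)) != printed]


def distinct_regions(dumps):
    """Collapse repeated snapshots of one address range.

    Returns {(start, end): [seq, ...]} so it is visible which ranges were
    dumped more than once over the run.
    """
    regions = {}
    for name, _ in dumps:
        _, seq, start, end = parse_dump(name)
        regions.setdefault((start, end), []).append(seq)
    return regions


def page_aligned(name, page=0x1000):
    """True when both bounds sit on a 4 KiB page boundary, as committed regions do."""
    _, _, start, end = parse_dump(name)
    return start % page == 0 and end % page == 0


if __name__ == "__main__":
    print("size mismatches:", check_sizes(DUMPS))
    for (start, end), seqs in distinct_regions(DUMPS).items():
        print(f"0x{start:016X}-0x{end:016X}  {human(end - start):>7}  snapshots {seqs}")
```

The two high (0x00007FF8...) ranges and the one low (0x000001C3...) range are the whole story: every later dump is a re-snapshot of one of those three regions, so there are three things to open in a debugger, not twelve.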
