e783e443dea1898fb87cbf0fedf713afdf38947b9677c2a428fd8e02e725f297

Analysis

max time kernel
64s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2022 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cyberpunk 2077 v1.03-v1.5 Plus 32 Trainer.exe
Size

1.4MB
MD5

fe94c9259ac762233bf198684cf322b6
SHA1

a07a7d3a357fa600454dec4f666a556f61fdfb31
SHA256

e783e443dea1898fb87cbf0fedf713afdf38947b9677c2a428fd8e02e725f297
SHA512

037e6e7a3954a97068749a1570daf7f3b1e43cabd02b867a2261976e07b44228e3ba52de39a42985d12f672523bae0aef92b92be8a440c8ddaef94f9bf833eb3
SSDEEP

24576:ocsy+D0ZuWkZS/NNA7pOThy1pyQTKDy9QUbJ7eDSRSWag:F+MuWkZW27p8hyGQ2yuUV7vSWag

Score

3^/10

Malware Config

Signatures

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4320	1776	WerFault.exe	81
3088	1776	WerFault.exe	81

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
3636	ipconfig.exe
1188	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1776	Cyberpunk 2077 v1.03-v1.5 Plus 32 Trainer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 3636	4316	cmd.exe	106
PID 4316 wrote to memory of 3636	4316	cmd.exe	106
PID 4316 wrote to memory of 1188	4316	cmd.exe	109
PID 4316 wrote to memory of 1188	4316	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\Cyberpunk 2077 v1.03-v1.5 Plus 32 Trainer.exe
"C:\Users\Admin\AppData\Local\Temp\Cyberpunk 2077 v1.03-v1.5 Plus 32 Trainer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1776
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1776 -s 1168
  2⤵
  - Program crash
  PID:4320
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1776 -s 1208
  2⤵
  - Program crash
  PID:3088

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 1776 -ip 1776
1⤵
PID:3788

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 1776 -ip 1776
1⤵
PID:3948

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:3636
- C:\Windows\system32\ipconfig.exe
  ipconfig /displaydns
  2⤵
  - Gathers network information
  PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1776-132-0x00007FFD783E0000-0x00007FFD78EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1776-133-0x00007FFD783E0000-0x00007FFD78EA1000-memory.dmp

Filesize
10.8MB

Download