Analysis

  • max time kernel
    122s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-02-2024 13:29

General

  • Target

    Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe

  • Size

    1.7MB

  • MD5

    6fe2005fdf5b924231c78f1b7bb042f1

  • SHA1

    a96a4d0e2cf6cace83291b8652faa0b91f2aae76

  • SHA256

    e5d2151bd565352cf2e1a2c37f4cbc1024c493effc97a74562beee531a930148

  • SHA512

    78321b5c05271bdda980fb2a9e5ab41d867e4ee2d9b01c69c6edc9d5d0545dc50e3dbab8d7a05f4206a72b2d287eb3e32fb6dbd32822d8c1f43f1644b6792881

  • SSDEEP

    24576:nzsaxDgTIxf98inWB+s8Kks6WjzWsWQD01uepL0GDSVXT5XCCya:noasIxf98AWB+ik9wzauGLOXT5XCC1

Score
1/10

Malware Config

Signatures

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe
    "C:\Users\Admin\AppData\Local\Temp\Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe"
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2632

Network

    Country: US
    DNS
    flingtrainer.com
    Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe
    Remote address:
    8.8.8.8:53
    Request
    flingtrainer.com
    IN A
    Response
    flingtrainer.com
    IN A
    104.21.85.118
    flingtrainer.com
    IN A
    172.67.205.150
    Country: US
    DNS
    flingtrainer.com
    Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe
    Remote address:
    8.8.8.8:53
    Request
    flingtrainer.com
    IN A
    Country: US
    GET
    https://flingtrainer.com/wp-content/check-for-trainer-update/get-trainer-update
    Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe
    Remote address:
    104.21.85.118:443
    Request
    GET /wp-content/check-for-trainer-update/get-trainer-update HTTP/1.1
    User-Agent: FLiNGTrainer
    Host: flingtrainer.com
    Response
    HTTP/1.1 200 OK
    Date: Tue, 06 Feb 2024 13:30:25 GMT
    Content-Length: 6
    Connection: keep-alive
    last-modified: Tue, 09 May 2023 12:34:22 GMT
    etag: "6-5fb41f9908f80"
    accept-ranges: bytes
    Cache-Control: no-cache, no-store, must-revalidate
    pragma: no-cache
    expires: 0
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=5iB%2BgZUG5rnI%2BpcN2guuKtPHIxkSCdE7cARv0lxAWABpOqBi%2B%2FVzYLhpbbcS9KYTqXEKytaL8EYCSG2OoyTyfXciIm7JsEFytAK%2BAB4kIrhYRAowBrFJF9zQL3VXDY4VSY9E"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8513bf623c432411-LHR
    alt-svc: h3=":443"; ma=86400
    Country: US
    GET
    https://flingtrainer.com/wp-content/check-for-trainer-update/cyberpunk-2077-trainer
    Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe
    Remote address:
    104.21.85.118:443
    Request
    GET /wp-content/check-for-trainer-update/cyberpunk-2077-trainer HTTP/1.1
    User-Agent: FLiNGTrainer
    Host: flingtrainer.com
    Response
    HTTP/1.1 200 OK
    Date: Tue, 06 Feb 2024 13:30:25 GMT
    Content-Length: 12
    Connection: keep-alive
    last-modified: Sat, 20 Jan 2024 17:34:22 GMT
    etag: "c-60f6401e134e4"
    accept-ranges: bytes
    Cache-Control: no-cache, no-store, must-revalidate
    pragma: no-cache
    expires: 0
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=hYncoJ3mOPI7rSySD6eA1gwnFKIHSU1%2FNMxyYQt8mZO5AM1E6f5PLIkOC%2BJQcAHmnsooPK4wbElWJHdLRpYQkOOL182oERHr%2B%2FHtNLN1UcAUuTxHhjN00%2FRHWNOBVjlLO%2BDI"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8513bf62084271d8-LHR
    alt-svc: h3=":443"; ma=86400
    Country: US
    DNS
    apps.identrust.com
    Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe
    Remote address:
    8.8.8.8:53
    Request
    apps.identrust.com
    IN A
    Response
    apps.identrust.com
    IN CNAME
    identrust.edgesuite.net
    identrust.edgesuite.net
    IN CNAME
    a1952.dscq.akamai.net
    a1952.dscq.akamai.net
    IN A
    96.17.179.205
    a1952.dscq.akamai.net
    IN A
    96.17.179.184
    Country: US
    DNS
    apps.identrust.com
    Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe
    Remote address:
    8.8.8.8:53
    Request
    apps.identrust.com
    IN A
    Response
    apps.identrust.com
    IN CNAME
    identrust.edgesuite.net
    identrust.edgesuite.net
    IN CNAME
    a1952.dscq.akamai.net
    a1952.dscq.akamai.net
    IN A
    96.17.179.205
    a1952.dscq.akamai.net
    IN A
    96.17.179.184
    Country: GB
    GET
    http://apps.identrust.com/roots/dstrootcax3.p7c
    Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe
    Remote address:
    96.17.179.205:80
    Request
    GET /roots/dstrootcax3.p7c HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: apps.identrust.com
    Response
    HTTP/1.1 200 OK
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-Robots-Tag: noindex
    Referrer-Policy: same-origin
    Last-Modified: Fri, 13 Oct 2023 16:28:31 GMT
    ETag: "37d-6079b8c0929c0"
    Accept-Ranges: bytes
    Content-Length: 893
    X-Content-Type-Options: nosniff
    X-Frame-Options: sameorigin
    Content-Type: application/pkcs7-mime
    Cache-Control: max-age=3600
    Expires: Tue, 06 Feb 2024 14:30:24 GMT
    Date: Tue, 06 Feb 2024 13:30:24 GMT
    Connection: keep-alive
    Country: GB
    GET
    http://apps.identrust.com/roots/dstrootcax3.p7c
    Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe
    Remote address:
    96.17.179.205:80
    Request
    GET /roots/dstrootcax3.p7c HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: apps.identrust.com
    Response
    HTTP/1.1 200 OK
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-Robots-Tag: noindex
    Referrer-Policy: same-origin
    Last-Modified: Fri, 13 Oct 2023 16:28:31 GMT
    ETag: "37d-6079b8c0929c0"
    Accept-Ranges: bytes
    Content-Length: 893
    X-Content-Type-Options: nosniff
    X-Frame-Options: sameorigin
    Content-Type: application/pkcs7-mime
    Cache-Control: max-age=3600
    Expires: Tue, 06 Feb 2024 14:30:24 GMT
    Date: Tue, 06 Feb 2024 13:30:24 GMT
    Connection: keep-alive
    Country: US
    DNS
    x2.c.lencr.org
    Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe
    Remote address:
    8.8.8.8:53
    Request
    x2.c.lencr.org
    IN A
    Response
    x2.c.lencr.org
    IN CNAME
    crl.root-x1.letsencrypt.org.edgekey.net
    crl.root-x1.letsencrypt.org.edgekey.net
    IN CNAME
    e8652.dscx.akamaiedge.net
    e8652.dscx.akamaiedge.net
    IN A
    173.222.13.40
    Country: GB
    GET
    http://x2.c.lencr.org/
    Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe
    Remote address:
    173.222.13.40:80
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: x2.c.lencr.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/pkix-crl
    Last-Modified: Fri, 04 Aug 2023 20:57:56 GMT
    ETag: "64cd6654-12c"
    Cache-Control: max-age=3600
    Expires: Tue, 06 Feb 2024 14:30:24 GMT
    Date: Tue, 06 Feb 2024 13:30:24 GMT
    Content-Length: 300
    Connection: keep-alive
  • 104.21.85.118:443
    https://flingtrainer.com/wp-content/check-for-trainer-update/get-trainer-update
    tls, http
    Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe
    996 B
    7.0kB
    12
    11

    HTTP Request

    GET https://flingtrainer.com/wp-content/check-for-trainer-update/get-trainer-update

    HTTP Response

    200
  • 104.21.85.118:443
    https://flingtrainer.com/wp-content/check-for-trainer-update/cyberpunk-2077-trainer
    tls, http
    Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe
    954 B
    7.0kB
    11
    11

    HTTP Request

    GET https://flingtrainer.com/wp-content/check-for-trainer-update/cyberpunk-2077-trainer

    HTTP Response

    200
  • 96.17.179.205:80
    http://apps.identrust.com/roots/dstrootcax3.p7c
    http
    Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe
    369 B
    1.6kB
    5
    4

    HTTP Request

    GET http://apps.identrust.com/roots/dstrootcax3.p7c

    HTTP Response

    200
  • 96.17.179.205:80
    http://apps.identrust.com/roots/dstrootcax3.p7c
    http
    Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe
    421 B
    1.6kB
    6
    5

    HTTP Request

    GET http://apps.identrust.com/roots/dstrootcax3.p7c

    HTTP Response

    200
  • 173.222.13.40:80
    http://x2.c.lencr.org/
    http
    Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe
    396 B
    1.4kB
    6
    4

    HTTP Request

    GET http://x2.c.lencr.org/

    HTTP Response

    200
  • 8.8.8.8:53
    flingtrainer.com
    dns
    Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe
    124 B
    94 B
    2
    1

    DNS Request

    flingtrainer.com

    DNS Request

    flingtrainer.com

    DNS Response

    104.21.85.118
    172.67.205.150

  • 8.8.8.8:53
    apps.identrust.com
    dns
    Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe
    64 B
    165 B
    1
    1

    DNS Request

    apps.identrust.com

    DNS Response

    96.17.179.205
    96.17.179.184

  • 8.8.8.8:53
    apps.identrust.com
    dns
    Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe
    64 B
    165 B
    1
    1

    DNS Request

    apps.identrust.com

    DNS Response

    96.17.179.205
    96.17.179.184

  • 8.8.8.8:53
    x2.c.lencr.org
    dns
    Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe
    60 B
    165 B
    1
    1

    DNS Request

    x2.c.lencr.org

    DNS Response

    173.222.13.40

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    4895a74f0594041558301e39e709b8ab

    SHA1

    2cac411b26467e944ffce176579d364bfebcb638

    SHA256

    4cd270f7cfebd6fab235cb6cab443025740cb0bd770a26c7bd9e500d4f050dd8

    SHA512

    9a2928e50f1809a544cb172b8b94a403f9c63c61a9a2c1ac8318f94e652aee33803b2680f36d9b8476208f49e8630784be762eac14e72556cd56c26cc1faba90

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    6946842c251766576e7a2171df02da84

    SHA1

    f1e565438650e48f2475f5bdc264e90854d617a5

    SHA256

    85ad31d5ed164d2c822dadf2c0b899ddc253129f9f4795ed22c00d673bce7b49

    SHA512

    dfb9b622a49428f7fdebaa0c94ff6e96140d2724116349d6bd59f667f6e6234d1d788ac23edc0ea17d87851824504dc0704e4972b9058ba335596f6aed5b5cc9

  • C:\Users\Admin\AppData\Local\Temp\Cab8C98.tmp

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar8D37.tmp

    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • memory/2632-4-0x000000001B0B0000-0x000000001B130000-memory.dmp

    Filesize

    512KB

  • memory/2632-3-0x000000001B0B0000-0x000000001B130000-memory.dmp

    Filesize

    512KB

  • memory/2632-6-0x0000000000370000-0x000000000037A000-memory.dmp

    Filesize

    40KB

  • memory/2632-7-0x000000001B0B0000-0x000000001B130000-memory.dmp

    Filesize

    512KB

  • memory/2632-11-0x000000001B0B0000-0x000000001B130000-memory.dmp

    Filesize

    512KB

  • memory/2632-0-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2632-2-0x000000001B0B0000-0x000000001B130000-memory.dmp

    Filesize

    512KB

  • memory/2632-5-0x0000000000370000-0x000000000037A000-memory.dmp

    Filesize

    40KB

  • memory/2632-1-0x000007FEF56F0000-0x000007FEF60DC000-memory.dmp

    Filesize

    9.9MB

  • memory/2632-124-0x000007FEF56F0000-0x000007FEF60DC000-memory.dmp

    Filesize

    9.9MB

  • memory/2632-125-0x0000000000370000-0x000000000037A000-memory.dmp

    Filesize

    40KB

  • memory/2632-126-0x0000000000370000-0x000000000037A000-memory.dmp

    Filesize

    40KB

  • memory/2632-129-0x000007FEF56F0000-0x000007FEF60DC000-memory.dmp

    Filesize

    9.9MB

  • memory/2632-130-0x0000000000370000-0x0000000000372000-memory.dmp

    Filesize

    8KB
