r77 | 41ecdf9e1481b9a14369cb6cf4374cb3b859d1148a59a56898654645dfb7b503

General

Target

Cyberpunk.2077.v2.0-v2.1.Plus.46.Trainer-FLiNG.zip
Size

998KB
Sample

240702-2ahp7sxanr
MD5

c68b4a5e80b71e6244121b690cfa1f33
SHA1

97751deeb49564cfa7d1f0dd5680fe68c3674b72
SHA256

41ecdf9e1481b9a14369cb6cf4374cb3b859d1148a59a56898654645dfb7b503
SHA512

c8b9c2d506bea0f4da81f337853ba8036693a1bc01aeaafc86efb78d024f89d7370bcd250717f3d201ac5bc06f4940bc4aa5fb601b57f3fab892c7bac3c7337b
SSDEEP

24576:Y88Cshr7Mr1t7Eu2hHoXUYMR8hf7ACMPC2PtqEGbh3odH90tS4EpAjm:41gr7QtoXUPehfsCMPCuG93odKSijm

Score

10^/10

Malware Config

Targets

- Target
  
  Cyberpunk 2077 v2.0-v2.1 Plus 46 Trainer.exe
- Size
  
  1.7MB
- MD5
  
  6fe2005fdf5b924231c78f1b7bb042f1
- SHA1
  
  a96a4d0e2cf6cace83291b8652faa0b91f2aae76
- SHA256
  
  e5d2151bd565352cf2e1a2c37f4cbc1024c493effc97a74562beee531a930148
- SHA512
  
  78321b5c05271bdda980fb2a9e5ab41d867e4ee2d9b01c69c6edc9d5d0545dc50e3dbab8d7a05f4206a72b2d287eb3e32fb6dbd32822d8c1f43f1644b6792881
- SSDEEP
  
  24576:nzsaxDgTIxf98inWB+s8Kks6WjzWsWQD01uepL0GDSVXT5XCCya:noasIxf98AWB+ik9wzauGLOXT5XCC1
Score

10^/10

bootkit defense_evasion discovery evasion persistence privilege_escalation spyware stealer trojan upx
- Suspicious use of NtCreateProcessExOtherParentProcess
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
behavioral1