Analysis Overview
SHA256
f14dab97f0213e6267b4e438b07b0006f13abf5d47c7b2e68fdcf8d5fedc19bb
Threat Level: Known bad
The file f14dab97f0213e6267b4e438b07b0006f13abf5d47c7b2e68fdcf8d5fedc19bb was found to be: Known bad.
Malicious Activity Summary
R77 family
r77 rootkit payload
Drops file in Windows directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-02-11 23:18
Signatures
R77 family
r77 rootkit payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-11 23:18
Reported
2022-02-11 23:21
Platform
win7-en-20211208
Max time kernel
151s
Max time network
124s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f14dab97f0213e6267b4e438b07b0006f13abf5d47c7b2e68fdcf8d5fedc19bb.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f14dab97f0213e6267b4e438b07b0006f13abf5d47c7b2e68fdcf8d5fedc19bb.exe
"C:\Users\Admin\AppData\Local\Temp\f14dab97f0213e6267b4e438b07b0006f13abf5d47c7b2e68fdcf8d5fedc19bb.exe"
Network
Files
memory/1144-53-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-11 23:18
Reported
2022-02-11 23:21
Platform
win10v2004-en-20220113
Max time kernel
152s
Max time network
136s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\pending.xml | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\f14dab97f0213e6267b4e438b07b0006f13abf5d47c7b2e68fdcf8d5fedc19bb.exe
"C:\Users\Admin\AppData\Local\Temp\f14dab97f0213e6267b4e438b07b0006f13abf5d47c7b2e68fdcf8d5fedc19bb.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 52.109.8.20:443 | tcp | |
| US | 13.107.4.50:80 | tcp | |
| US | 13.107.4.50:80 | tcp | |
| JP | 13.78.111.198:443 | tcp |
Files
memory/4912-130-0x00000246E8C20000-0x00000246E8C30000-memory.dmp
memory/4912-131-0x00000246E8C80000-0x00000246E8C90000-memory.dmp
memory/4912-132-0x00000246EB330000-0x00000246EB334000-memory.dmp