Analysis Overview
SHA256
0b0c3291f56d3b50b6124eba4df3f38281265391e273798fc59a56ccb8acc9a4
Threat Level: Known bad
The file 0b0c3291f56d3b50b6124eba4df3f38281265391e273798fc59a56ccb8acc9a4 was found to be: Known bad.
Malicious Activity Summary
R77 family
r77 rootkit payload
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-05-30 05:07
Signatures
R77 family
r77 rootkit payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-30 05:07
Reported
2022-05-30 06:35
Platform
win7-20220414-en
Max time kernel
152s
Max time network
87s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Monster Hunter World v20200109-v20201001 Plus 67 Trainer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Monster Hunter World v20200109-v20201001 Plus 67 Trainer.exe
"C:\Users\Admin\AppData\Local\Temp\Monster Hunter World v20200109-v20201001 Plus 67 Trainer.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | flingtrainer.com | udp |
| US | 172.67.177.160:443 | flingtrainer.com | tcp |
Files
memory/536-54-0x0000000001B90000-0x0000000001BC2000-memory.dmp
memory/536-55-0x000007FEF40A0000-0x000007FEF5628000-memory.dmp
memory/536-56-0x000007FEF3460000-0x000007FEF409F000-memory.dmp
memory/536-57-0x000007FEF3270000-0x000007FEF3458000-memory.dmp
memory/536-58-0x000007FEF2320000-0x000007FEF326D000-memory.dmp
memory/536-59-0x000007FEF6100000-0x000007FEF622A000-memory.dmp
memory/536-60-0x000007FEF18D0000-0x000007FEF2320000-memory.dmp
memory/536-61-0x000007FEEDCE0000-0x000007FEEE56C000-memory.dmp
memory/536-62-0x000000001AFEC000-0x000000001B00B000-memory.dmp
memory/536-63-0x000007FEF2320000-0x000007FEF326D000-memory.dmp
memory/536-64-0x000007FEF6100000-0x000007FEF622A000-memory.dmp
memory/536-65-0x000007FEF40A0000-0x000007FEF5628000-memory.dmp
memory/536-66-0x000007FEF3460000-0x000007FEF409F000-memory.dmp
memory/536-67-0x000007FEF3270000-0x000007FEF3458000-memory.dmp
memory/536-68-0x000007FEF18D0000-0x000007FEF2320000-memory.dmp
memory/536-69-0x000000001AFEC000-0x000000001B00B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-30 05:07
Reported
2022-05-30 06:37
Platform
win10v2004-20220414-en
Max time kernel
145s
Max time network
175s
Command Line
Signatures
Program crash
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Monster Hunter World v20200109-v20201001 Plus 67 Trainer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Monster Hunter World v20200109-v20201001 Plus 67 Trainer.exe
"C:\Users\Admin\AppData\Local\Temp\Monster Hunter World v20200109-v20201001 Plus 67 Trainer.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 192 -p 3568 -ip 3568
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3568 -s 1168
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 3568 -ip 3568
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3568 -s 1168
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 87.248.202.1:80 | | tcp |
| NL | 104.97.14.81:80 | | tcp |
| IE | 20.54.110.249:443 | | tcp |
| NL | 104.97.14.80:80 | | tcp |
| NL | 104.97.14.80:80 | | tcp |
| US | 20.42.65.89:443 | | tcp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| US | 8.8.8.8:53 | store-images.s-microsoft.com | udp |
| NL | 104.123.41.133:80 | store-images.s-microsoft.com | tcp |
| NL | 104.123.41.133:80 | store-images.s-microsoft.com | tcp |
| NL | 104.123.41.133:80 | store-images.s-microsoft.com | tcp |
| US | 8.8.8.8:53 | tsfe.trafficshaping.dsp.mp.microsoft.com | udp |
| IE | 20.54.110.119:443 | tsfe.trafficshaping.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | dl.delivery.mp.microsoft.com | udp |
| NL | 8.238.21.254:80 | dl.delivery.mp.microsoft.com | tcp |
| NL | 8.238.21.254:80 | dl.delivery.mp.microsoft.com | tcp |
Files
memory/3568-130-0x00007FF8A2C80000-0x00007FF8A3741000-memory.dmp
memory/3568-131-0x00007FF8A2C80000-0x00007FF8A3741000-memory.dmp
memory/3568-132-0x00007FF8A2C80000-0x00007FF8A3741000-memory.dmp