Analysis Overview
SHA256
469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952
Threat Level: Known bad
The file 469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952 was found to be: Known bad.
Malicious Activity Summary
R77 family
r77 rootkit payload
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-07-07 08:16
Signatures
R77 family
r77 rootkit payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-07 08:16
Reported
2022-07-07 14:23
Platform
win7-20220414-en
Max time kernel
150s
Max time network
113s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952.exe
"C:\Users\Admin\AppData\Local\Temp\469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | flingtrainer.com | udp |
| US | 172.67.177.160:443 | flingtrainer.com | tcp |
| US | 172.67.177.160:443 | flingtrainer.com | tcp |
Files
memory/1684-54-0x0000000000470000-0x00000000004AE000-memory.dmp
memory/1684-55-0x000000001AC7C000-0x000000001AC9B000-memory.dmp
memory/1684-56-0x000000001AC7C000-0x000000001AC9B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-07 08:16
Reported
2022-07-07 14:23
Platform
win10v2004-20220414-en
Max time kernel
91s
Max time network
139s
Command Line
Signatures
Program crash
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952.exe | N/A |
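Both detonations (behavioral1 on win7 and behavioral2 on win10) report the same token event: the dropped binary in the user's Temp directory enables SeDebugPrivilege, which is what a userland rootkit such as r77 needs to open and inject into other processes (the win7 run also enumerates processes). The script below is an added example, not part of this report or of the r77 project, showing how to turn that signature into a log-based detection. It assumes Windows Security event ID 4703 ("A user right was adjusted", subcategory Audit Token Right Adjusted) is being collected; the sample records are constructed from that event's documented fields (SubjectUserName, ProcessName, EnabledPrivilegeList, DisabledPrivilegeList) and are not log lines from this report. The allowlist and the user-writable path list are assumptions to be tuned per environment, because 4703 is noisy on Windows 10 (svchost and lsass adjust their tokens constantly).

```python
import re
from dataclasses import dataclass

# Directories a freshly dropped binary typically runs from (assumed list; tune per environment).
USER_WRITABLE = (
    re.compile(r"\\AppData\\Local\\Temp\\", re.I),
    re.compile(r"\\Downloads\\", re.I),
    re.compile(r"\\Users\\Public\\", re.I),
    re.compile(r"\\ProgramData\\", re.I),
)

# Processes that legitimately enable SeDebugPrivilege all day (assumed allowlist; extend with
# your EDR, debuggers and Sysinternals tools, by full path and ideally by signer).
KNOWN_GOOD = (
    re.compile(r"^C:\\Windows\\System32\\(svchost|lsass|csrss|services)\.exe$", re.I),
    re.compile(r"^C:\\Program Files\\Windows Defender\\", re.I),
)


@dataclass
class Finding:
    process: str
    user: str
    severity: str
    reason: str


def parse_4703(event):
    """Return (process path, subject user, set of enabled privileges) from a 4703 event.

    EnabledPrivilegeList is a whitespace/tab-separated list in the event XML; "-" means none.
    """
    data = event["EventData"]
    raw = data.get("EnabledPrivilegeList", "")
    enabled = {p for p in re.split(r"[,\s]+", raw) if p and p != "-"}
    return data.get("ProcessName", ""), data.get("SubjectUserName", ""), enabled


def check_event(event):
    """Return a Finding if this event is a non-allowlisted process enabling SeDebugPrivilege."""
    if event.get("EventID") != 4703:
        return None
    process, user, enabled = parse_4703(event)
    if "SeDebugPrivilege" not in enabled:
        return None
    if any(p.search(process) for p in KNOWN_GOOD):
        return None
    if any(p.search(process) for p in USER_WRITABLE):
        return Finding(process, user, "high",
                       "SeDebugPrivilege enabled by binary running from a user-writable directory")
    return Finding(process, user, "medium",
                   "SeDebugPrivilege enabled by process outside the allowlist")


def scan(events):
    """Run the check over an iterable of parsed events and collect the findings in order."""
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample events (not from the report): the report's own process path, a benign
# svchost adjustment, a Temp binary enabling an unrelated right, a debugger, and a 4688 to skip.
SAMPLE_EVENTS = [
    {"EventID": 4703, "EventData": {
        "SubjectUserName": "Admin",
        "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952.exe",
        "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"}},
    {"EventID": 4703, "EventData": {
        "SubjectUserName": "SYSTEM",
        "ProcessName": r"C:\Windows\System32\svchost.exe",
        "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"}},
    {"EventID": 4703, "EventData": {
        "SubjectUserName": "Admin",
        "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\installer.exe",
        "EnabledPrivilegeList": "SeShutdownPrivilege", "DisabledPrivilegeList": "-"}},
    {"EventID": 4703, "EventData": {
        "SubjectUserName": "Admin",
        "ProcessName": r"C:\Tools\x64dbg\x64dbg.exe",
        "EnabledPrivilegeList": "SeDebugPrivilege\r\n\t\tSeBackupPrivilege", "DisabledPrivilegeList": "-"}},
    {"EventID": 4688, "EventData": {"NewProcessName": r"C:\Windows\System32\WerFault.exe"}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.user} {f.process}: {f.reason}")
```

Run against the constructed events this yields two findings: a high-severity one for the report's Temp binary and a medium one for the debugger, while the svchost adjustment, the Temp binary that only enabled SeShutdownPrivilege, and the 4688 are ignored. In production, pair the path heuristic with the signer or hash of the image, and correlate with the subsequent process-access events (Sysmon event 10) to confirm the privilege was actually used to open other processes, which is the behaviour the EnumeratesProcesses signature above points at.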
Processes
C:\Users\Admin\AppData\Local\Temp\469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952.exe
"C:\Users\Admin\AppData\Local\Temp\469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 4312 -ip 4312
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4312 -s 1164
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 4312 -ip 4312
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4312 -s 1164
Network
| Country | Destination | Domain | Proto |
| NL | 88.221.144.192:80 | N/A | tcp |
| FR | 2.18.109.224:443 | N/A | tcp |
| US | 104.18.25.243:80 | N/A | tcp |
| NL | 13.69.109.131:443 | N/A | tcp |
| US | 204.79.197.203:80 | N/A | tcp |
| NL | 8.248.3.254:80 | N/A | tcp |
| NL | 8.248.3.254:80 | N/A | tcp |
| US | 8.251.167.126:80 | N/A | tcp |
Files
memory/4312-130-0x00007FFBFA0B0000-0x00007FFBFAB71000-memory.dmp
memory/4312-131-0x00007FFBFA0B0000-0x00007FFBFAB71000-memory.dmp