Malware Analysis Report

2025-01-02 06:58

Sample ID 220707-j6jchagdfl
Target 469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952
SHA256 469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952
Tags
r77
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952

Threat Level: Known bad

The file 469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952 was found to be: Known bad.

Malicious Activity Summary

r77

R77 family

r77 rootkit payload

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-07-07 08:16

Signatures

R77 family

r77

r77 rootkit payload

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-07 08:16

Reported

2022-07-07 14:23

Platform

win7-20220414-en

Max time kernel

150s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952.exe N/A
(the raw report repeats this identical row 64 times, one per process-enumeration hit; the duplicates are collapsed here)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952.exe N/A

SeDebugPrivilege lets a process open handles to processes it does not own, including SYSTEM ones, which is what a user-mode rootkit needs in order to reach into other processes; debuggers and administrative tools request the same privilege, so on its own this signature is weak and should be read together with the r77 family match and the process enumeration above.

Processes

C:\Users\Admin\AppData\Local\Temp\469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952.exe

"C:\Users\Admin\AppData\Local\Temp\469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 flingtrainer.com udp
US 172.67.177.160:443 flingtrainer.com tcp
US 172.67.177.160:443 flingtrainer.com tcp

Files

memory/1684-54-0x0000000000470000-0x00000000004AE000-memory.dmp

memory/1684-55-0x000000001AC7C000-0x000000001AC9B000-memory.dmp

memory/1684-56-0x000000001AC7C000-0x000000001AC9B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-07 08:16

Reported

2022-07-07 14:23

Platform

win10v2004-20220414-en

Max time kernel

91s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952.exe"

Signatures

(none recorded for this run; the "Program crash" entry in the summary corresponds to the WerFault.exe invocations listed under Processes, all of which name the same crashed process, -p 4312)

Processes

C:\Users\Admin\AppData\Local\Temp\469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952.exe

"C:\Users\Admin\AppData\Local\Temp\469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 436 -p 4312 -ip 4312

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4312 -s 1164

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 472 -p 4312 -ip 4312

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4312 -s 1164

Network

Country Destination Domain Proto
NL 88.221.144.192:80 - tcp
FR 2.18.109.224:443 - tcp
US 104.18.25.243:80 - tcp
NL 13.69.109.131:443 - tcp
US 204.79.197.203:80 - tcp
NL 8.248.3.254:80 - tcp
NL 8.248.3.254:80 - tcp
US 8.251.167.126:80 - tcp
(no domain was recorded for any destination in this run; "-" marks the empty Domain column)
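The Network tables of both behavioral runs, turned into indicators by an added Python example (not code from the report or from the sandbox vendor). It assumes the column layout used above (Country, Destination, Domain, Proto, with Domain blank or "-" when no name was resolved), treats a port 53/udp row as the lookup rather than a contact, and carries its own list of public resolvers so that 8.8.8.8 is not promoted to an indicator; the bare Win10 addresses are kept apart as unattributed rather than given any meaning the report does not supply.

```python
"""Pull network indicators out of Triage-style 'Network' tables.

Added example, not code from the report or the sandbox vendor. The two
tables below are the report's own rows, embedded here as constructed input.
"""
import ipaddress
import re
from collections import defaultdict

BEHAVIORAL1_NET = """\
US 8.8.8.8:53 flingtrainer.com udp
US 172.67.177.160:443 flingtrainer.com tcp
US 172.67.177.160:443 flingtrainer.com tcp
"""

BEHAVIORAL2_NET = """\
NL 88.221.144.192:80 tcp
FR 2.18.109.224:443 tcp
US 104.18.25.243:80 tcp
NL 13.69.109.131:443 tcp
US 204.79.197.203:80 tcp
NL 8.248.3.254:80 tcp
NL 8.248.3.254:80 tcp
US 8.251.167.126:80 tcp
"""

# country  ip:port  [domain | -]  proto -- the Domain column is optional
# because the report leaves it blank (or "-") when no name was resolved.
ROW_RE = re.compile(
    r"^(?P<country>[A-Z]{2})\s+"
    r"(?P<ip>[0-9A-Fa-f.:]+?):(?P<port>\d{1,5})\s+"
    r"(?:(?P<domain>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+|-)\s+)?"
    r"(?P<proto>tcp|udp)$"
)

# Public recursive resolvers (assumption: this list is ours, not the report's).
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}


def parse_network_rows(text):
    """Parse one Network table into dicts; reject rows that do not fit the layout."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised network row: {line!r}")
        ip = str(ipaddress.ip_address(m["ip"]))  # validates and normalises
        domain = None if m["domain"] in (None, "-") else m["domain"]
        rows.append({"country": m["country"], "ip": ip, "port": int(m["port"]),
                     "domain": domain, "proto": m["proto"]})
    return rows


def extract_iocs(rows):
    """Split rows into DNS lookups, name-attributed contacts and bare-IP contacts.

    Bare IPs with no resolved name (every row of the Win10 run) are kept
    apart: without a domain or payload evidence they cannot be told from OS
    background traffic and should not go straight onto a blocklist.
    """
    dns, attributed, unattributed = [], defaultdict(set), set()
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":
            dns.append({"domain": r["domain"], "resolver": r["ip"],
                        "public_resolver": r["ip"] in PUBLIC_RESOLVERS})
        elif r["domain"]:
            attributed[r["ip"]].add(r["domain"])
        else:
            unattributed.add(r["ip"])
    domains = {d["domain"] for d in dns if d["domain"]}
    domains |= {name for names in attributed.values() for name in names}
    return {
        "dns": dns,
        "domains": sorted(domains),
        "attributed": {ip: sorted(names) for ip, names in attributed.items()},
        "unattributed": sorted(unattributed, key=ipaddress.ip_address),
    }


if __name__ == "__main__":
    for run, table in (("behavioral1", BEHAVIORAL1_NET), ("behavioral2", BEHAVIORAL2_NET)):
        print(run, extract_iocs(parse_network_rows(table)))
```

Run as-is it prints one indicator set per run: the Win7 run yields flingtrainer.com and the address it resolved to, the Win10 run yields only unattributed addresses, which is the reason the two runs should not be merged into a single blocklist without further corroboration.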

Files

memory/4312-130-0x00007FFBFA0B0000-0x00007FFBFAB71000-memory.dmp

memory/4312-131-0x00007FFBFA0B0000-0x00007FFBFAB71000-memory.dmp
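To tie the crash the summary reports to the process whose memory was dumped, this added Python example (not the report's or the sandbox vendor's code) parses the WerFault.exe command lines and the memory dump file names from both runs above. It reads -p (and -ip) as the PID of the crashing process and -s as a per-invocation handle value, which is the usual reading of WerFault's arguments rather than something the report states, and it infers the dump naming memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp from the entries listed; the address threshold used to flag high user-mode regions is the example's own assumption.

```python
"""Tie the WerFault.exe entries to the dumped process in a Triage report.

Added example; not code from the report or from the sandbox vendor. The
process command lines and dump file names below are the report's own
entries for both behavioral runs, embedded here as constructed input.
"""
import re

PROCESSES = {
    "behavioral1": [
        r'"C:\Users\Admin\AppData\Local\Temp\469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952.exe"',
    ],
    "behavioral2": [
        r'"C:\Users\Admin\AppData\Local\Temp\469991eb95c8b527fc7090d2d63de0c36a91adea2078c89cfc8f8621456f3952.exe"',
        r"C:\Windows\system32\WerFault.exe -pss -s 436 -p 4312 -ip 4312",
        r"C:\Windows\system32\WerFault.exe -u -p 4312 -s 1164",
        r"C:\Windows\system32\WerFault.exe -pss -s 472 -p 4312 -ip 4312",
        r"C:\Windows\system32\WerFault.exe -u -p 4312 -s 1164",
    ],
}

DUMPS = {
    "behavioral1": [
        "memory/1684-54-0x0000000000470000-0x00000000004AE000-memory.dmp",
        "memory/1684-55-0x000000001AC7C000-0x000000001AC9B000-memory.dmp",
        "memory/1684-56-0x000000001AC7C000-0x000000001AC9B000-memory.dmp",
    ],
    "behavioral2": [
        "memory/4312-130-0x00007FFBFA0B0000-0x00007FFBFAB71000-memory.dmp",
        "memory/4312-131-0x00007FFBFA0B0000-0x00007FFBFAB71000-memory.dmp",
    ],
}

# Only the real binary under system32 counts; a sample dropped elsewhere
# under the same name must not be mistaken for the crash handler.
WERFAULT_RE = re.compile(r"\\system32\\WerFault\.exe(?:\s|$)", re.IGNORECASE)
FLAG_RE = re.compile(r"(?<!\S)-(p|ip|s)\s+(\d+)")
MODE_RE = re.compile(r"(?<!\S)-(pss|u)(?!\S)")

# Assumed dump naming: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# Assumption: regions at the top of the x64 user address space, where 64-bit
# Windows maps its ASLR'd system DLLs, are image mappings rather than sample heap.
HIGH_USER_BASE = 0x7FF000000000


def parse_werfault_args(cmdline):
    """Return {'pid', 'mode', 'handle'} for a WerFault.exe line, else None.

    Reading (assumed, not stated by the report): -p and -ip carry the PID of
    the crashing process; -s is a per-invocation handle value, not a PID.
    """
    if not WERFAULT_RE.search(cmdline):
        return None
    flags = {name: int(value) for name, value in FLAG_RE.findall(cmdline)}
    if "p" not in flags:
        raise ValueError(f"WerFault line without -p: {cmdline!r}")
    if "ip" in flags and flags["ip"] != flags["p"]:
        raise ValueError(f"-p and -ip disagree: {cmdline!r}")
    modes = MODE_RE.findall(cmdline)
    return {"pid": flags["p"], "mode": modes[0] if modes else None, "handle": flags.get("s")}


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region: {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end,
            "size": end - start, "high_user_range": start >= HIGH_USER_BASE}


def crash_summary(cmdlines, dump_names):
    """Which PIDs WerFault handled, which PIDs were dumped, and where they overlap."""
    werfault = [info for info in map(parse_werfault_args, cmdlines) if info]
    dumps = [parse_dump_name(n) for n in dump_names]
    crashed = {w["pid"] for w in werfault}
    dumped = {d["pid"] for d in dumps}
    return {
        "werfault_calls": len(werfault),
        "crashed_pids": sorted(crashed),
        "dumped_pids": sorted(dumped),
        "crashed_and_dumped": sorted(crashed & dumped),
        "dump_bytes_by_pid": {pid: sum(d["size"] for d in dumps if d["pid"] == pid)
                              for pid in sorted(dumped)},
    }


if __name__ == "__main__":
    for run in PROCESSES:
        print(run, crash_summary(PROCESSES[run], DUMPS[run]))
```

For the Win7 run the result has no WerFault calls and dumps from PID 1684 only; for the Win10 run all four WerFault calls and both dumps name PID 4312, so the crashed process is the one that was dumped, and both of its dumped regions sit in the high x64 range, which means they are mapped-image memory rather than the sample's own heap.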