Analysis Overview
SHA256
474f7d49a8d2dbd55cd9693702c6247c7df71b3a78dc0cb70e34dcaec50d2f23
Threat Level: Known bad
The file 474f7d49a8d2dbd55cd9693702c6247c7df71b3a78dc0cb70e34dcaec50d2f23 was found to be: Known bad.
Malicious Activity Summary
R77 family
r77 rootkit payload
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-09-07 14:08
Signatures
R77 family
r77 rootkit payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-07 14:08
Reported
2022-09-07 14:10
Platform
win7-20220812-en
Max time kernel
150s
Max time network
110s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\474f7d49a8d2dbd55cd9693702c6247c7df71b3a78dc0cb70e34dcaec50d2f23.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\474f7d49a8d2dbd55cd9693702c6247c7df71b3a78dc0cb70e34dcaec50d2f23.exe
"C:\Users\Admin\AppData\Local\Temp\474f7d49a8d2dbd55cd9693702c6247c7df71b3a78dc0cb70e34dcaec50d2f23.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | flingtrainer.com | udp |
| US | 172.67.177.160:443 | flingtrainer.com | tcp |
| US | 172.67.177.160:443 | flingtrainer.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-07 14:08
Reported
2022-09-07 14:10
Platform
win10v2004-20220812-en
Max time kernel
150s
Max time network
125s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\474f7d49a8d2dbd55cd9693702c6247c7df71b3a78dc0cb70e34dcaec50d2f23.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\474f7d49a8d2dbd55cd9693702c6247c7df71b3a78dc0cb70e34dcaec50d2f23.exe
"C:\Users\Admin\AppData\Local\Temp\474f7d49a8d2dbd55cd9693702c6247c7df71b3a78dc0cb70e34dcaec50d2f23.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | flingtrainer.com | udp |
| US | 104.21.35.160:443 | flingtrainer.com | tcp |
| IE | 13.69.239.72:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
Files