r77 | ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd

Analysis

max time kernel
191s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2022 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
Size

3.1MB
MD5

5f765eee8482e0aa6d22dbd636e743d7
SHA1

29b17065b28763c7b464bc30077ffc9441feae45
SHA256

ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd
SHA512

41d3c379c444cb0d0f7189585cb927090c02035c1c6f20ee6da0864130ba1d675a273c49c00d9d353d78ee435b368d52225170e55d998953b3f1142aa4164f28
SSDEEP

49152:mBEhaAKIT0yjox5za99WrhPCqN69x526qvsPIdCV7LGDOvhAyGWv4uAcZ6e7ur3:3365za99W5k9/zwCVdNG020W

Score

10^/10

r77 rootkit upx

Malware Config

Signatures

r77
r77 is an open-source, userland rootkit.
rootkit r77

r77 rootkit payload 2 IoCs

Detects the payload of the r77 rootkit.

resource	yara_rule
behavioral2/files/0x0008000000022e07-177.dat	r77_payload
behavioral2/files/0x0008000000022e07-178.dat	r77_payload

Executes dropped EXE 1 IoCs

pid	Process
2312	a.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4960-132-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-133-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-134-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-136-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-140-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-142-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-138-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-146-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-144-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-148-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-152-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-150-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-154-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-156-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-162-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-164-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-168-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-170-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-172-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-166-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-174-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-160-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-158-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4960-175-0x0000000010000000-0x000000001003F000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
2312	a.exe
2312	a.exe
2312	a.exe
2312	a.exe
2312	a.exe
2312	a.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
2312	a.exe
2312	a.exe
2312	a.exe
2312	a.exe
2312	a.exe
2312	a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	a.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 2312	4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe	82
PID 4960 wrote to memory of 2312	4960	ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe	82

C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe
"C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\a.exe
  C:\Users\Admin\AppData\Local\Temp\\a.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.exe

Filesize
1.2MB

MD5
75af6cf8ac44a8dc4136ea679c292511

SHA1
74c7b0327d5fa311dbbfc9658965326507162c29

SHA256
539304ee93b2f6872d2474d7a217986864f82e0acfd8f1a73fb8d303ec6e72f1

SHA512
ff53a23d32ae9da3fc19c1ba84dcf2146e1c63c20c8d53cc51281f0588b8e91101d102bd536d822c1b1e2578d7b7ce7007d364e7a4737ba135a4c66343df78e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.exe

Filesize
1.2MB

MD5
75af6cf8ac44a8dc4136ea679c292511

SHA1
74c7b0327d5fa311dbbfc9658965326507162c29

SHA256
539304ee93b2f6872d2474d7a217986864f82e0acfd8f1a73fb8d303ec6e72f1

SHA512
ff53a23d32ae9da3fc19c1ba84dcf2146e1c63c20c8d53cc51281f0588b8e91101d102bd536d822c1b1e2578d7b7ce7007d364e7a4737ba135a4c66343df78e8

Download Submit
memory/2312-184-0x00007FFAD9BA0000-0x00007FFADA661000-memory.dmp

Filesize
10.8MB

Download
memory/2312-183-0x0000027F74F80000-0x0000027F74F8E000-memory.dmp

Filesize
56KB

Download
memory/2312-182-0x0000027F74FB0000-0x0000027F74FE8000-memory.dmp

Filesize
224KB

Download
memory/2312-181-0x0000027F76350000-0x0000027F76358000-memory.dmp

Filesize
32KB

Download
memory/2312-180-0x00007FFAD9BA0000-0x00007FFADA661000-memory.dmp

Filesize
10.8MB

Download
memory/2312-179-0x0000027F54930000-0x0000027F54962000-memory.dmp

Filesize
200KB

Download
memory/4960-144-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-174-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-150-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-154-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-156-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-162-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-164-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-168-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-170-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-172-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-166-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-152-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-160-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-158-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-175-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-148-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-132-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-146-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-138-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-142-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-140-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-136-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-134-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4960-133-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download