Analysis Overview
SHA256
c35f13bc1fe366e3537488b9f89f11a6a4f43064ac6f08f4c40ed80d851db952
Threat Level: Known bad
The file Evil West v1.0.3 Plus 16 Trainer.exe was found to be: Known bad.
Malicious Activity Summary
R77 family
r77 rootkit payload
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-12-28 00:38
Signatures
R77 family
r77 rootkit payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-12-28 00:38
Reported
2022-12-28 00:41
Platform
win7-20220901-en
Max time kernel
93s
Max time network
74s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Evil West v1.0.3 Plus 16 Trainer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Evil West v1.0.3 Plus 16 Trainer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Evil West v1.0.3 Plus 16 Trainer.exe
"C:\Users\Admin\AppData\Local\Temp\Evil West v1.0.3 Plus 16 Trainer.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | flingtrainer.com | udp |
| N/A | 104.21.35.160:443 | flingtrainer.com | tcp |
| N/A | 104.21.35.160:443 | flingtrainer.com | tcp |
Files
memory/1716-54-0x0000000001BB0000-0x0000000001BE2000-memory.dmp
memory/1716-55-0x0000000001BA0000-0x0000000001BAA000-memory.dmp
memory/1716-56-0x0000000001BA0000-0x0000000001BAA000-memory.dmp
memory/1716-57-0x000000000283A000-0x0000000002859000-memory.dmp
memory/1716-58-0x0000000001BA0000-0x0000000001BAA000-memory.dmp
memory/1716-59-0x0000000001BA0000-0x0000000001BAA000-memory.dmp
memory/1716-60-0x000000000283A000-0x0000000002859000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-12-28 00:38
Reported
2022-12-28 00:42
Platform
win10v2004-20220812-en
Max time kernel
150s
Max time network
143s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Evil West v1.0.3 Plus 16 Trainer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Evil West v1.0.3 Plus 16 Trainer.exe
"C:\Users\Admin\AppData\Local\Temp\Evil West v1.0.3 Plus 16 Trainer.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | flingtrainer.com | udp |
| N/A | 172.67.177.160:443 | flingtrainer.com | tcp |
| N/A | 13.69.239.72:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
Files
memory/2236-132-0x0000026BCE610000-0x0000026BCE642000-memory.dmp
memory/2236-133-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmp
memory/2236-134-0x0000026BEEE60000-0x0000026BEEE68000-memory.dmp
memory/2236-135-0x0000026BEDAC0000-0x0000026BEDAF8000-memory.dmp
memory/2236-136-0x0000026BEDA90000-0x0000026BEDA9E000-memory.dmp
memory/2236-137-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmp