Analysis Overview
SHA256
8f37bd1b796e2d29fa2fdb2aea3f768e631cab7d2c2a070cebe58eb69f4fa778
Threat Level: Known bad
The file Rebel Inc Escalation v1.0 Plus 9 Trainer.exe was found to be: Known bad.
Malicious Activity Summary
R77 family
r77 rootkit payload
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-07-28 19:30
Signatures
R77 family
r77 rootkit payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-28 19:30
Reported
2023-07-28 19:31
Platform
win10v2004-20230703-de
Max time kernel
18s
Max time network
28s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Rebel Inc Escalation v1.0 Plus 9 Trainer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rebel Inc Escalation v1.0 Plus 9 Trainer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Rebel Inc Escalation v1.0 Plus 9 Trainer.exe
"C:\Users\Admin\AppData\Local\Temp\Rebel Inc Escalation v1.0 Plus 9 Trainer.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | flingtrainer.com | udp |
| US | 104.26.0.11:443 | flingtrainer.com | tcp |
| US | 8.8.8.8:53 | 145.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| CH | 23.201.254.55:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | 139.228.2.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.0.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.254.201.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| NL | 2.19.195.216:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 216.195.19.2.in-addr.arpa | udp |
Files