r77 | 062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d

Analysis

max time kernel
151s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2023 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d.exe
Size

3.5MB
MD5

b426dc73d818eec7e5b334285b37b8bf
SHA1

f860399b5b724719deb548b173b6155ea847367e
SHA256

062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d
SHA512

ec8174fdecc1522e386ccfda010db98c626de3d15877a93e602a121510bd1a9b97bf8825d816ebe21358f7d339e1d2efe2a40cf772a149e171a5c71e091ad5f3
SSDEEP

49152:4YN7fndIGzMV/JOrWCOhKOUKMA9qT/kwonn/hAyGWv4uAd6e7uG:DbndwV8WCTljzkw6G0Z05

Score

10^/10

r77 rootkit upx

Malware Config

Signatures

r77
r77 is an open-source, userland rootkit.
rootkit r77

r77 rootkit payload 2 IoCs

Detects the payload of the r77 rootkit.

resource	yara_rule
behavioral2/files/0x000700000002307c-182.dat	r77_payload
behavioral2/files/0x000700000002307c-181.dat	r77_payload

Executes dropped EXE 1 IoCs

pid	Process
3144	a.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3472-133-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-134-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-135-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-136-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-138-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-140-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-142-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-144-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-146-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-148-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-150-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-152-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-154-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-156-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-158-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-160-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-162-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-164-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-166-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-168-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-170-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-172-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-176-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-174-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-178-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3472-179-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3144-193-0x0000018B434D0000-0x0000018B435D0000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3144	a.exe
3144	a.exe
3472	062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d.exe
3472	062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d.exe
3472	062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d.exe
3472	062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe
3144	a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3144	a.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3472	062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d.exe
3472	062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d.exe
3472	062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 3144	3472	062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d.exe	82
PID 3472 wrote to memory of 3144	3472	062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d.exe	82

C:\Users\Admin\AppData\Local\Temp\062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d.exe
"C:\Users\Admin\AppData\Local\Temp\062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Users\Admin\AppData\Local\Temp\a.exe
  C:\Users\Admin\AppData\Local\Temp\\a.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3144

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.exe

Filesize
1.6MB

MD5
eb3295617d26a4902d2c51fc8ca4c9b7

SHA1
c1cc56cac046678b5373ff473da1560b35cd4ca6

SHA256
f5e0c4f0ef809417d2fcde05fcc037308a323383226169c56912ae401e996bab

SHA512
f3fc1575075da3c875cb80e4d414a161d2c84be00febb7dacdfeab0f783117fd09984a95f5cf5863ccfa60069492a5e0313d183e01febb54b8b630ed3274eb66

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.exe

Filesize
1.6MB

MD5
eb3295617d26a4902d2c51fc8ca4c9b7

SHA1
c1cc56cac046678b5373ff473da1560b35cd4ca6

SHA256
f5e0c4f0ef809417d2fcde05fcc037308a323383226169c56912ae401e996bab

SHA512
f3fc1575075da3c875cb80e4d414a161d2c84be00febb7dacdfeab0f783117fd09984a95f5cf5863ccfa60069492a5e0313d183e01febb54b8b630ed3274eb66

Download Submit
memory/3144-194-0x0000018B434D0000-0x0000018B435D0000-memory.dmp

Filesize
1024KB

Download
memory/3144-193-0x0000018B434D0000-0x0000018B435D0000-memory.dmp

Filesize
1024KB

Download
memory/3144-206-0x0000018B26400000-0x0000018B26410000-memory.dmp

Filesize
64KB

Download
memory/3144-205-0x0000018B26400000-0x0000018B26410000-memory.dmp

Filesize
64KB

Download
memory/3144-204-0x0000018B26400000-0x0000018B26410000-memory.dmp

Filesize
64KB

Download
memory/3144-203-0x0000018B26400000-0x0000018B26410000-memory.dmp

Filesize
64KB

Download
memory/3144-202-0x0000018B26400000-0x0000018B26410000-memory.dmp

Filesize
64KB

Download
memory/3144-201-0x00007FFEEA6E0000-0x00007FFEEB1A1000-memory.dmp

Filesize
10.8MB

Download
memory/3144-208-0x0000018B434D0000-0x0000018B435D0000-memory.dmp

Filesize
1024KB

Download
memory/3144-207-0x0000018B26400000-0x0000018B26410000-memory.dmp

Filesize
64KB

Download
memory/3144-189-0x0000018B26400000-0x0000018B26410000-memory.dmp

Filesize
64KB

Download
memory/3144-188-0x0000018B26400000-0x0000018B26410000-memory.dmp

Filesize
64KB

Download
memory/3144-187-0x0000018B26400000-0x0000018B26410000-memory.dmp

Filesize
64KB

Download
memory/3144-186-0x0000018B26400000-0x0000018B26410000-memory.dmp

Filesize
64KB

Download
memory/3144-185-0x0000018B26400000-0x0000018B26410000-memory.dmp

Filesize
64KB

Download
memory/3144-184-0x0000018B26400000-0x0000018B26410000-memory.dmp

Filesize
64KB

Download
memory/3144-183-0x00007FFEEA6E0000-0x00007FFEEB1A1000-memory.dmp

Filesize
10.8MB

Download
memory/3144-209-0x0000018B434D0000-0x0000018B435D0000-memory.dmp

Filesize
1024KB

Download
memory/3472-152-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-156-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-176-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-174-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-178-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-179-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-170-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-168-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-166-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-164-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-162-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-160-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-158-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-172-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-154-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-133-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-150-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-148-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-146-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-144-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-142-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-140-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-138-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-136-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-135-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3472-134-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download