Malware Analysis Report

2024-12-08 02:32

Sample ID: 230810-spga9adh85
Target:    062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d
SHA256:    062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d
Tags:      r77 rootkit upx
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d

Threat Level: Known bad

The file 062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d was found to be: Known bad.

Malicious Activity Summary

Tags: r77 rootkit upx

Signatures (aggregated summary):

r77 rootkit payload
r77
R77 family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

Three of these (Loads dropped DLL, Suspicious use of SetWindowsHookEx, Suspicious use of WriteProcessMemory) appear only in this summary; neither behavioral run below records a matching signature, so the page gives no detail to support them. Modifies system certificate store is recorded only in the Windows 7 run (behavioral1), not in the Windows 10 run (behavioral2).

MITRE ATT&CK

Enterprise Matrix V15: no technique mappings are reproduced on this page.

Analysis: static1

Detonation Overview

Reported: 2023-08-10 15:17

Signatures

R77 family
r77
r77 rootkit payload
  Description Indicator Process Target
  N/A N/A N/A N/A
  (static match only; no indicator details recorded)

Unsigned PE
  Description Indicator Process Target
  N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2023-08-10 15:17
Reported:         2023-08-10 15:20
Platform:         win7-20230712-en
Max time kernel:  150s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d.exe"

Signatures

r77
rootkit r77
r77 rootkit payload
  Description Indicator Process Target
  N/A N/A N/A N/A
  N/A N/A N/A N/A
  (2 hits, no indicator details recorded)

Executes dropped EXE
  Description Indicator Process Target
  N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A

UPX packed file

upx
  Description Indicator Process Target
  24 hits, all with Description, Indicator, Process and Target recorded as N/A
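What a "UPX packed file" signature like the one above looks at is the PE section table, and the following is an added example of such a check written for this page; it is not the sandbox's own rule and not code from the r77 project or the sample. Stock UPX output keeps the section names UPX0/UPX1 and carries a "UPX!" loader-info marker, but UPX can be told to rename its sections, so the example also scores the layout that renaming does not hide: a first section with no raw data (the unpack destination) followed by a high-entropy section (the compressed payload). `build_pe` and the two images it produces are constructed test input assumed for the demonstration, not the files from this report.

```python
import hashlib
import math
import struct

# Static UPX indicators scored from a PE image. Three signals are combined:
#   names  - section names starting with "UPX" (stock UPX output)
#   magic  - the "UPX!" loader-info marker somewhere in the file
#   layout - first section has no raw data (unpack destination) and the
#            next section is high-entropy (compressed payload); survives
#            section renaming, which the other two signals do not

def _entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(pe: bytes) -> list:
    """Walk the section table of a PE image; returns one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    secs = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        secs.append({"name": name.rstrip(b"\0").decode("latin-1"),
                     "vsize": vsize, "vaddr": vaddr, "rsize": rsize,
                     "entropy": round(_entropy(raw), 2)})
    return secs

def upx_indicators(pe: bytes) -> dict:
    """Score the three indicators; 'score' is how many of them fired."""
    secs = pe_sections(pe)
    names = [s["name"] for s in secs]
    layout = (len(secs) >= 2 and secs[0]["rsize"] == 0
              and secs[0]["vsize"] > 0 and secs[1]["entropy"] > 7.0)
    hits = {"names": any(n.startswith("UPX") for n in names),
            "magic": b"UPX!" in pe,
            "layout": layout}
    hits["score"] = sum(hits.values())
    hits["sections"] = names
    return hits

def build_pe(sections) -> bytes:
    """Assemble a minimal, non-runnable PE32 image from (name, vsize, raw) tuples.
    Constructed test input only: zeroed optional header, 512-byte file alignment."""
    nsec, opt_size = len(sections), 0xE0
    data_off = (0x40 + 4 + 20 + opt_size + 40 * nsec + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)     # PE32 magic
    table, body, vaddr = b"", b"", 0x1000
    for name, vsize, raw in sections:
        rptr = data_off + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(raw), rptr, 0, 0, 0, 0, 0x60000020)
        body += raw + b"\0" * ((-len(raw)) % 0x200)
        vaddr += (vsize + 0xFFF) & ~0xFFF
    head = dos + b"PE\0\0" + coff + opt + table
    return head + b"\0" * (data_off - len(head)) + body

def _noise(n: int, seed: bytes = b"upx-demo") -> bytes:
    """Deterministic high-entropy filler standing in for compressed data."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]

# Constructed samples: a UPX-style layout and a plain, unpacked layout.
PACKED = build_pe([(b"UPX0", 0x20000, b""),
                   (b"UPX1", 0x8000, b"\x60\xbe" + _noise(0x3000) + b"UPX!" + _noise(0x200, b"tail")),
                   (b".rsrc", 0x1000, b"\0" * 0x200)])
CLEAN = build_pe([(b".text", 0x1000, b"\x90" * 0x400 + b"\xc3"),
                  (b".data", 0x1000, b"hello\0" * 100)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("clean", CLEAN)):
        print(label, upx_indicators(img))
```

Run it against the dropped a.exe or the sample itself by passing the file bytes to `upx_indicators`. A score of 1 from the layout signal alone is worth a manual look (other packers produce the same shape); names or magic together with the layout is as close to a definite UPX verdict as a static check gets, and the memory dumps in the Files section are where the unpacked image will be.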

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = <blob data not reproduced> C:\Users\Admin\AppData\Local\Temp\a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = <blob data not reproduced> C:\Users\Admin\AppData\Local\Temp\a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = <blob data not reproduced> C:\Users\Admin\AppData\Local\Temp\a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = <blob data not reproduced> C:\Users\Admin\AppData\Local\Temp\a.exe N/A

The two thumbprints belong to publicly known roots: DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is DST Root CA X3 (IdenTrust) and CABD2A79A1076A31F21D253635CB039D4329A5E8 is ISRG Root X1 (Let's Encrypt). Together with the HTTP fetches from apps.identrust.com and x2.c.lencr.org in the Network section and the Cab*.tmp, Tar*.tmp and CryptnetUrlCache entries under Files, this is consistent with Windows 7's automatic root-certificate update running inside a.exe when it opened the HTTPS connection to flingtrainer.com, rather than with deliberate trust-store tampering; the same signature does not fire in the Windows 10 run. It remains worth confirming on an affected host that the Blob under each key actually holds the certificate its name claims.
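The Blob values above use Windows' serialized certificate-context layout: a sequence of property elements, each a DWORD property id, a DWORD reserved field (observed as 1), a DWORD length and the data, ending with property 32 (CERT_CERT_PROP_ID), which is the DER certificate itself; the subkey name is that certificate's SHA-1 thumbprint. The check a responder wants is whether the key name still matches the certificate stored under it. The parser below is an added example written for this page, not part of the sandbox report or of any tool it names, and the element layout is stated from my own knowledge of the format, so verify it against a blob exported from your own machine before relying on it. The input is constructed: a placeholder byte string stands in for a DER certificate because the report does not reproduce the real blob data, and `build_blob` exists only to fabricate that input.

```python
import hashlib
import struct

# Property ids in the serialized certificate-context format Windows writes to
# HKLM\SOFTWARE\Microsoft\SystemCertificates\<store>\Certificates\<SHA1>\Blob.
# Each element is: DWORD prop_id, DWORD reserved (observed as 1), DWORD length, data.
# The list ends with prop 32, the DER certificate; the subkey name is its SHA-1.
CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 32

def parse_cert_blob(blob: bytes) -> dict:
    """Split a Blob value into {prop_id: data}; raises on malformed input."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError(f"element {prop_id} at offset {off - 12} overruns blob")
        props[prop_id] = blob[off:off + length]
        off += length
        if prop_id == CERT_CERT_PROP_ID:
            break
    if CERT_CERT_PROP_ID not in props:
        raise ValueError("blob has no certificate element (prop 32)")
    if off != len(blob):
        raise ValueError("trailing bytes after the certificate element")
    return props

def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint in the upper-case hex form Windows uses for key names."""
    return hashlib.sha1(der).hexdigest().upper()

def check_store_entry(key_name: str, blob: bytes) -> dict:
    """Consistency checks for one Certificates\\<key_name>\\Blob registry entry."""
    props = parse_cert_blob(blob)
    computed = thumbprint(props[CERT_CERT_PROP_ID])
    result = {"thumbprint": computed,
              "key_matches_cert": computed == key_name.upper(),
              "hash_prop_matches_cert": True}
    if CERT_SHA1_HASH_PROP_ID in props:   # cached hash, if the store wrote one
        cached = props[CERT_SHA1_HASH_PROP_ID].hex().upper()
        result["hash_prop_matches_cert"] = cached == computed
    return result

def build_blob(der: bytes, sha1_prop: bytes = b"") -> bytes:
    """Serialize elements in the Blob layout. Used only to construct test input."""
    elems = ([(CERT_SHA1_HASH_PROP_ID, sha1_prop)] if sha1_prop else []) + [(CERT_CERT_PROP_ID, der)]
    return b"".join(struct.pack("<III", pid, 1, len(d)) + d for pid, d in elems)

# Constructed input: placeholder bytes standing in for a DER certificate
# (not a real certificate); the report does not reproduce the actual blobs.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
GOOD_KEY = thumbprint(FAKE_DER)
GOOD_BLOB = build_blob(FAKE_DER, hashlib.sha1(FAKE_DER).digest())

# Tampered case: a different certificate written under the same key name with
# the cached SHA-1 property left untouched, so both checks should fail.
OTHER_DER = b"\x30\x82\x01\x00" + bytes(reversed(range(256)))
TAMPERED_BLOB = build_blob(OTHER_DER, hashlib.sha1(FAKE_DER).digest())

if __name__ == "__main__":
    print("good     ", check_store_entry(GOOD_KEY, GOOD_BLOB))
    print("tampered ", check_store_entry(GOOD_KEY, TAMPERED_BLOB))
```

On a live host the bytes come from `Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\<thumbprint>' -Name Blob` (or an offline hive, which is the safer source if the host may still be running a user-mode rootkit that filters what API-based tools see). A consistent entry is necessary but not sufficient: an attacker-added root is perfectly self-consistent, so the key name itself still has to be checked against the roots you expect, which for the two keys in this report are DST Root CA X3 and ISRG Root X1.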

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
64 hits, all with Description, Indicator and Target recorded as N/A:
  20 x C:\Users\Admin\AppData\Local\Temp\062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d.exe
  44 x C:\Users\Admin\AppData\Local\Temp\a.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A

a.exe enabling SeDebugPrivilege lets it open processes it does not own. Read together with the EnumeratesProcesses hits from the same process, this is the expected footprint of a user-mode rootkit such as r77 locating the processes it will inject into; the page records no kernel-driver activity.

Processes

C:\Users\Admin\AppData\Local\Temp\062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d.exe"

C:\Users\Admin\AppData\Local\Temp\a.exe   (the dropped executable, see Executes dropped EXE)
  command line: C:\Users\Admin\AppData\Local\Temp\\a.exe
  (the doubled backslash before a.exe is as recorded; it is a usable command-line pivot)

Network

Country Destination Domain Proto
US 8.8.8.8:53 flingtrainer.com udp
US 104.26.1.11:443 flingtrainer.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.169:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
NL 23.222.33.142:80 x2.c.lencr.org tcp

8.8.8.8 is the sandbox's resolver. The only sample-driven connection is the HTTPS session to flingtrainer.com; 104.26.1.11 lies in Cloudflare's address space, so pivot on the domain rather than the IP. The plain-HTTP fetches from apps.identrust.com (IdenTrust) and x2.c.lencr.org (Let's Encrypt) are consistent with Windows CryptoAPI validating that session's certificate chain, not with command-and-control. What was requested over the HTTPS session is not visible in this report.

Files

Memory dumps of PID 2488, one region 0x0000000010000000-0x000000001003F000 (0x3F000 bytes) captured 24 times:
  memory/2488-<n>-0x0000000010000000-0x000000001003F000-memory.dmp
  n = 55, 56, 57, 59, 61, 63, 65, 67, 69, 71, 73, 75, 77, 79, 81, 83, 85, 87, 89, 91, 93, 95, 97, 110

Memory dumps of PID 2900:
  memory/2900-102-0x0000000000150000-0x0000000000182000-memory.dmp
  memory/2900-<n>-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp   n = 103, 188
  memory/2900-<n>-0x000000001AF50000-0x000000001AFD0000-memory.dmp   n = 104, 105, 106, 189

0x10000000 is the conventional image base for 32-bit DLLs, so the repeatedly dumped region in PID 2488 is most likely a loaded module rather than the executable's own image; it is the first place to look for the unpacked r77 payload.

C:\Users\Admin\AppData\Local\Temp\a.exe
(listed twice in the source report, once as \Users\Admin\AppData\Local\Temp\a.exe, with identical hashes)

MD5 eb3295617d26a4902d2c51fc8ca4c9b7
SHA1 c1cc56cac046678b5373ff473da1560b35cd4ca6
SHA256 f5e0c4f0ef809417d2fcde05fcc037308a323383226169c56912ae401e996bab
SHA512 f3fc1575075da3c875cb80e4d414a161d2c84be00febb7dacdfeab0f783117fd09984a95f5cf5863ccfa60069492a5e0313d183e01febb54b8b630ed3274eb66

C:\Users\Admin\AppData\Local\Temp\CabA24A.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\TarA52A.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 33735152611d17441b96093cc0d2ba3b
SHA1 8a1ad97e4f0e258f9fef68bc1bd197c273832ba7
SHA256 55186be2ce986e633141df72e4705db0fdc3787b27f5eff00fa18817632ba4ee
SHA512 b7c81934319fd549a82f8c8da19db65fba96f7ae42de2f479fc39ec3b90f584160012141896493d80e4bfbe6d8b1dd7fa247a060e34a214bee20e9a6c5a192ea

The Cab*.tmp, Tar*.tmp and CryptnetUrlCache entries are the usual by-products of Windows CryptoAPI downloading root-certificate and revocation data; they are written by the OS, not dropped by the sample, and their hashes are not useful as indicators of this malware.

Analysis: behavioral2

Detonation Overview

Submitted:        2023-08-10 15:17
Reported:         2023-08-10 15:20
Platform:         win10v2004-20230703-en
Max time kernel:  151s
Max time network: 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d.exe"

Signatures

r77
rootkit r77
r77 rootkit payload
  Description Indicator Process Target
  N/A N/A N/A N/A
  N/A N/A N/A N/A
  (2 hits, no indicator details recorded)

Executes dropped EXE
  Description Indicator Process Target
  N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A

UPX packed file

upx
  Description Indicator Process Target
  27 hits, all with Description, Indicator, Process and Target recorded as N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
64 hits, all with Description, Indicator and Target recorded as N/A:
   4 x C:\Users\Admin\AppData\Local\Temp\062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d.exe
  60 x C:\Users\Admin\AppData\Local\Temp\a.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\062b22dd37329423720a6c6af5bf50a756418baa930c5681e5cd7ebc9ceea88d.exe"

C:\Users\Admin\AppData\Local\Temp\a.exe   (the dropped executable, see Executes dropped EXE)
  command line: C:\Users\Admin\AppData\Local\Temp\\a.exe
  (the doubled backslash before a.exe is as recorded, the same as in the Windows 7 run)

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 254.143.241.8.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 flingtrainer.com udp
US 104.26.1.11:443 flingtrainer.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
NL 23.222.33.142:80 x2.c.lencr.org tcp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
US 8.8.8.8:53 11.1.26.104.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp

The in-addr.arpa queries are reverse (PTR) lookups, consistent with the Windows 10 guest's own background connections rather than with the sample; they are not indicators. The sample-driven traffic is the same HTTPS session to flingtrainer.com seen in the Windows 7 run, again via a Cloudflare address, so pivot on the domain. The x2.c.lencr.org fetch is Let's Encrypt certificate-chain validation; no apps.identrust.com fetch occurs in this run, which is consistent with the certificate-store signature not firing here.

Files

Memory dumps of PID 3472, one region 0x0000000010000000-0x000000001003F000 (0x3F000 bytes, the same size and address as in the Windows 7 run) captured 26 times:
  memory/3472-<n>-0x0000000010000000-0x000000001003F000-memory.dmp
  n = 133, 134, 135, 136, 138, 140, 142, 144, 146, 148, 150, 152, 154, 156, 158, 160, 162, 164, 166, 168, 170, 172, 174, 176, 178, 179

C:\Users\Admin\AppData\Local\Temp\a.exe
(listed twice in the source report with identical hashes; same file as in the Windows 7 run)

MD5 eb3295617d26a4902d2c51fc8ca4c9b7
SHA1 c1cc56cac046678b5373ff473da1560b35cd4ca6
SHA256 f5e0c4f0ef809417d2fcde05fcc037308a323383226169c56912ae401e996bab
SHA512 f3fc1575075da3c875cb80e4d414a161d2c84be00febb7dacdfeab0f783117fd09984a95f5cf5863ccfa60069492a5e0313d183e01febb54b8b630ed3274eb66

Memory dumps of PID 3144:
  memory/3144-<n>-0x00007FFEEA6E0000-0x00007FFEEB1A1000-memory.dmp   n = 183, 201
  memory/3144-<n>-0x0000018B26400000-0x0000018B26410000-memory.dmp   n = 184, 185, 186, 187, 188, 189, 202, 203, 204, 205, 206, 207
  memory/3144-<n>-0x0000018B434D0000-0x0000018B435D0000-memory.dmp   n = 193, 194, 208, 209