Analysis Overview
SHA256
138a610e2b046584a8b143f221960334f322ff507a888dc1ad8e754595c7dde5
Threat Level: Known bad
The file 138a610e2b046584a8b143f221960334f322ff507a888dc1ad8e754595c7dde5 was found to be: Known bad.
Malicious Activity Summary
R77 family
r77 rootkit payload
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-08-14 03:32
Signatures
R77 family
r77 rootkit payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-14 03:32
Reported
2023-08-14 03:35
Platform
win10v2004-20230703-en
Max time kernel
142s
Max time network
154s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\138a610e2b046584a8b143f221960334f322ff507a888dc1ad8e754595c7dde5.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
memory/4004-133-0x0000000180000000-0x0000000180269000-memory.dmp
memory/4004-135-0x0000000180000000-0x0000000180269000-memory.dmp
memory/4004-137-0x0000000180000000-0x0000000180269000-memory.dmp
memory/4004-139-0x0000000180000000-0x0000000180269000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-14 03:32
Reported
2023-08-14 03:35
Platform
win7-20230712-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\138a610e2b046584a8b143f221960334f322ff507a888dc1ad8e754595c7dde5.dll,#1
Network
Files
memory/2576-54-0x0000000180000000-0x0000000180269000-memory.dmp
memory/2576-56-0x0000000180000000-0x0000000180269000-memory.dmp
memory/2576-58-0x0000000180000000-0x0000000180269000-memory.dmp
memory/2576-60-0x0000000180000000-0x0000000180269000-memory.dmp