Malware Analysis Report

2024-12-08 02:31

Sample ID 230814-d3y1wsha75
Target 138a610e2b046584a8b143f221960334f322ff507a888dc1ad8e754595c7dde5
SHA256 138a610e2b046584a8b143f221960334f322ff507a888dc1ad8e754595c7dde5
Tags
r77
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

138a610e2b046584a8b143f221960334f322ff507a888dc1ad8e754595c7dde5

Threat Level: Known bad

The file 138a610e2b046584a8b143f221960334f322ff507a888dc1ad8e754595c7dde5 was found to be: Known bad.

Malicious Activity Summary

r77

R77 family

r77 rootkit payload

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-08-14 03:32

Signatures

R77 family

r77

r77 rootkit payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-14 03:32

Reported

2023-08-14 03:35

Platform

win10v2004-20230703-en

Max time kernel

142s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\138a610e2b046584a8b143f221960334f322ff507a888dc1ad8e754595c7dde5.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\138a610e2b046584a8b143f221960334f322ff507a888dc1ad8e754595c7dde5.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

memory/4004-133-0x0000000180000000-0x0000000180269000-memory.dmp

memory/4004-135-0x0000000180000000-0x0000000180269000-memory.dmp

memory/4004-137-0x0000000180000000-0x0000000180269000-memory.dmp

memory/4004-139-0x0000000180000000-0x0000000180269000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-14 03:32

Reported

2023-08-14 03:35

Platform

win7-20230712-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\138a610e2b046584a8b143f221960334f322ff507a888dc1ad8e754595c7dde5.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\138a610e2b046584a8b143f221960334f322ff507a888dc1ad8e754595c7dde5.dll,#1

Network

N/A

Files

memory/2576-54-0x0000000180000000-0x0000000180269000-memory.dmp

memory/2576-56-0x0000000180000000-0x0000000180269000-memory.dmp

memory/2576-58-0x0000000180000000-0x0000000180269000-memory.dmp

memory/2576-60-0x0000000180000000-0x0000000180269000-memory.dmp