r77 | e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2023 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
Size

3.4MB
MD5

9aa9efd79dd46aca3b19e9e74693edc4
SHA1

0d822bbf96f4a06608b199463610a3834952982b
SHA256

e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493
SHA512

f90482f5f3a72db0973505d70cb67d30dabf36c0aa94bb46e9f915c87cc90f5fa592e5d370628427030ed6855bbd2912c4576b5341e714db70c43fea70e3ab1c
SSDEEP

49152:vOxQnlJI9I/3h7g0WmF7mCjux45thzJV7mcxqhAyGWv4uA+A6e7u:WElJI9JVamfm5tFJVycQG0N0

Score

10^/10

r77 rootkit upx

Malware Config

Signatures

r77
r77 is an open-source, userland rootkit.
rootkit r77

r77 rootkit payload 2 IoCs

Detects the payload of the r77 rootkit.

resource	yara_rule
behavioral2/files/0x000700000002320e-180.dat	r77_payload
behavioral2/files/0x000700000002320e-181.dat	r77_payload

Executes dropped EXE 1 IoCs

pid	Process
4764	a.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2040-133-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-134-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-135-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-136-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-138-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-140-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-142-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-144-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-146-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-148-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-150-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-152-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-154-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-156-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-158-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-160-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-162-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-164-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-166-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-168-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-170-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-172-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-174-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-176-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2040-178-0x0000000010000000-0x000000001003F000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe
4764	a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4764	a.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 4764	2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe	82
PID 2040 wrote to memory of 4764	2040	e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe	82

C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe
"C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\a.exe
  C:\Users\Admin\AppData\Local\Temp\\a.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.exe

Filesize
1.5MB

MD5
3f1fdb5a55b85312fcc54b6f276bfc61

SHA1
d797a6d2746d30c6a8025fb23a00b6f761050f43

SHA256
7379cf675477c2048f21a1b32dbaeb225cd7d932bdf2f03aaa18a2a0c9e3aac2

SHA512
a6f064d7f75c8712137d5d3c17a1fd4f705777a410c89a2f7cc2e5ddea21dbb830236166ce25e92a3cd2fba3e9a20df55bd0f0ce9b66bdec54c074e9c3cc11e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.exe

Filesize
1.5MB

MD5
3f1fdb5a55b85312fcc54b6f276bfc61

SHA1
d797a6d2746d30c6a8025fb23a00b6f761050f43

SHA256
7379cf675477c2048f21a1b32dbaeb225cd7d932bdf2f03aaa18a2a0c9e3aac2

SHA512
a6f064d7f75c8712137d5d3c17a1fd4f705777a410c89a2f7cc2e5ddea21dbb830236166ce25e92a3cd2fba3e9a20df55bd0f0ce9b66bdec54c074e9c3cc11e7

Download Submit
memory/2040-170-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-160-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-138-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-140-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-142-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-144-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-146-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-148-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-133-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-152-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-154-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-156-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-158-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-174-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-162-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-164-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-166-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-168-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-150-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-136-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-172-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-176-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-178-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-135-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2040-134-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4764-205-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp

Filesize
64KB

Download
memory/4764-183-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp

Filesize
64KB

Download
memory/4764-184-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp

Filesize
64KB

Download
memory/4764-185-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp

Filesize
64KB

Download
memory/4764-186-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp

Filesize
64KB

Download
memory/4764-187-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp

Filesize
64KB

Download
memory/4764-200-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/4764-201-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp

Filesize
64KB

Download
memory/4764-202-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp

Filesize
64KB

Download
memory/4764-203-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp

Filesize
64KB

Download
memory/4764-204-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp

Filesize
64KB

Download
memory/4764-182-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/4764-206-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp

Filesize
64KB

Download