Malware Analysis Report

2024-12-08 02:31

Sample ID 230814-gsjd8saa73
Target e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493
SHA256 e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493
Tags
r77 rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493

Threat Level: Known bad

The file e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493 was found to be: Known bad.

Malicious Activity Summary

r77 rootkit upx

R77 family

r77

r77 rootkit payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Unsigned PE

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-14 06:03

Signatures

R77 family

r77

r77 rootkit payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-14 06:03

Reported

2023-08-14 06:06

Platform

win7-20230712-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe"

Signatures

r77

rootkit r77

r77 rootkit payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe

"C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe"

C:\Users\Admin\AppData\Local\Temp\a.exe

C:\Users\Admin\AppData\Local\Temp\\a.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 flingtrainer.com udp
US 104.26.1.11:443 flingtrainer.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.70:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
NL 23.222.33.142:80 x2.c.lencr.org tcp

Files

memory/2964-54-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-55-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-56-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-59-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-61-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-63-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-65-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-68-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-70-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-72-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-74-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-76-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-78-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-80-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-84-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-82-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-86-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-88-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-91-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-93-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-97-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-95-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-99-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2964-101-0x0000000010000000-0x000000001003F000-memory.dmp

\Users\Admin\AppData\Local\Temp\a.exe

MD5 3f1fdb5a55b85312fcc54b6f276bfc61
SHA1 d797a6d2746d30c6a8025fb23a00b6f761050f43
SHA256 7379cf675477c2048f21a1b32dbaeb225cd7d932bdf2f03aaa18a2a0c9e3aac2
SHA512 a6f064d7f75c8712137d5d3c17a1fd4f705777a410c89a2f7cc2e5ddea21dbb830236166ce25e92a3cd2fba3e9a20df55bd0f0ce9b66bdec54c074e9c3cc11e7

C:\Users\Admin\AppData\Local\Temp\a.exe

MD5 3f1fdb5a55b85312fcc54b6f276bfc61
SHA1 d797a6d2746d30c6a8025fb23a00b6f761050f43
SHA256 7379cf675477c2048f21a1b32dbaeb225cd7d932bdf2f03aaa18a2a0c9e3aac2
SHA512 a6f064d7f75c8712137d5d3c17a1fd4f705777a410c89a2f7cc2e5ddea21dbb830236166ce25e92a3cd2fba3e9a20df55bd0f0ce9b66bdec54c074e9c3cc11e7

memory/3056-105-0x0000000000340000-0x000000000037E000-memory.dmp

memory/3056-106-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

memory/3056-107-0x000000001AE90000-0x000000001AF10000-memory.dmp

memory/3056-108-0x000000001AE90000-0x000000001AF10000-memory.dmp

memory/3056-109-0x000000001AE90000-0x000000001AF10000-memory.dmp

memory/3056-110-0x000000001AE90000-0x000000001AF10000-memory.dmp

memory/3056-111-0x000000001AE90000-0x000000001AF10000-memory.dmp

\Users\Admin\AppData\Local\Temp\a.exe

MD5 3f1fdb5a55b85312fcc54b6f276bfc61
SHA1 d797a6d2746d30c6a8025fb23a00b6f761050f43
SHA256 7379cf675477c2048f21a1b32dbaeb225cd7d932bdf2f03aaa18a2a0c9e3aac2
SHA512 a6f064d7f75c8712137d5d3c17a1fd4f705777a410c89a2f7cc2e5ddea21dbb830236166ce25e92a3cd2fba3e9a20df55bd0f0ce9b66bdec54c074e9c3cc11e7

C:\Users\Admin\AppData\Local\Temp\Cab8E7C.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\Tar8FB7.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a77671c41f319327ad9eb58445a2459d
SHA1 08521a29df8a460994c652d398f585406d676fbc
SHA256 5892edbf121df28d36ca7960b505c518442fa46de9a0e6f1d1a494721f6a3116
SHA512 8753a47beaa8b91023e0e73ab578acec98e8a93990bcfd06447d241a5bfc030719a97fcab97d541df0177e17c873f580fddf1adc849bf7e9380354151a7a32a7

memory/3056-196-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

memory/3056-197-0x000000001AE90000-0x000000001AF10000-memory.dmp

memory/3056-198-0x000000001AE90000-0x000000001AF10000-memory.dmp

memory/3056-199-0x000000001AE90000-0x000000001AF10000-memory.dmp

memory/3056-200-0x000000001AE90000-0x000000001AF10000-memory.dmp

memory/3056-201-0x000000001AE90000-0x000000001AF10000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-14 06:03

Reported

2023-08-14 06:06

Platform

win10v2004-20230703-en

Max time kernel

151s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe"

Signatures

r77

rootkit r77

r77 rootkit payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe

"C:\Users\Admin\AppData\Local\Temp\e124d67c2826c790091a246499d7ee96afcc64654301fce55578e007bcc06493.exe"

C:\Users\Admin\AppData\Local\Temp\a.exe

C:\Users\Admin\AppData\Local\Temp\\a.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 flingtrainer.com udp
US 104.26.1.11:443 flingtrainer.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
NL 23.222.33.142:80 x2.c.lencr.org tcp
US 8.8.8.8:53 11.1.26.104.in-addr.arpa udp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

memory/2040-133-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-134-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-135-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-136-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-138-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-140-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-142-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-144-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-146-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-148-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-150-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-152-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-154-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-156-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-158-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-160-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-162-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-164-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-166-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-168-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-170-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-172-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-174-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-176-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2040-178-0x0000000010000000-0x000000001003F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a.exe

MD5 3f1fdb5a55b85312fcc54b6f276bfc61
SHA1 d797a6d2746d30c6a8025fb23a00b6f761050f43
SHA256 7379cf675477c2048f21a1b32dbaeb225cd7d932bdf2f03aaa18a2a0c9e3aac2
SHA512 a6f064d7f75c8712137d5d3c17a1fd4f705777a410c89a2f7cc2e5ddea21dbb830236166ce25e92a3cd2fba3e9a20df55bd0f0ce9b66bdec54c074e9c3cc11e7

C:\Users\Admin\AppData\Local\Temp\a.exe

MD5 3f1fdb5a55b85312fcc54b6f276bfc61
SHA1 d797a6d2746d30c6a8025fb23a00b6f761050f43
SHA256 7379cf675477c2048f21a1b32dbaeb225cd7d932bdf2f03aaa18a2a0c9e3aac2
SHA512 a6f064d7f75c8712137d5d3c17a1fd4f705777a410c89a2f7cc2e5ddea21dbb830236166ce25e92a3cd2fba3e9a20df55bd0f0ce9b66bdec54c074e9c3cc11e7

memory/4764-182-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

memory/4764-183-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp

memory/4764-184-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp

memory/4764-185-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp

memory/4764-186-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp

memory/4764-187-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp

memory/4764-200-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

memory/4764-201-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp

memory/4764-202-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp

memory/4764-203-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp

memory/4764-204-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp

memory/4764-205-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp

memory/4764-206-0x000001FCBE7E0000-0x000001FCBE7F0000-memory.dmp