Overview

overview

10

Static

static

10

3a63992bc8...ff.exe

windows7-x64

10

3a63992bc8...ff.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/10/2023, 08:46 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe

  • Size

    2.5MB

  • MD5

    eaca518b1e134dcb313324dfe5be66fb

  • SHA1

    b4c66ccf5b67adb33ea9e6fa2c16e97f5d31f1df

  • SHA256

    3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff

  • SHA512

    697513968490a072ab468b44b0e7e84f7480703b6d31d16db3d75be90b004d116ae57e1367e1d8ce436d48f661c193551a23716da1513577395d218d03296797

  • SSDEEP

    49152:RSnEknyUzsrkl5daDwXt8aHc68V/V7L1T:GDn3z0kUDwXtfH+5V1T

Score
10/10
r77rootkitupx

Malware Config

Signatures

  • r77

    r77 is an open-source, userland rootkit.

    rootkitr77
  • r77 rootkit payload 2 IoCs

    Detects the payload of the r77 rootkit.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
    "C:\Users\Admin\AppData\Local\Temp\3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Users\Admin\AppData\Local\Temp\a.exe
      C:\Users\Admin\AppData\Local\Temp\\a.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4152

Network

  • flag-us
    DNS
    74.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    74.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    1.208.79.178.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.208.79.178.in-addr.arpa
    IN PTR
    Response
    1.208.79.178.in-addr.arpa
    IN PTR
    https-178-79-208-1amsllnwnet
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    254.178.238.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    254.178.238.8.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    10.179.89.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.179.89.13.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    74.32.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    74.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    1.208.79.178.in-addr.arpa
    dns
    71 B
     116 B
     1
    1

    DNS Request

    1.208.79.178.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    254.178.238.8.in-addr.arpa
    dns
    72 B
     126 B
     1
    1

    DNS Request

    254.178.238.8.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    10.179.89.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    10.179.89.13.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\a.exe
    Filesize

    1.3MB

    MD5

    d5e098531d6c0d3d59541f934b62dfba

    SHA1

    182489876f54e3f51fbcb468a04e18f5589f872c

    SHA256

    06b4d1399741e9af55f549e9940319e1ef6ddf42266662142c214d85fd1f72af

    SHA512

    b3c4a064c7603c0f737c805aee4b402634d8e1412a73c9a3acf5a2e9ad9d7e61ef06faa1e6ff3351caba6c2c7869dab6999f978ef6342019cc5a7a4da4660f33

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\a.exe
    Filesize

    1.3MB

    MD5

    d5e098531d6c0d3d59541f934b62dfba

    SHA1

    182489876f54e3f51fbcb468a04e18f5589f872c

    SHA256

    06b4d1399741e9af55f549e9940319e1ef6ddf42266662142c214d85fd1f72af

    SHA512

    b3c4a064c7603c0f737c805aee4b402634d8e1412a73c9a3acf5a2e9ad9d7e61ef06faa1e6ff3351caba6c2c7869dab6999f978ef6342019cc5a7a4da4660f33

    Download Submit

  • memory/2712-30-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-36-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-5-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-7-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-9-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-11-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-13-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-15-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-17-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-19-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-21-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-23-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-26-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-28-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-0-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-32-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-3-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-38-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-34-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-40-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-42-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-44-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-46-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-1-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2712-2-0x0000000010000000-0x000000001003F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4152-50-0x0000024AEEFB0000-0x0000024AEEFE2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4152-51-0x00007FF87A380000-0x00007FF87AE41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4152-53-0x0000024AEF970000-0x0000024AEF980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4152-52-0x0000024AEF970000-0x0000024AEF980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4152-54-0x0000024AEF970000-0x0000024AEF980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4152-55-0x0000024AEF970000-0x0000024AEF980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4152-56-0x0000024AEF970000-0x0000024AEF980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4152-57-0x00007FF87A380000-0x00007FF87AE41000-memory.dmp

    Filesize

    10.8MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.