r77 | 3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2023 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
Size

2.5MB
MD5

eaca518b1e134dcb313324dfe5be66fb
SHA1

b4c66ccf5b67adb33ea9e6fa2c16e97f5d31f1df
SHA256

3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff
SHA512

697513968490a072ab468b44b0e7e84f7480703b6d31d16db3d75be90b004d116ae57e1367e1d8ce436d48f661c193551a23716da1513577395d218d03296797
SSDEEP

49152:RSnEknyUzsrkl5daDwXt8aHc68V/V7L1T:GDn3z0kUDwXtfH+5V1T

Score

10^/10

r77 rootkit upx

Malware Config

Signatures

r77
r77 is an open-source, userland rootkit.
rootkit r77

r77 rootkit payload 2 IoCs

Detects the payload of the r77 rootkit.

resource	yara_rule
behavioral2/files/0x0007000000022e7b-48.dat	r77_payload
behavioral2/files/0x0007000000022e7b-49.dat	r77_payload

Executes dropped EXE 1 IoCs

pid	Process
4152	a.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2712-0-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-2-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-1-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-3-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-5-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-7-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-9-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-11-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-13-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-15-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-17-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-19-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-21-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-23-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-26-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-28-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-30-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-32-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-34-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-36-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-38-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-40-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-42-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-44-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2712-46-0x0000000010000000-0x000000001003F000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4152	a.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 4152	2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe	86
PID 2712 wrote to memory of 4152	2712	3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe	86

C:\Users\Admin\AppData\Local\Temp\3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe
"C:\Users\Admin\AppData\Local\Temp\3a63992bc8760d45bd1e0887421fc7d510f490025109d5c1a7247d09ed2f14ff.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\AppData\Local\Temp\a.exe
  C:\Users\Admin\AppData\Local\Temp\\a.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.exe

Filesize
1.3MB

MD5
d5e098531d6c0d3d59541f934b62dfba

SHA1
182489876f54e3f51fbcb468a04e18f5589f872c

SHA256
06b4d1399741e9af55f549e9940319e1ef6ddf42266662142c214d85fd1f72af

SHA512
b3c4a064c7603c0f737c805aee4b402634d8e1412a73c9a3acf5a2e9ad9d7e61ef06faa1e6ff3351caba6c2c7869dab6999f978ef6342019cc5a7a4da4660f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.exe

Filesize
1.3MB

MD5
d5e098531d6c0d3d59541f934b62dfba

SHA1
182489876f54e3f51fbcb468a04e18f5589f872c

SHA256
06b4d1399741e9af55f549e9940319e1ef6ddf42266662142c214d85fd1f72af

SHA512
b3c4a064c7603c0f737c805aee4b402634d8e1412a73c9a3acf5a2e9ad9d7e61ef06faa1e6ff3351caba6c2c7869dab6999f978ef6342019cc5a7a4da4660f33

Download Submit
memory/2712-30-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-15-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-5-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-34-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-9-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-11-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-13-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-36-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-17-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-19-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-21-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-23-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-26-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-38-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-0-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-32-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-7-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-3-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-28-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-40-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-42-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-44-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-46-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-1-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2712-2-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4152-50-0x0000024AEEFB0000-0x0000024AEEFE2000-memory.dmp

Filesize
200KB

Download
memory/4152-51-0x00007FF87A380000-0x00007FF87AE41000-memory.dmp

Filesize
10.8MB

Download
memory/4152-53-0x0000024AEF970000-0x0000024AEF980000-memory.dmp

Filesize
64KB

Download
memory/4152-52-0x0000024AEF970000-0x0000024AEF980000-memory.dmp

Filesize
64KB

Download
memory/4152-54-0x0000024AEF970000-0x0000024AEF980000-memory.dmp

Filesize
64KB

Download
memory/4152-55-0x0000024AEF970000-0x0000024AEF980000-memory.dmp

Filesize
64KB

Download
memory/4152-56-0x0000024AEF970000-0x0000024AEF980000-memory.dmp

Filesize
64KB

Download
memory/4152-57-0x00007FF87A380000-0x00007FF87AE41000-memory.dmp

Filesize
10.8MB

Download