r77 | 108a8be5260047a10d49105e7f5c22f949bae4e866278b169b66358ea43145ff | Triage

Submit
Reports

Overview

overview

Static

static

3

setup-w8.1-1.4.6.exe

windows10-2004-x64

Sharing

General

Target

setup-w8.1-1.4.6.exe
Size

2.1MB
Sample

241015-brx84swglb
MD5

938548152c35c028b942b33088d0f3b9
SHA1

6ead124c740dfddc2ab09f1739df760c6d1ee7d3
SHA256

108a8be5260047a10d49105e7f5c22f949bae4e866278b169b66358ea43145ff
SHA512

004bd6ca1e1dbbbe258fe42dcb628607e4a178f09bc40637a9660568953be883f7ecd48e8b07fe54a90757732bf05e106d1a5b89e486c2b36314e1c4f851b86e
SSDEEP

49152:8UYpE9Sa8jnyceXiIEeSavDw9M68bkF2xlEVRv/OiMpe/K7U:ZYpE7KWS49uKY+EVRv/OdpeAU

Score

10^/10

r77 discovery persistence privilege_escalation rootkit

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

setup-w8.1-1.4.6.exe

Resource

win10v2004-20241007-en

r77 discovery persistence privilege_escalation rootkit

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Targets

- Target
  
  setup-w8.1-1.4.6.exe
- Size
  
  2.1MB
- MD5
  
  938548152c35c028b942b33088d0f3b9
- SHA1
  
  6ead124c740dfddc2ab09f1739df760c6d1ee7d3
- SHA256
  
  108a8be5260047a10d49105e7f5c22f949bae4e866278b169b66358ea43145ff
- SHA512
  
  004bd6ca1e1dbbbe258fe42dcb628607e4a178f09bc40637a9660568953be883f7ecd48e8b07fe54a90757732bf05e106d1a5b89e486c2b36314e1c4f851b86e
- SSDEEP
  
  49152:8UYpE9Sa8jnyceXiIEeSavDw9M68bkF2xlEVRv/OiMpe/K7U:ZYpE7KWS49uKY+EVRv/OdpeAU
Score

10^/10

r77 discovery persistence privilege_escalation rootkit
- r77
  r77 is an open-source, userland rootkit.
  rootkit r77
- r77 rootkit payload
  Detects the payload of the r77 rootkit.
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Event Triggered Execution

AppInit DLLs

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Event Triggered Execution

AppInit DLLs

Scheduled Task/Job

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

r77discoverypersistenceprivilege_escalationrootkit

© 2018-2024

Terms | Privacy