General

Target: 361a99ef210f2f204f1ed6057e6e6c27a772aee6fcde7e41e914b816e5ea9174.exe
Size: 36KB
Sample: 250217-c5nr9sxles
MD5: 03f6e22347844b1c83b8b3a52ae0a798
SHA1: 317198a65c39c56ca0a5b32c6f9ba9712b68e326
SHA256: 361a99ef210f2f204f1ed6057e6e6c27a772aee6fcde7e41e914b816e5ea9174
SHA512: a85bd36cb38ff57d687f1ab41d0fcfe82f88cdd554d66813bf789e0ab7bd90c2f41c7fca8a486c5f187e1776e344977ac998f5c85d2c6200be2cd2fa999d7777
SSDEEP: 768:Z45PqAxhRAfy0vq/hykAvgXYPv9kj2Y3qjhSKM91g:e5PqAFADtvgo39s3qjh5gi
Static task: static1

Behavioral task: behavioral1
  Sample: 361a99ef210f2f204f1ed6057e6e6c27a772aee6fcde7e41e914b816e5ea9174.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 361a99ef210f2f204f1ed6057e6e6c27a772aee6fcde7e41e914b816e5ea9174.exe
  Resource: win10v2004-20250211-en
Malware Config

Extracted: https://github.com/NGROKC/CTC/raw/main/CTC64.dll
Targets

Target: 361a99ef210f2f204f1ed6057e6e6c27a772aee6fcde7e41e914b816e5ea9174.exe (36KB; hashes as listed under General)
Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
Modifies Windows Defender Real-time Protection settings
R77 family
r77 rootkit payload
  Detects the payload of the r77 rootkit.
Blocklisted process makes network request
Downloads MZ/PE file
Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
Modifies Windows Firewall
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
Drops startup file
Executes dropped EXE
Loads dropped DLL
Windows security modification
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
MITRE ATT&CK Enterprise v15 (number in parentheses = matching signatures)

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (3)
    Windows Service (3)
  Event Triggered Execution (2)
    AppInit DLLs (1)
    Netsh Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (3)
    Windows Service (3)
  Event Triggered Execution (2)
    AppInit DLLs (1)
    Netsh Helper DLL (1)

Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (4)