Analysis
- max time kernel: 140s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 02-09-2022 04:11
- Static task: static1
- Behavioral task: behavioral1
- Sample: 4963fa87894dd865569851d96619d7ad68595c92857978b7cfca274ac0913850.exe
- Resource: win7-20220812-en
General
- Target: 4963fa87894dd865569851d96619d7ad68595c92857978b7cfca274ac0913850.exe
- Size: 2.7MB
- MD5: cbe535e83d1bdb0e2ee627e9963ec92e
- SHA1: beb701d561634d8ab02354364512baac03f6d80b
- SHA256: 4963fa87894dd865569851d96619d7ad68595c92857978b7cfca274ac0913850
- SHA512: 85c77091d41766aab1f91b990d9c8a3b8ae708b61c6b42bc023147c419d2a4ee0d56d6ce86650bc71f451014063dfd82271bd562a5da87f1ddcf5ef7e94dbf4f
- SSDEEP: 49152:wDN/LQQQsW2Oa+gJH1KmPhtGAiAnPD3D5Cj4HABszcpyoHJPTBotxYAPCQoCsc:moAVPABszcwoH6PCQ
Malware Config
Signatures
-
YARA rule match 1 IoCs
Processes:
  resource: behavioral1/memory/1292-60-0x0000000010000000-0x000000001003F000-memory.dmp
  yara_rule: purplefox_rootkit
The matching dump is the 0x10000000-0x1003F000 region (252KB) of MVP700.exe (PID 1292); it is listed with the other memory dumps at the end of the report.
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes: mian.exe, MVP700.exe, task.exe, wininit.exe
  pid    process
  1376   mian.exe
  1292   MVP700.exe
  392    task.exe
  528    wininit.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: MVP700.exe
  description              ioc                                                    process
  File opened (read-only)  \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J:       MVP700.exe
                           \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q:
                           \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X:
                           \??\Y: \??\Z:
MVP700.exe probes every drive letter except A:, C: and D:, which is a sweep for additional volumes rather than access to any one known path.
-
Drops file in System32 directory 1 IoCs
Processes: task.exe
  description                   ioc                                                          process
  File opened for modification  C:\Windows\System32\Tasks\Microsoft\Windows\UPnP\wininit      task.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description rates this as likely ransomware behaviour; in this run it accompanies the drive-letter sweep by MVP700.exe above, and the report records no file-encryption activity.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: MVP700.exe
  description        ioc                                                                  process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        MVP700.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   MVP700.exe
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes: mian.exe, MVP700.exe, task.exe
  pid    process      entries
  1376   mian.exe     1
  1292   MVP700.exe   33 (all remaining entries of the 35)
  392    task.exe     1
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: mian.exe, task.exe
  description                      pid    process
  Token: SeDebugPrivilege          1376   mian.exe
  Token: SeDebugPrivilege          1376   mian.exe
  Token: SeDebugPrivilege          392    task.exe
  Token: SeRestorePrivilege        392    task.exe
  Token: SeBackupPrivilege         392    task.exe
  Token: SeTakeOwnershipPrivilege  392    task.exe
task.exe adjusts its token for SeRestore, SeBackup and SeTakeOwnership, the privileges that let it write the task definition under C:\Windows\System32\Tasks noted above regardless of the directory's ACL.
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes: 4963fa87894dd865569851d96619d7ad68595c92857978b7cfca274ac0913850.exe, taskeng.exe
  description       pid    process                                                               target pid   target process   entries
  wrote to memory   768    4963fa87894dd865569851d96619d7ad68595c92857978b7cfca274ac0913850.exe  1376         mian.exe         4
  wrote to memory   768    4963fa87894dd865569851d96619d7ad68595c92857978b7cfca274ac0913850.exe  1292         MVP700.exe       4
  wrote to memory   768    4963fa87894dd865569851d96619d7ad68595c92857978b7cfca274ac0913850.exe  392          task.exe         3
  wrote to memory   1760   taskeng.exe                                                           528          wininit.exe      4
Every write here targets a process the writer itself has just created (see the process tree below), which the sandbox flags generically; on its own this does not show injection into a foreign process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4963fa87894dd865569851d96619d7ad68595c92857978b7cfca274ac0913850.exe (PID 768)
  command line: "C:\Users\Admin\AppData\Local\Temp\4963fa87894dd865569851d96619d7ad68595c92857978b7cfca274ac0913850.exe"
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\AD\mian.exe (PID 1376)
    command line: "C:\ProgramData\AD\mian.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\ProgramData\AD\MVP700.exe (PID 1292)
    command line: "C:\ProgramData\AD\MVP700.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
  C:\ProgramData\AD\task.exe (PID 392)
    command line: "C:\ProgramData\AD\task.exe" C:\ProgramData\AD\MVP700.exe 1
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exe (PID 1760)
  command line: taskeng.exe {8E8D254C-A1D0-4901-A9F5-BD486E0657AD} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\wininit.exe (PID 528)
    command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\wininit.exe
    - Executes dropped EXE
-
How the two trees connect: task.exe is started with C:\ProgramData\AD\MVP700.exe as its argument and writes a task definition named wininit under C:\Windows\System32\Tasks\Microsoft\Windows\UPnP. The Windows 7 task scheduler engine (taskeng.exe) then starts wininit.exe from the user's Themes folder, and that file's hashes in Downloads are identical to MVP700.exe's. The second tree is therefore the scheduled-task persistence set up by the first, with the payload copied under a name that mimics the Windows wininit.exe but runs from a user-writable path instead of System32.
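Detection logic for the chain recorded above, as an added example that is not part of the sandbox output: a binary with a System32-only name (wininit.exe) started from a user-writable path by the task engine, a non-Windows process writing a task definition under System32\Tasks, one process probing many drive roots, and the file hashes listed in this report. It runs over constructed Sysmon-style event dicts that mirror the process tree and IoCs above; the field names (event, pid, image, parent_image, target, sha256), the rule names and the drive-sweep threshold of 5 are assumptions of this example, not a real log schema.

```python
"""Detection rules for the behaviour in this sandbox report.

Added example, not sandbox output. Runs over constructed Sysmon-style event
dicts mirroring the report's process tree. Field names, rule names and the
sweep threshold are assumptions of this example.
"""
import re
from collections import defaultdict

# SHA256 values copied from the General and Downloads sections of the report.
KNOWN_BAD_SHA256 = {
    "4963fa87894dd865569851d96619d7ad68595c92857978b7cfca274ac0913850": "submitted sample",
    "bdc619c37782d7a126930b628d147fe9769a8b4868cd545d0de9bd79c1b5fcc1": "mian.exe",
    "2d056606077bf521fc1901704a06832175b0f4e6fa99d08aebe9e2fed2904487": "MVP700.exe (also dropped as wininit.exe)",
    "d41836c519e9cff8e4c2f688f3b9982fb5cdcd05dde301bb76f224408df6ecfe": "task.exe",
}

# Names Windows ships only under System32; a copy anywhere else is masquerading.
SYSTEM_ONLY_NAMES = {"wininit.exe", "smss.exe", "csrss.exe", "services.exe", "lsass.exe"}
SYSTEM_DIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)
TASK_DIR = re.compile(r"^c:\\windows\\system32\\tasks\\", re.I)
USER_WRITABLE = re.compile(r"^c:\\(users|programdata)\\", re.I)
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")  # NT device path of a drive root, e.g. \??\E:
DRIVE_SWEEP_THRESHOLD = 5  # distinct roots one process must probe to be flagged (assumed)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Return (rule, pid, detail) tuples for every rule an event trips."""
    findings = []
    roots_by_proc = defaultdict(set)
    for ev in events:
        pid, image, target = ev["pid"], ev.get("image", ""), ev.get("target", "")
        if ev["event"] == "process_create":
            label = KNOWN_BAD_SHA256.get(ev.get("sha256", "").lower())
            if label:
                findings.append(("known_bad_hash", pid, label))
            if basename(image) in SYSTEM_ONLY_NAMES and not SYSTEM_DIR.match(image):
                findings.append(("masqueraded_system_binary", pid, image))
            # Windows 7 task engine starting a binary from a user-writable path.
            if basename(ev.get("parent_image", "")) == "taskeng.exe" and USER_WRITABLE.match(image):
                findings.append(("scheduled_task_from_user_path", pid, image))
        elif ev["event"] == "file_write":
            # Only Windows components should write scheduled-task definitions.
            if TASK_DIR.match(target) and not SYSTEM_DIR.match(image):
                findings.append(("task_definition_written", pid, target))
        elif ev["event"] == "file_open":
            m = DRIVE_ROOT.match(target)
            if m:
                roots_by_proc[(pid, image)].add(m.group(1))
    for (pid, image), letters in roots_by_proc.items():
        if len(letters) >= DRIVE_SWEEP_THRESHOLD:
            findings.append(("drive_letter_sweep", pid, f"{image} probed {len(letters)} drive roots"))
    return findings


def _proc(pid, image, parent_image, sha256=""):
    return {"event": "process_create", "pid": pid, "image": image,
            "parent_image": parent_image, "sha256": sha256}


# Constructed events following the report's process tree (PIDs, paths and hashes as listed there).
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4963fa87894dd865569851d96619d7ad68595c92857978b7cfca274ac0913850.exe"
SAMPLE_EVENTS = [
    _proc(768, SAMPLE, "", "4963fa87894dd865569851d96619d7ad68595c92857978b7cfca274ac0913850"),
    _proc(1376, "C:\\ProgramData\\AD\\mian.exe", SAMPLE,
          "bdc619c37782d7a126930b628d147fe9769a8b4868cd545d0de9bd79c1b5fcc1"),
    _proc(1292, "C:\\ProgramData\\AD\\MVP700.exe", SAMPLE,
          "2d056606077bf521fc1901704a06832175b0f4e6fa99d08aebe9e2fed2904487"),
    _proc(392, "C:\\ProgramData\\AD\\task.exe", SAMPLE,
          "d41836c519e9cff8e4c2f688f3b9982fb5cdcd05dde301bb76f224408df6ecfe"),
    {"event": "file_write", "pid": 392, "image": "C:\\ProgramData\\AD\\task.exe",
     "target": "C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\UPnP\\wininit"},
    # The 23 drive roots MVP700.exe opened read-only (every letter except A, C and D).
    *[{"event": "file_open", "pid": 1292, "image": "C:\\ProgramData\\AD\\MVP700.exe",
       "target": f"\\??\\{letter}:"} for letter in "BEFGHIJKLMNOPQRSTUVWXYZ"],
    _proc(528, "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\wininit.exe",
          "C:\\Windows\\system32\\taskeng.exe",
          "2d056606077bf521fc1901704a06832175b0f4e6fa99d08aebe9e2fed2904487"),
]

if __name__ == "__main__":
    for rule, pid, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Run as a script to list the findings for the constructed events, or pass real process-create, file-write and file-open events in the same dict shape. The taskeng.exe parent check is Windows 7 specific (from Windows 8 on, scheduled tasks run under svchost.exe hosting the Schedule service), and the parent-to-child WriteProcessMemory entries from the report are deliberately not a rule, since they only show each parent writing into a process it created.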
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\AD\MVP700.exe
Filesize 3.6MB
MD5 a68bfcada02d074c7f1391b32d300829
SHA1 9f1896aa439af4fbbc7e063279aa7a416327b66a
SHA256 2d056606077bf521fc1901704a06832175b0f4e6fa99d08aebe9e2fed2904487
SHA512 8619f44de7ca31d5b56f9c5f089ef7311cfe72da8286a6e175520aa049cec0d0651ea8eef86f493ce1f1ed1b5c1a8a8e075f63c9525ebf3db2e65844d0571d49
-
C:\ProgramData\AD\mian.exe
Filesize 70KB
MD5 0fae0b338a2a60bb212051281c9208b8
SHA1 69db5c1c28a4b2bee6db11b80297cc533147bf11
SHA256 bdc619c37782d7a126930b628d147fe9769a8b4868cd545d0de9bd79c1b5fcc1
SHA512 39e4a15dedcaa76c4c14a6d586e85f804f1ca8d7bdafcfbcda771de7166212a61316570cdd4d5c6df95c384ed71daf71f3a8f21d0c593b5aa413a8a2667ab732
-
C:\ProgramData\AD\task.exe
Filesize 449KB
MD5 72b5a25a3015b0e66ce95c038d708228
SHA1 3b315c2834aeb8560948431f662f8e843698bca6
SHA256 d41836c519e9cff8e4c2f688f3b9982fb5cdcd05dde301bb76f224408df6ecfe
SHA512 373ee7c15b2414b2119fdbd0886b9d976365b0f2bfea6327db466252f79fa838fe42cadc5c14203ef6378d881831ec2155a6bb05981424754b9281159e8c7a64
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\wininit.exe
Filesize 3.6MB
MD5 a68bfcada02d074c7f1391b32d300829
SHA1 9f1896aa439af4fbbc7e063279aa7a416327b66a
SHA256 2d056606077bf521fc1901704a06832175b0f4e6fa99d08aebe9e2fed2904487
SHA512 8619f44de7ca31d5b56f9c5f089ef7311cfe72da8286a6e175520aa049cec0d0651ea8eef86f493ce1f1ed1b5c1a8a8e075f63c9525ebf3db2e65844d0571d49
Identical in size and every hash to C:\ProgramData\AD\MVP700.exe above: this is the same file, copied to the user's Themes folder under the name of a Windows system binary and started by the scheduled task.
-
memory/392-64-0x0000000000000000-mapping.dmp
memory/392-67-0x000007FEF4A30000-0x000007FEF5453000-memory.dmp (10.1MB)
memory/528-70-0x0000000000000000-mapping.dmp
memory/768-54-0x000007FEFC521000-0x000007FEFC523000-memory.dmp (8KB)
memory/1292-57-0x0000000000000000-mapping.dmp
memory/1292-60-0x0000000010000000-0x000000001003F000-memory.dmp (252KB) - the dump matched by the purplefox_rootkit YARA rule under Signatures
memory/1292-59-0x0000000076871000-0x0000000076873000-memory.dmp (8KB)
memory/1376-55-0x0000000000000000-mapping.dmp