Analysis
max time kernel: 151s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-09-2022 04:11

Static task: static1
Behavioral task: behavioral1
Sample: 4963fa87894dd865569851d96619d7ad68595c92857978b7cfca274ac0913850.exe
Resource: win7-20220812-en

General
Target: 4963fa87894dd865569851d96619d7ad68595c92857978b7cfca274ac0913850.exe
Size: 2.7MB
MD5: cbe535e83d1bdb0e2ee627e9963ec92e
SHA1: beb701d561634d8ab02354364512baac03f6d80b
SHA256: 4963fa87894dd865569851d96619d7ad68595c92857978b7cfca274ac0913850
SHA512: 85c77091d41766aab1f91b990d9c8a3b8ae708b61c6b42bc023147c419d2a4ee0d56d6ce86650bc71f451014063dfd82271bd562a5da87f1ddcf5ef7e94dbf4f
SSDEEP: 49152:wDN/LQQQsW2Oa+gJH1KmPhtGAiAnPD3D5Cj4HABszcpyoHJPTBotxYAPCQoCsc:moAVPABszcwoH6PCQ
Malware Config
Signatures
-
Processes (resource / yara_rule):
- behavioral2/memory/4796-142-0x0000000010000000-0x000000001003F000-memory.dmp / purplefox_rootkit
Downloads MZ/PE file
-
Executes dropped EXE (4 IoCs)
Processes (pid / process):
- 4336 / mian.exe
- 4796 / MVP700.exe
- 2204 / task.exe
- 944 / svchost.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
- Key value queried / \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation / 4963fa87894dd865569851d96619d7ad68595c92857978b7cfca274ac0913850.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description / ioc / process):
- File opened (read-only) by MVP700.exe, one IoC per drive letter, in the order reported: \??\L:, \??\R:, \??\X:, \??\Z:, \??\J:, \??\S:, \??\I:, \??\P:, \??\Q:, \??\T:, \??\U:, \??\W:, \??\F:, \??\H:, \??\G:, \??\K:, \??\M:, \??\N:, \??\O:, \??\V:, \??\B:, \??\E:, \??\Y:
Drops file in System32 directory (1 IoCs)
Processes (description / ioc / process):
- File opened for modification / C:\Windows\System32\Tasks\Microsoft\Windows\UPnP\svchost / task.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz / MVP700.exe
- Key opened / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 / MVP700.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid / process):
- 4336 / mian.exe (2 entries)
- 2204 / task.exe (1 entry)
- 4796 / MVP700.exe (repeated for all remaining entries)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege / 4336 / mian.exe
- Token: SeDebugPrivilege / 4336 / mian.exe
- Token: SeDebugPrivilege / 2204 / task.exe
- Token: SeRestorePrivilege / 2204 / task.exe
- Token: SeBackupPrivilege / 2204 / task.exe
- Token: SeTakeOwnershipPrivilege / 2204 / task.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description / pid / process / target process):
- PID 2220 wrote to memory of 4336 / 2220 / 4963fa87894dd865569851d96619d7ad68595c92857978b7cfca274ac0913850.exe / mian.exe (3 entries)
- PID 2220 wrote to memory of 4796 / 2220 / 4963fa87894dd865569851d96619d7ad68595c92857978b7cfca274ac0913850.exe / MVP700.exe (3 entries)
- PID 2220 wrote to memory of 2204 / 2220 / 4963fa87894dd865569851d96619d7ad68595c92857978b7cfca274ac0913850.exe / task.exe (2 entries)
Processes (process tree; depth 1 = root process, depth 2 = child)

Depth 1: C:\Users\Admin\AppData\Local\Temp\4963fa87894dd865569851d96619d7ad68595c92857978b7cfca274ac0913850.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4963fa87894dd865569851d96619d7ad68595c92857978b7cfca274ac0913850.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory

  Depth 2: C:\ProgramData\AD\mian.exe
  Command line: "C:\ProgramData\AD\mian.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  Depth 2: C:\ProgramData\AD\MVP700.exe
  Command line: "C:\ProgramData\AD\MVP700.exe"
  - Executes dropped EXE
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses

  Depth 2: C:\ProgramData\AD\task.exe
  Command line: "C:\ProgramData\AD\task.exe" C:\ProgramData\AD\MVP700.exe 1
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 1: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\svchost.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\svchost.exe
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\AD\MVP700.exe
Filesize: 3.6MB
MD5: a68bfcada02d074c7f1391b32d300829
SHA1: 9f1896aa439af4fbbc7e063279aa7a416327b66a
SHA256: 2d056606077bf521fc1901704a06832175b0f4e6fa99d08aebe9e2fed2904487
SHA512: 8619f44de7ca31d5b56f9c5f089ef7311cfe72da8286a6e175520aa049cec0d0651ea8eef86f493ce1f1ed1b5c1a8a8e075f63c9525ebf3db2e65844d0571d49
-
C:\ProgramData\AD\mian.exe
Filesize: 70KB
MD5: 0fae0b338a2a60bb212051281c9208b8
SHA1: 69db5c1c28a4b2bee6db11b80297cc533147bf11
SHA256: bdc619c37782d7a126930b628d147fe9769a8b4868cd545d0de9bd79c1b5fcc1
SHA512: 39e4a15dedcaa76c4c14a6d586e85f804f1ca8d7bdafcfbcda771de7166212a61316570cdd4d5c6df95c384ed71daf71f3a8f21d0c593b5aa413a8a2667ab732
-
C:\ProgramData\AD\task.exe
Filesize: 449KB
MD5: 72b5a25a3015b0e66ce95c038d708228
SHA1: 3b315c2834aeb8560948431f662f8e843698bca6
SHA256: d41836c519e9cff8e4c2f688f3b9982fb5cdcd05dde301bb76f224408df6ecfe
SHA512: 373ee7c15b2414b2119fdbd0886b9d976365b0f2bfea6327db466252f79fa838fe42cadc5c14203ef6378d881831ec2155a6bb05981424754b9281159e8c7a64
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\svchost.exe
Filesize: 3.6MB
MD5: a68bfcada02d074c7f1391b32d300829
SHA1: 9f1896aa439af4fbbc7e063279aa7a416327b66a
SHA256: 2d056606077bf521fc1901704a06832175b0f4e6fa99d08aebe9e2fed2904487
SHA512: 8619f44de7ca31d5b56f9c5f089ef7311cfe72da8286a6e175520aa049cec0d0651ea8eef86f493ce1f1ed1b5c1a8a8e075f63c9525ebf3db2e65844d0571d49
-
memory/2204-138-0x0000000000000000-mapping.dmp
-
memory/2204-141-0x00007FFF3AF30000-0x00007FFF3B966000-memory.dmp
Filesize: 10.2MB
-
memory/4336-132-0x0000000000000000-mapping.dmp
-
memory/4796-135-0x0000000000000000-mapping.dmp
-
memory/4796-142-0x0000000010000000-0x000000001003F000-memory.dmp
Filesize: 252KB