Analysis
max time kernel: 42s
max time network: 148s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 11-09-2022 20:56
Static task: static1
Behavioral task: behavioral1
Sample: c716e31dfc90e490989ef03a8ef425c96f90d17f9c0c21001a5bafdfa558b3f8.exe
Resource: win7-20220812-en
General
Target: c716e31dfc90e490989ef03a8ef425c96f90d17f9c0c21001a5bafdfa558b3f8.exe
Size: 3.4MB
MD5: 3c3397dad0b0cd89d4345d04175e71d5
SHA1: 5e6cb3548f50afe87e15d614724b1d9fdf147162
SHA256: c716e31dfc90e490989ef03a8ef425c96f90d17f9c0c21001a5bafdfa558b3f8
SHA512: 5205eb5ce61ef613b3f3c12c2fc23ff2b22792b6fcd37fbda924e1a3bed508326cb275d864bbbe7266909927f57b279ff84a16930f502a9b1b2b7edfc18dc167
SSDEEP: 98304:cmyef25hrekAhGaGt3XgaHXN2N54OiZrq1DfPHNADtV6v+Ll:V9fcqxyXN2N54O7NADtV6v+J
Malware Config
(none)
Signatures
Yara rule match: purplefox_rootkit
Processes:
- resource: behavioral1/memory/1660-55-0x0000000010000000-0x000000001003F000-memory.dmp
- yara_rule: purplefox_rootkit
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
process: c716e31dfc90e490989ef03a8ef425c96f90d17f9c0c21001a5bafdfa558b3f8.exe
description / ioc (all by the process above):
- File opened (read-only) \??\G:
- File opened (read-only) \??\L:
- File opened (read-only) \??\O:
- File opened (read-only) \??\Q:
- File opened (read-only) \??\H:
- File opened (read-only) \??\I:
- File opened (read-only) \??\K:
- File opened (read-only) \??\R:
- File opened (read-only) \??\Y:
- File opened (read-only) \??\W:
- File opened (read-only) \??\X:
- File opened (read-only) \??\B:
- File opened (read-only) \??\E:
- File opened (read-only) \??\J:
- File opened (read-only) \??\M:
- File opened (read-only) \??\S:
- File opened (read-only) \??\U:
- File opened (read-only) \??\Z:
- File opened (read-only) \??\F:
- File opened (read-only) \??\N:
- File opened (read-only) \??\P:
- File opened (read-only) \??\T:
- File opened (read-only) \??\V:
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
process: c716e31dfc90e490989ef03a8ef425c96f90d17f9c0c21001a5bafdfa558b3f8.exe
description / ioc (both by the process above):
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Suspicious behavior: EnumeratesProcesses (33 IoCs)
Processes:
pid / process:
- 1660 c716e31dfc90e490989ef03a8ef425c96f90d17f9c0c21001a5bafdfa558b3f8.exe (33 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\c716e31dfc90e490989ef03a8ef425c96f90d17f9c0c21001a5bafdfa558b3f8.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\c716e31dfc90e490989ef03a8ef425c96f90d17f9c0c21001a5bafdfa558b3f8.exe"
   - Enumerates connected drives
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses