Overview

overview

10

Static

static

c34fba6710...0c.exe

windows7-x64

10

c34fba6710...0c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    43s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    16-11-2022 21:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c34fba6710c48163d8f508eaead4704e189ac383f120e7da6d375cb4591ac40c.exe

  • Size

    570KB

  • MD5

    cc1d473e4ff86eadfdb6b200af148778

  • SHA1

    7b438765f45a1b006ff463d2d1cf87632c9cba61

  • SHA256

    c34fba6710c48163d8f508eaead4704e189ac383f120e7da6d375cb4591ac40c

  • SHA512

    8d4714f91a2288cdb053306f8192defb5701a1853e9aae5cea2457a58afad2ac13bea75d52c6a8a498bae13f4e3ef34492f0bcad2b183ccc3385c080a53261da

  • SSDEEP

    12288:PQAk2mN2J/6b/Q+S5RMA2nvhBQ3nsae953+uPk7D31qDA4:IAhmN2J/6kvGA2nvhBQ3nGF+ug0M

Score
10/10
purplefoxsainbox loaderdropperloaderrootkittrojanupx

Malware Config

Extracted

Family

purplefox

Botnet

Sainbox

C2

162.211.180.205

Signatures

  • Detect PurpleFox Dropper 5 IoCs

    Detect PurpleFox Dropper.

    dropper loader
  • Detect PurpleFox Rootkit 5 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c34fba6710c48163d8f508eaead4704e189ac383f120e7da6d375cb4591ac40c.exe
    "C:\Users\Admin\AppData\Local\Temp\c34fba6710c48163d8f508eaead4704e189ac383f120e7da6d375cb4591ac40c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\ProgramData\56789.exe
      "C:\ProgramData\56789.exe" -a
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:556
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\1.jpg
    Filesize

    95KB

    MD5

    3fd62a684e641a41de73c5fd6194e849

    SHA1

    01a6688f15df9a118c1ae3388a7ee43eff7863d4

    SHA256

    fc8e35efc47f5586847badfead6a233924e54a6ccc9e5eeec143a117c09272a2

    SHA512

    d2646587151c75f5d44c983400c5efdb2fe41ab0db6dfb0378b5d829d4356098f13a01220a1132cbd202f958ced522d0794f21c1d2712a78f2b7612db27cd800

    Download Submit
  • C:\ProgramData\56789.exe
    Filesize

    483KB

    MD5

    be1c30ac4a3ab12f7f867462c2eaaaa0

    SHA1

    1754115d879260984380671c4f8bbf90dde1d60a

    SHA256

    57b994435fd9c01b273888be5f4b210f8d0ca4b4598e0e8afd7339cfdb8bc6ab

    SHA512

    f28a241a76d77d837af25fa2be0536c38f505c5e16043f7a51794e490ed5d6241ce80fabab0f8b52a32a63aebd92f5d99894f2e83e9ef0f6585b78fd1a6d05cb

    Download Submit
  • C:\ProgramData\7777.dll
    Filesize

    416KB

    MD5

    6e0f3a3bfe8b767e17b591a61fe05c53

    SHA1

    2aa49dfbf4310ff2f036b9635d83eab2b9e2510a

    SHA256

    10d2fe6d8ed612ca56441fd43c417dc9f0dde89c9402376f4930816cc10f01b6

    SHA512

    d6c34c1dc61f17aa08e214a1d2c10e635a68739dd2ff91b86a067dffb318c58807f4dc5dc3347e77a76762097451302cd5f9737dfc36e67e513d8bd1c75edd31

    Download Submit
  • C:\ProgramData\luohua.xml
    Filesize

    2.7MB

    MD5

    216a36eac1b2e2d00710fce36154c4b9

    SHA1

    cbf9b4cd59dc94eb375e907fa9cae0f3dfbd9f08

    SHA256

    f4d33e7bcc4e6b17c8ac1e6c8ccdff72d342e91f4923fbae4c1a070ce06b8169

    SHA512

    052b9dff0073c50722409a0cec11164f5d607fef6f3e4fbcf254a8972c6a0a3170cfb2c45d649ec5637ca651f1715fff1dcf2132001c9c0589d80b003db7ff74

    Download Submit
  • \ProgramData\56789.exe
    Filesize

    483KB

    MD5

    be1c30ac4a3ab12f7f867462c2eaaaa0

    SHA1

    1754115d879260984380671c4f8bbf90dde1d60a

    SHA256

    57b994435fd9c01b273888be5f4b210f8d0ca4b4598e0e8afd7339cfdb8bc6ab

    SHA512

    f28a241a76d77d837af25fa2be0536c38f505c5e16043f7a51794e490ed5d6241ce80fabab0f8b52a32a63aebd92f5d99894f2e83e9ef0f6585b78fd1a6d05cb

    Download Submit
  • \ProgramData\56789.exe
    Filesize

    483KB

    MD5

    be1c30ac4a3ab12f7f867462c2eaaaa0

    SHA1

    1754115d879260984380671c4f8bbf90dde1d60a

    SHA256

    57b994435fd9c01b273888be5f4b210f8d0ca4b4598e0e8afd7339cfdb8bc6ab

    SHA512

    f28a241a76d77d837af25fa2be0536c38f505c5e16043f7a51794e490ed5d6241ce80fabab0f8b52a32a63aebd92f5d99894f2e83e9ef0f6585b78fd1a6d05cb

    Download Submit
  • \ProgramData\7777.dll
    Filesize

    416KB

    MD5

    6e0f3a3bfe8b767e17b591a61fe05c53

    SHA1

    2aa49dfbf4310ff2f036b9635d83eab2b9e2510a

    SHA256

    10d2fe6d8ed612ca56441fd43c417dc9f0dde89c9402376f4930816cc10f01b6

    SHA512

    d6c34c1dc61f17aa08e214a1d2c10e635a68739dd2ff91b86a067dffb318c58807f4dc5dc3347e77a76762097451302cd5f9737dfc36e67e513d8bd1c75edd31

    Download Submit
  • memory/556-62-0x0000000180000000-0x0000000180883000-memory.dmp
    Filesize

    8.5MB

    Download
  • memory/556-65-0x0000000180000000-0x0000000180883000-memory.dmp
    Filesize

    8.5MB

    Download
  • memory/556-66-0x0000000180000000-0x0000000180883000-memory.dmp
    Filesize

    8.5MB

    Download
  • memory/556-67-0x0000000001D50000-0x0000000002000000-memory.dmp
    Filesize

    2.7MB

    Download
  • memory/556-68-0x0000000180000000-0x0000000180883000-memory.dmp
    Filesize

    8.5MB

    Download
  • memory/556-69-0x0000000180000000-0x0000000180883000-memory.dmp
    Filesize

    8.5MB

    Download
  • memory/556-57-0x0000000000000000-mapping.dmp
    Download
  • memory/556-72-0x0000000180000000-0x0000000180883000-memory.dmp
    Filesize

    8.5MB

    Download
  • memory/1664-54-0x0000000075981000-0x0000000075983000-memory.dmp
    Filesize

    8KB

    Download