Analysis

  • max time kernel
    90s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20221111-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    16-11-2022 21:10

General

  • Target

    c34fba6710c48163d8f508eaead4704e189ac383f120e7da6d375cb4591ac40c.exe

  • Size

    570KB

  • MD5

    cc1d473e4ff86eadfdb6b200af148778

  • SHA1

    7b438765f45a1b006ff463d2d1cf87632c9cba61

  • SHA256

    c34fba6710c48163d8f508eaead4704e189ac383f120e7da6d375cb4591ac40c

  • SHA512

    8d4714f91a2288cdb053306f8192defb5701a1853e9aae5cea2457a58afad2ac13bea75d52c6a8a498bae13f4e3ef34492f0bcad2b183ccc3385c080a53261da

  • SSDEEP

    12288:PQAk2mN2J/6b/Q+S5RMA2nvhBQ3nsae953+uPk7D31qDA4:IAhmN2J/6kvGA2nvhBQ3nGF+ug0M

Malware Config

Extracted

  • Family
    purplefox
  • Botnet
    Sainbox
  • C2
    162.211.180.205

Signatures

  • Detect PurpleFox Dropper 5 IoCs

    Detect PurpleFox Dropper.

  • Detect PurpleFox Rootkit 5 IoCs

    Detect PurpleFox Rootkit.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c34fba6710c48163d8f508eaead4704e189ac383f120e7da6d375cb4591ac40c.exe
    "C:\Users\Admin\AppData\Local\Temp\c34fba6710c48163d8f508eaead4704e189ac383f120e7da6d375cb4591ac40c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4308
    • C:\ProgramData\56789.exe
      "C:\ProgramData\56789.exe" -a
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:744

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

  • T1012 Query Registry: 3
  • T1082 System Information Discovery: 4
  • T1120 Peripheral Device Discovery: 1

Downloads

  • C:\ProgramData\56789.exe
    Filesize

    483KB

    MD5

    be1c30ac4a3ab12f7f867462c2eaaaa0

    SHA1

    1754115d879260984380671c4f8bbf90dde1d60a

    SHA256

    57b994435fd9c01b273888be5f4b210f8d0ca4b4598e0e8afd7339cfdb8bc6ab

    SHA512

    f28a241a76d77d837af25fa2be0536c38f505c5e16043f7a51794e490ed5d6241ce80fabab0f8b52a32a63aebd92f5d99894f2e83e9ef0f6585b78fd1a6d05cb

  • C:\ProgramData\7777.dll
    Filesize

    416KB

    MD5

    6e0f3a3bfe8b767e17b591a61fe05c53

    SHA1

    2aa49dfbf4310ff2f036b9635d83eab2b9e2510a

    SHA256

    10d2fe6d8ed612ca56441fd43c417dc9f0dde89c9402376f4930816cc10f01b6

    SHA512

    d6c34c1dc61f17aa08e214a1d2c10e635a68739dd2ff91b86a067dffb318c58807f4dc5dc3347e77a76762097451302cd5f9737dfc36e67e513d8bd1c75edd31

  • C:\ProgramData\luohua.xml
    Filesize

    2.7MB

    MD5

    216a36eac1b2e2d00710fce36154c4b9

    SHA1

    cbf9b4cd59dc94eb375e907fa9cae0f3dfbd9f08

    SHA256

    f4d33e7bcc4e6b17c8ac1e6c8ccdff72d342e91f4923fbae4c1a070ce06b8169

    SHA512

    052b9dff0073c50722409a0cec11164f5d607fef6f3e4fbcf254a8972c6a0a3170cfb2c45d649ec5637ca651f1715fff1dcf2132001c9c0589d80b003db7ff74

  • memory/744-138-0x0000000180000000-0x0000000180883000-memory.dmp
    Filesize

    8.5MB

  • memory/744-132-0x0000000000000000-mapping.dmp
  • memory/744-141-0x0000000180000000-0x0000000180883000-memory.dmp
    Filesize

    8.5MB

  • memory/744-142-0x0000000180000000-0x0000000180883000-memory.dmp
    Filesize

    8.5MB

  • memory/744-143-0x0000000000950000-0x0000000000C00000-memory.dmp
    Filesize

    2.7MB

  • memory/744-144-0x0000000180000000-0x0000000180883000-memory.dmp
    Filesize

    8.5MB

  • memory/744-145-0x0000000180000000-0x0000000180883000-memory.dmp
    Filesize

    8.5MB

  • memory/744-146-0x0000000180000000-0x0000000180883000-memory.dmp
    Filesize

    8.5MB