Analysis
max time kernel: 90s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-11-2022 21:10
Static task: static1
Behavioral task: behavioral1
Sample: c34fba6710c48163d8f508eaead4704e189ac383f120e7da6d375cb4591ac40c.exe
Resource: win7-20220812-en
Note: the signature and memory-dump rows further down carry the behavioral2 tag; the platform and resource lines above describe a windows10-2004_x64 run, while the behavioral1 task listed here names the win7-20220812-en image.
General
Target: c34fba6710c48163d8f508eaead4704e189ac383f120e7da6d375cb4591ac40c.exe
Size: 570KB
MD5: cc1d473e4ff86eadfdb6b200af148778
SHA1: 7b438765f45a1b006ff463d2d1cf87632c9cba61
SHA256: c34fba6710c48163d8f508eaead4704e189ac383f120e7da6d375cb4591ac40c
SHA512: 8d4714f91a2288cdb053306f8192defb5701a1853e9aae5cea2457a58afad2ac13bea75d52c6a8a498bae13f4e3ef34492f0bcad2b183ccc3385c080a53261da
SSDEEP: 12288:PQAk2mN2J/6b/Q+S5RMA2nvhBQ3nsae953+uPk7D31qDA4:IAhmN2J/6kvGA2nvhBQ3nGF+ug0M
Malware Config
Extracted
Family: purplefox
Sainbox
C2 address: 162.211.180.205
Signatures

YARA rule purplefox_dropper matched in memory 5 IoCs
resource  yara_rule
behavioral2/memory/744-141-0x0000000180000000-0x0000000180883000-memory.dmp  purplefox_dropper
behavioral2/memory/744-142-0x0000000180000000-0x0000000180883000-memory.dmp  purplefox_dropper
behavioral2/memory/744-144-0x0000000180000000-0x0000000180883000-memory.dmp  purplefox_dropper
behavioral2/memory/744-145-0x0000000180000000-0x0000000180883000-memory.dmp  purplefox_dropper
behavioral2/memory/744-146-0x0000000180000000-0x0000000180883000-memory.dmp  purplefox_dropper

YARA rule purplefox_rootkit matched in memory 5 IoCs
resource  yara_rule
behavioral2/memory/744-141-0x0000000180000000-0x0000000180883000-memory.dmp  purplefox_rootkit
behavioral2/memory/744-142-0x0000000180000000-0x0000000180883000-memory.dmp  purplefox_rootkit
behavioral2/memory/744-144-0x0000000180000000-0x0000000180883000-memory.dmp  purplefox_rootkit
behavioral2/memory/744-145-0x0000000180000000-0x0000000180883000-memory.dmp  purplefox_rootkit
behavioral2/memory/744-146-0x0000000180000000-0x0000000180883000-memory.dmp  purplefox_rootkit

Executes dropped EXE 1 IoCs
pid  process
744  56789.exe

YARA rule upx matched in memory 6 IoCs
resource  yara_rule
behavioral2/memory/744-138-0x0000000180000000-0x0000000180883000-memory.dmp  upx
behavioral2/memory/744-141-0x0000000180000000-0x0000000180883000-memory.dmp  upx
behavioral2/memory/744-142-0x0000000180000000-0x0000000180883000-memory.dmp  upx
behavioral2/memory/744-144-0x0000000180000000-0x0000000180883000-memory.dmp  upx
behavioral2/memory/744-145-0x0000000180000000-0x0000000180883000-memory.dmp  upx
behavioral2/memory/744-146-0x0000000180000000-0x0000000180883000-memory.dmp  upx
All six dumps cover the same 0x0000000180000000-0x0000000180883000 region of PID 744; the purplefox_dropper and purplefox_rootkit rules fire on the same region from dump 141 onwards.

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation  c34fba6710c48163d8f508eaead4704e189ac383f120e7da6d375cb4591ac40c.exe

Loads dropped DLL 1 IoCs
pid  process
744  56789.exe

Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  process
File opened (read-only) by 56789.exe: \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
That is every drive root from B: to Z: except C: and D: (A: is not touched either), 23 read-only opens in total, all from PID 744.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The "ransomware" wording is the sandbox's generic description for this signature. The only supporting evidence on this page is the drive-root enumeration listed above; nothing here shows file encryption, and the extracted configuration and YARA matches identify the family as PurpleFox (dropper and rootkit rules).

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  56789.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  56789.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  process
744  56789.exe  (64 occurrences, all from the same process)

Suspicious use of WriteProcessMemory 2 IoCs
description  pid  process  target process
PID 4308 wrote to memory of 744  4308  c34fba6710c48163d8f508eaead4704e189ac383f120e7da6d375cb4591ac40c.exe  56789.exe
PID 4308 wrote to memory of 744  4308  c34fba6710c48163d8f508eaead4704e189ac383f120e7da6d375cb4591ac40c.exe  56789.exe
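The signature rows above are each one predicate over a (description, ioc, process) event: a registry read of Geo\Nation, a read of CentralProcessor\0\~MHz, a run of read-only opens on drive roots other than C:, a cross-process memory write, and an executable running out of C:\ProgramData. The script below is an added example and not the sandbox's own detection code; it restates those predicates in Python and runs them over a hand-constructed subset of the rows on this page (the PIDs and paths are the ones reported, the row list is not a full trace). The drive-count threshold and the "drop directory" list are my assumptions. One caveat for anyone porting this to endpoint telemetry: Sysmon records registry value sets, creates and renames, not reads, so the two registry predicates need an API-level or ETW trace like the one the sandbox produced.

```python
"""Re-evaluate the behavioural signatures above over event rows.

Added example, not the sandbox's own detection code: each rule below is my
re-statement of the corresponding signature description in the report. The
event rows are constructed here in the shape of the report's
(description, ioc, process) columns.
"""
import json
import re
from collections import defaultdict

SAMPLE = "c34fba6710c48163d8f508eaead4704e189ac383f120e7da6d375cb4591ac40c.exe"

GEO_KEY = "\\Control Panel\\International\\Geo\\Nation"
CPU_KEY = "\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\"
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")   # matches a \??\E: style root open
DRIVE_THRESHOLD = 3                # assumption: this many distinct non-C: roots = enumeration
DROP_DIRS = ("c:\\programdata\\",)  # assumption: where a "dropped" executable lives on this page


def evaluate(events):
    """Return {process name: sorted signature names} for a list of event dicts.

    Event keys: pid, process, image, op, target; memory writes also carry target_pid.
    """
    hits = defaultdict(set)
    roots = defaultdict(set)          # process -> drive letters opened read-only
    for ev in events:
        proc, op, target = ev["process"], ev["op"], ev["target"]
        if ev["image"].lower().startswith(DROP_DIRS):
            hits[proc].add("runs_from_drop_dir")            # "Executes dropped EXE"
        if op == "Key value queried" and target.endswith(GEO_KEY):
            hits[proc].add("checks_computer_location")      # Geo\Nation geofence read
        if op in ("Key opened", "Key value queried") and CPU_KEY.lower() in target.lower():
            hits[proc].add("checks_processor_info")         # CentralProcessor\0 / ~MHz
        if op == "File opened (read-only)":
            m = DRIVE_ROOT.match(target)
            if m and m.group(1) != "C":
                roots[proc].add(m.group(1))
        if op == "wrote to memory of" and ev["target_pid"] != ev["pid"]:
            hits[proc].add("cross_process_memory_write")    # WriteProcessMemory into another PID
    for proc, letters in roots.items():
        if len(letters) >= DRIVE_THRESHOLD:
            hits[proc].add("enumerates_connected_drives")
    return {proc: sorted(sigs) for proc, sigs in hits.items()}


def _ev(pid, process, image, op, target, **extra):
    return {"pid": pid, "process": process, "image": image, "op": op, "target": target, **extra}


# Constructed rows, taken from the Signatures section of this report.
SAMPLE_IMAGE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
DROP_IMAGE = "C:\\ProgramData\\56789.exe"
GEO_IOC = "\\REGISTRY\\USER\\S-1-5-21-2971393436-602173351-1645505021-1000" + GEO_KEY
CPU_IOC = "\\REGISTRY\\MACHINE" + CPU_KEY + "0"

SAMPLE_EVENTS = [
    _ev(4308, SAMPLE, SAMPLE_IMAGE, "Key value queried", GEO_IOC),
    _ev(4308, SAMPLE, SAMPLE_IMAGE, "wrote to memory of", "56789.exe", target_pid=744),
    _ev(744, "56789.exe", DROP_IMAGE, "Key opened", CPU_IOC),
    _ev(744, "56789.exe", DROP_IMAGE, "Key value queried", CPU_IOC + "\\~MHz"),
] + [
    _ev(744, "56789.exe", DROP_IMAGE, "File opened (read-only)", "\\??\\%s:" % letter)
    for letter in "RSXEHQ"   # the first six of the 23 drive roots in the report
]

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_EVENTS), indent=2))
```

Running it attributes the geofence check and the cross-process write to the submitted sample (PID 4308) and the CPU-frequency read, drive enumeration and ProgramData execution to 56789.exe (PID 744), which is the split the process tree below shows. Lowering DRIVE_THRESHOLD to 1 turns a single read-only open of, say, E: into a hit, which is the kind of false positive a backup agent would produce; the sandbox's 23-root sweep is what makes this row meaningful.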
Processes

C:\Users\Admin\AppData\Local\Temp\c34fba6710c48163d8f508eaead4704e189ac383f120e7da6d375cb4591ac40c.exe  (PID 4308)
  command line: "C:\Users\Admin\AppData\Local\Temp\c34fba6710c48163d8f508eaead4704e189ac383f120e7da6d375cb4591ac40c.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  child: C:\ProgramData\56789.exe  (PID 744)
    command line: "C:\ProgramData\56789.exe" -a
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\56789.exe
Filesize: 483KB
MD5: be1c30ac4a3ab12f7f867462c2eaaaa0
SHA1: 1754115d879260984380671c4f8bbf90dde1d60a
SHA256: 57b994435fd9c01b273888be5f4b210f8d0ca4b4598e0e8afd7339cfdb8bc6ab
SHA512: f28a241a76d77d837af25fa2be0536c38f505c5e16043f7a51794e490ed5d6241ce80fabab0f8b52a32a63aebd92f5d99894f2e83e9ef0f6585b78fd1a6d05cb

C:\ProgramData\7777.dll
Filesize: 416KB
MD5: 6e0f3a3bfe8b767e17b591a61fe05c53
SHA1: 2aa49dfbf4310ff2f036b9635d83eab2b9e2510a
SHA256: 10d2fe6d8ed612ca56441fd43c417dc9f0dde89c9402376f4930816cc10f01b6
SHA512: d6c34c1dc61f17aa08e214a1d2c10e635a68739dd2ff91b86a067dffb318c58807f4dc5dc3347e77a76762097451302cd5f9737dfc36e67e513d8bd1c75edd31

C:\ProgramData\luohua.xml
Filesize: 2.7MB
MD5: 216a36eac1b2e2d00710fce36154c4b9
SHA1: cbf9b4cd59dc94eb375e907fa9cae0f3dfbd9f08
SHA256: f4d33e7bcc4e6b17c8ac1e6c8ccdff72d342e91f4923fbae4c1a070ce06b8169
SHA512: 052b9dff0073c50722409a0cec11164f5d607fef6f3e4fbcf254a8972c6a0a3170cfb2c45d649ec5637ca651f1715fff1dcf2132001c9c0589d80b003db7ff74

Memory dumps (PID 744, 56789.exe)
memory/744-138-0x0000000180000000-0x0000000180883000-memory.dmp  Filesize: 8.5MB
memory/744-132-0x0000000000000000-mapping.dmp
memory/744-141-0x0000000180000000-0x0000000180883000-memory.dmp  Filesize: 8.5MB
memory/744-142-0x0000000180000000-0x0000000180883000-memory.dmp  Filesize: 8.5MB
memory/744-143-0x0000000000950000-0x0000000000C00000-memory.dmp  Filesize: 2.7MB
memory/744-144-0x0000000180000000-0x0000000180883000-memory.dmp  Filesize: 8.5MB
memory/744-145-0x0000000180000000-0x0000000180883000-memory.dmp  Filesize: 8.5MB
memory/744-146-0x0000000180000000-0x0000000180883000-memory.dmp  Filesize: 8.5MB
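The dump names above encode the PID, a sequence number and the address range of each region, and the Signatures section lists which YARA rule fired on which dump. The script below is an added example, not part of the report: it parses those names, computes the region sizes (0x883000 bytes is the 8.5MB the page shows) and joins the rule hits onto each region. Two things it surfaces are worth a note. The 0x180000000 base of the repeatedly dumped region is the default image base for 64-bit DLLs, and the upx rule fires there alongside the two purplefox rules; that is consistent with a packed DLL being unpacked in 56789.exe's address space, but that is an inference from the addresses, not something the report states. The 0x950000-0xC00000 region is 2.7MB, the same figure as luohua.xml, which is worth checking against the file before assuming anything. The dump-name pattern and rule list are copied from this page; nothing else is assumed.

```python
"""Parse the memory-dump names in this report and join the YARA hits onto each region.

Added example (not the sandbox's code). Dump names follow the
<pid>-<seq>-<start>-<end>-memory.dmp pattern seen on this page; the
rule-to-dump mapping is copied from the Signatures section.
"""
import re

DUMP_RE = re.compile(
    r"^(?:[^/]+/)?memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
X64_DLL_DEFAULT_BASE = 0x180000000   # MSVC linker default ImageBase for 64-bit DLLs


def parse_dump_name(name):
    """Return {pid, seq, start, end, size} or None for names without an address range."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def region_key(name):
    info = parse_dump_name(name)
    return (info["pid"], info["start"], info["end"]) if info else None


def human_mb(n):
    """Size in MiB with one decimal, matching the report's own 8.5MB / 2.7MB style."""
    return f"{n / (1024 * 1024):.1f}MB"


def correlate(dump_names, rule_hits):
    """Group dumps by (pid, start, end); attach every rule that hit any dump of the group."""
    rule_keys = {rule: {region_key(n) for n in names} for rule, names in rule_hits.items()}
    regions = {}
    for name in dump_names:
        info = parse_dump_name(name)
        if info is None:
            continue   # e.g. the 0x0-mapping.dmp entry carries no address range
        regions.setdefault((info["pid"], info["start"], info["end"]), []).append(info["seq"])
    out = []
    for (pid, start, end), seqs in sorted(regions.items()):
        key = (pid, start, end)
        out.append({
            "pid": pid, "start": start, "end": end,
            "size_bytes": end - start, "size": human_mb(end - start),
            "seqs": sorted(seqs),
            "rules": sorted(r for r, keys in rule_keys.items() if key in keys),
            "looks_like_x64_dll_base": start == X64_DLL_DEFAULT_BASE,
        })
    return out


# The eight dump entries and the YARA rows from this report.
BIG = "0x0000000180000000-0x0000000180883000"
SMALL = "0x0000000000950000-0x0000000000C00000"


def _dump(seq, rng=BIG, prefix="behavioral2/"):
    return f"{prefix}memory/744-{seq}-{rng}-memory.dmp"


REPORT_DUMPS = [
    _dump(138, prefix=""),
    "memory/744-132-0x0000000000000000-mapping.dmp",
    _dump(141, prefix=""), _dump(142, prefix=""),
    _dump(143, SMALL, prefix=""),
    _dump(144, prefix=""), _dump(145, prefix=""), _dump(146, prefix=""),
]
REPORT_RULE_HITS = {
    "purplefox_dropper": [_dump(s) for s in (141, 142, 144, 145, 146)],
    "purplefox_rootkit": [_dump(s) for s in (141, 142, 144, 145, 146)],
    "upx": [_dump(s) for s in (138, 141, 142, 144, 145, 146)],
}

if __name__ == "__main__":
    for r in correlate(REPORT_DUMPS, REPORT_RULE_HITS):
        print(f"pid {r['pid']} {r['start']:#x}-{r['end']:#x} {r['size']:>6} "
              f"dumps {r['seqs']} rules {r['rules']} "
              f"{'(default x64 DLL base)' if r['looks_like_x64_dll_base'] else ''}")
```

The output collapses the eight entries into two regions: the 8.5MB one at the x64 DLL base, dumped six times with all three rules attached, and the 2.7MB one at 0x950000 with no rule hits. Dump 138 is the earliest snapshot of the big region and only the upx rule fires on it; the purplefox rules appear from dump 141, which is the point in the trace at which the unpacked code is present.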