c1dec40348f597fdcbd4fcdcd6ddc12225f55d05e5194070622bc0e0cabec143

General

Target

PurpleKnight.exe
Size

100.4MB
MD5

8c1579ee5fa7549a53180c3fe0cf2b91
SHA1

bb010d17cdd7b6ca6c99fd0b17ab11af94360595
SHA256

8b9e8326f25cfd8d1b9de0837232813216fc772523d102d43f1a1ed1ee1406fe
SHA512

38e3a46a94ae3449b1c07426e5a64bb6e48c18b509e52031945e5e20ae3b5f740b115c464114431357bf724d4fbb22512367499bf1867c3e4941c39a4c97a7a5
SSDEEP

3145728:sdPoQQ6ZLU91RWdeBzdnx2eU+vREzg2XhGjh:sdPox11D9Uz8P

Score

10^/10

coreentity

Malware Config

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral2/memory/1184-132-0x00000279AF180000-0x00000279B0180000-memory.dmp	coreentity

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

PurpleKnight.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	PurpleKnight.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	PurpleKnight.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	PurpleKnight.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

PurpleKnight.exe

pid	process
1184	PurpleKnight.exe
1184	PurpleKnight.exe
1184	PurpleKnight.exe
1184	PurpleKnight.exe
1184	PurpleKnight.exe
1184	PurpleKnight.exe
1184	PurpleKnight.exe
1184	PurpleKnight.exe
1184	PurpleKnight.exe
1184	PurpleKnight.exe
1184	PurpleKnight.exe
1184	PurpleKnight.exe
1184	PurpleKnight.exe
1184	PurpleKnight.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

PurpleKnight.exe

description	pid	process
Token: SeDebugPrivilege	1184	PurpleKnight.exe
Token: SeIncreaseQuotaPrivilege	1184	PurpleKnight.exe
Token: SeSecurityPrivilege	1184	PurpleKnight.exe
Token: SeTakeOwnershipPrivilege	1184	PurpleKnight.exe
Token: SeLoadDriverPrivilege	1184	PurpleKnight.exe
Token: SeSystemProfilePrivilege	1184	PurpleKnight.exe
Token: SeSystemtimePrivilege	1184	PurpleKnight.exe
Token: SeProfSingleProcessPrivilege	1184	PurpleKnight.exe
Token: SeIncBasePriorityPrivilege	1184	PurpleKnight.exe
Token: SeCreatePagefilePrivilege	1184	PurpleKnight.exe
Token: SeBackupPrivilege	1184	PurpleKnight.exe
Token: SeRestorePrivilege	1184	PurpleKnight.exe
Token: SeShutdownPrivilege	1184	PurpleKnight.exe
Token: SeDebugPrivilege	1184	PurpleKnight.exe
Token: SeSystemEnvironmentPrivilege	1184	PurpleKnight.exe
Token: SeRemoteShutdownPrivilege	1184	PurpleKnight.exe
Token: SeUndockPrivilege	1184	PurpleKnight.exe
Token: SeManageVolumePrivilege	1184	PurpleKnight.exe
Token: 33	1184	PurpleKnight.exe
Token: 34	1184	PurpleKnight.exe
Token: 35	1184	PurpleKnight.exe
Token: 36	1184	PurpleKnight.exe
Token: SeIncreaseQuotaPrivilege	1184	PurpleKnight.exe
Token: SeSecurityPrivilege	1184	PurpleKnight.exe
Token: SeTakeOwnershipPrivilege	1184	PurpleKnight.exe
Token: SeLoadDriverPrivilege	1184	PurpleKnight.exe
Token: SeSystemProfilePrivilege	1184	PurpleKnight.exe
Token: SeSystemtimePrivilege	1184	PurpleKnight.exe
Token: SeProfSingleProcessPrivilege	1184	PurpleKnight.exe
Token: SeIncBasePriorityPrivilege	1184	PurpleKnight.exe
Token: SeCreatePagefilePrivilege	1184	PurpleKnight.exe
Token: SeBackupPrivilege	1184	PurpleKnight.exe
Token: SeRestorePrivilege	1184	PurpleKnight.exe
Token: SeShutdownPrivilege	1184	PurpleKnight.exe
Token: SeDebugPrivilege	1184	PurpleKnight.exe
Token: SeSystemEnvironmentPrivilege	1184	PurpleKnight.exe
Token: SeRemoteShutdownPrivilege	1184	PurpleKnight.exe
Token: SeUndockPrivilege	1184	PurpleKnight.exe
Token: SeManageVolumePrivilege	1184	PurpleKnight.exe
Token: 33	1184	PurpleKnight.exe
Token: 34	1184	PurpleKnight.exe
Token: 35	1184	PurpleKnight.exe
Token: 36	1184	PurpleKnight.exe
Token: SeIncreaseQuotaPrivilege	1184	PurpleKnight.exe
Token: SeSecurityPrivilege	1184	PurpleKnight.exe
Token: SeTakeOwnershipPrivilege	1184	PurpleKnight.exe
Token: SeLoadDriverPrivilege	1184	PurpleKnight.exe
Token: SeSystemProfilePrivilege	1184	PurpleKnight.exe
Token: SeSystemtimePrivilege	1184	PurpleKnight.exe
Token: SeProfSingleProcessPrivilege	1184	PurpleKnight.exe
Token: SeIncBasePriorityPrivilege	1184	PurpleKnight.exe
Token: SeCreatePagefilePrivilege	1184	PurpleKnight.exe
Token: SeBackupPrivilege	1184	PurpleKnight.exe
Token: SeRestorePrivilege	1184	PurpleKnight.exe
Token: SeShutdownPrivilege	1184	PurpleKnight.exe
Token: SeDebugPrivilege	1184	PurpleKnight.exe
Token: SeSystemEnvironmentPrivilege	1184	PurpleKnight.exe
Token: SeRemoteShutdownPrivilege	1184	PurpleKnight.exe
Token: SeUndockPrivilege	1184	PurpleKnight.exe
Token: SeManageVolumePrivilege	1184	PurpleKnight.exe
Token: 33	1184	PurpleKnight.exe
Token: 34	1184	PurpleKnight.exe
Token: 35	1184	PurpleKnight.exe
Token: 36	1184	PurpleKnight.exe

C:\Users\Admin\AppData\Local\Temp\PurpleKnight.exe
"C:\Users\Admin\AppData\Local\Temp\PurpleKnight.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1184-132-0x00000279AF180000-0x00000279B0180000-memory.dmp

Filesize
16.0MB

Download
memory/1184-133-0x00007FFECEF20000-0x00007FFECF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/1184-134-0x00000279D20B0000-0x00000279D20E8000-memory.dmp

Filesize
224KB

Download
memory/1184-135-0x00000279CFC30000-0x00000279CFC3E000-memory.dmp

Filesize
56KB

Download
memory/1184-136-0x00000279D5C30000-0x00000279D5C38000-memory.dmp

Filesize
32KB

Download
memory/1184-137-0x00000279D5D40000-0x00000279D5D48000-memory.dmp

Filesize
32KB

Download
memory/1184-138-0x00000279CFC89000-0x00000279CFC8F000-memory.dmp

Filesize
24KB

Download
memory/1184-139-0x00000279D5C40000-0x00000279D5C44000-memory.dmp

Filesize
16KB

Download
memory/1184-140-0x00000279D5C44000-0x00000279D5C47000-memory.dmp

Filesize
12KB

Download
memory/1184-141-0x00007FFECEF20000-0x00007FFECF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/1184-143-0x00000279D5C44000-0x00000279D5C47000-memory.dmp

Filesize
12KB

Download
memory/1184-142-0x00000279D5C40000-0x00000279D5C44000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads