Key Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
Behavioral task
behavioral1
Sample
PurpleKnight.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
PurpleKnight.exe
Resource
win10v2004-20220812-en
Target
PurpleKnight.exe.zip
Size
95.4MB
MD5
ae6085f9f1b9add89e333e475e033134
SHA1
9c03ba5aafd559d8b4041fd3e977aa2238bec8ee
SHA256
c1dec40348f597fdcbd4fcdcd6ddc12225f55d05e5194070622bc0e0cabec143
SHA512
9896ad3eff44db58e0cc3a5cc1e0a1a1bc44617b6463574daefdd1fa3e359781ed17b0251f61f32774b717a2e80a11fdf83ee861c926a5c822933834aa59d80f
SSDEEP
1572864:CiFZToRPe1RbDkB0vbd9oRa/1qbw51GqZQ1GC9PFNXz+LiVnH72rd7YR/rGpuZ1A:CGqR+HkB0rvf6GoPF9zRJH72E/rSU1MR
CoreEntity is a .NET packer that embeds the payload as a Bitmap object, which is later decrypted.
| resource | yara_rule |
|---|---|
| static1/unpack001/PurpleKnight.exe | coreentity |
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
ExtKeyUsageCodeSigning
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
ExtKeyUsageTimeStamping
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
ExtKeyUsageTimeStamping
KeyUsageDigitalSignature
ExtKeyUsageCodeSigning
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
ExtKeyUsageCodeSigning
KeyUsageDigitalSignature
CN=SEMPERIS INC.,O=SEMPERIS INC.,L=New York,ST=New York,C=US,1.2.840.113549.1.9.1=#0c15636f64657369676e4073656d70657269732e636f6d
CN=GlobalSign GCC R45 CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE
CN=GlobalSign Code Signing Root R45,O=GlobalSign nv-sa,C=BE
CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ