Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    73s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 14:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ee397be7161e5dbeff42fab80346d0d07257b2dffe1138f1f5f92fa2c09e258.dll

  • Size

    16KB

  • MD5

    a90cedc78c9fadd943586c7e0f702365

  • SHA1

    c4708a36513e3112f959ffcfe33534a949f3ef1d

  • SHA256

    6ee397be7161e5dbeff42fab80346d0d07257b2dffe1138f1f5f92fa2c09e258

  • SHA512

    674106b56265d13ff090c6c6e7633ba4e0cdd765072b90ef28c3603c703af47db09ad756bb0e21b88de79a09d94c1f6372636a6b82ea6ce6d05dc46cfbd24a11

  • SSDEEP

    192:1OIt31YVamI3X3PGR6ylM402ZJZ8d9iiiiiiiTSNNVJ8im6XS+XSyyd:1V91fm4nPG5KqjCdiwNVvSmSy

Score
10/10
purplefoxpersistencerootkittrojanupx

Malware Config

Signatures

  • Detect PurpleFox Rootkit 3 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Blocklisted process makes network request 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 11 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ee397be7161e5dbeff42fab80346d0d07257b2dffe1138f1f5f92fa2c09e258.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ee397be7161e5dbeff42fab80346d0d07257b2dffe1138f1f5f92fa2c09e258.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Adds Run key to start application
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe C:\Users\Public\Downloads\1.JPG
        3⤵
          PID:5008
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c taskkill /f /im hh.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4536
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im hh.exe
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3312
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:864
      • C:\Windows\system32\mspaint.exe
        "C:\Windows\system32\mspaint.exe" "C:\Users\Public\Downloads\1.JPG" /ForceBootstrapPaint3D
        2⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:3180
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
      1⤵
      • Drops file in System32 directory
      PID:3432
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4176

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\Downloads\1.JPG
      Filesize

      102KB

      MD5

      e0e247b326e27324551e1514e6815f7d

      SHA1

      6bc8e157ab59c032fc5b28f5c573d462dcef54c2

      SHA256

      0eee81df330948e743bba1bd68ef0b00febfd44cdd6d0ace41ca74cdafc5c39d

      SHA512

      579efdd583953e398eab9160a7d2584a4db88c00213f3d7ce4b4cb3019fd603dca466704a20305e4fa8320bac2f3b99429295dab2ef843a1b308f3be7f998c4a

      Download Submit
    • memory/1176-165-0x0000000010000000-0x0000000010040000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1176-164-0x0000000010000000-0x0000000010040000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1176-163-0x0000000010000000-0x0000000010040000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1176-160-0x0000000010000000-0x0000000010040000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1176-159-0x00000000026B0000-0x00000000026FF000-memory.dmp
      Filesize

      316KB

      Download
    • memory/3432-154-0x000001C912EF0000-0x000001C912EF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3432-155-0x000001C912F00000-0x000001C912F01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3432-156-0x000001C912F00000-0x000001C912F01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3432-157-0x000001C912F00000-0x000001C912F01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3432-153-0x000001C912E60000-0x000001C912E61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3432-151-0x000001C912E60000-0x000001C912E61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3432-149-0x000001C912DE0000-0x000001C912DE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3432-142-0x000001C90A190000-0x000001C90A1A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3432-138-0x000001C90A150000-0x000001C90A160000-memory.dmp
      Filesize

      64KB

      Download