purplefox | 1c2d6cf4a4c13c5a55812508c2649d6ae23138565e0e5d6fb56f6e7407b6bb71

Analysis

max time kernel
141s
max time network
142s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26-05-2023 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

3KB
MD5

2c852975cace6f2b5f718ae4e4b5045a
SHA1

eb93148e9d8d99838a7931f7c2f35dd6079c139e
SHA256

1c2d6cf4a4c13c5a55812508c2649d6ae23138565e0e5d6fb56f6e7407b6bb71
SHA512

27cac97afd2c126f6162051377fa9cef22c90bd68453a71bdbb2bbc76613af0fec49dc7863f7e308984d69ce82fc9e07f8ac1ec4609478435f98618cafacdffe

Score

10^/10

purplefox rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 3 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/1524-60-0x0000000010000000-0x0000000010040000-memory.dmp	purplefox_rootkit
behavioral1/memory/1524-59-0x0000000010000000-0x0000000010040000-memory.dmp	purplefox_rootkit
behavioral1/memory/1524-61-0x0000000010000000-0x0000000010040000-memory.dmp	purplefox_rootkit

PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1524-54-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/1524-56-0x0000000010000000-0x0000000010040000-memory.dmp	upx
behavioral1/memory/1524-60-0x0000000010000000-0x0000000010040000-memory.dmp	upx
behavioral1/memory/1524-59-0x0000000010000000-0x0000000010040000-memory.dmp	upx
behavioral1/memory/1524-61-0x0000000010000000-0x0000000010040000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

tmp.exe

description	ioc	process
File opened (read-only)	\??\Y:	tmp.exe
File opened (read-only)	\??\Z:	tmp.exe
File opened (read-only)	\??\E:	tmp.exe
File opened (read-only)	\??\G:	tmp.exe
File opened (read-only)	\??\J:	tmp.exe
File opened (read-only)	\??\K:	tmp.exe
File opened (read-only)	\??\U:	tmp.exe
File opened (read-only)	\??\M:	tmp.exe
File opened (read-only)	\??\N:	tmp.exe
File opened (read-only)	\??\Q:	tmp.exe
File opened (read-only)	\??\F:	tmp.exe
File opened (read-only)	\??\I:	tmp.exe
File opened (read-only)	\??\L:	tmp.exe
File opened (read-only)	\??\P:	tmp.exe
File opened (read-only)	\??\W:	tmp.exe
File opened (read-only)	\??\T:	tmp.exe
File opened (read-only)	\??\V:	tmp.exe
File opened (read-only)	\??\X:	tmp.exe
File opened (read-only)	\??\B:	tmp.exe
File opened (read-only)	\??\H:	tmp.exe
File opened (read-only)	\??\O:	tmp.exe
File opened (read-only)	\??\R:	tmp.exe
File opened (read-only)	\??\S:	tmp.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	tmp.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

tmp.exe

pid	process
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1524-54-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1524-55-0x0000000000220000-0x000000000026F000-memory.dmp

Filesize
316KB

Download
memory/1524-56-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/1524-60-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/1524-59-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/1524-61-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download