Analysis
- max time kernel: 141s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 26-05-2023 03:50
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20230220-en
windows7-x64
6 signatures
150 seconds
General
- Target: tmp.exe
- Size: 3KB
- MD5: 2c852975cace6f2b5f718ae4e4b5045a
- SHA1: eb93148e9d8d99838a7931f7c2f35dd6079c139e
- SHA256: 1c2d6cf4a4c13c5a55812508c2649d6ae23138565e0e5d6fb56f6e7407b6bb71
- SHA512: 27cac97afd2c126f6162051377fa9cef22c90bd68453a71bdbb2bbc76613af0fec49dc7863f7e308984d69ce82fc9e07f8ac1ec4609478435f98618cafacdffe
Malware Config
Signatures
Processes:
resource  yara_rule
behavioral1/memory/1524-60-0x0000000010000000-0x0000000010040000-memory.dmp  purplefox_rootkit
behavioral1/memory/1524-59-0x0000000010000000-0x0000000010040000-memory.dmp  purplefox_rootkit
behavioral1/memory/1524-61-0x0000000010000000-0x0000000010040000-memory.dmp  purplefox_rootkit
Processes:
resource  yara_rule
behavioral1/memory/1524-54-0x0000000000400000-0x0000000000407000-memory.dmp  upx
behavioral1/memory/1524-56-0x0000000010000000-0x0000000010040000-memory.dmp  upx
behavioral1/memory/1524-60-0x0000000010000000-0x0000000010040000-memory.dmp  upx
behavioral1/memory/1524-59-0x0000000010000000-0x0000000010040000-memory.dmp  upx
behavioral1/memory/1524-61-0x0000000010000000-0x0000000010040000-memory.dmp  upx
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description  ioc  process
File opened (read-only)  \??\Y:  tmp.exe
File opened (read-only)  \??\Z:  tmp.exe
File opened (read-only)  \??\E:  tmp.exe
File opened (read-only)  \??\G:  tmp.exe
File opened (read-only)  \??\J:  tmp.exe
File opened (read-only)  \??\K:  tmp.exe
File opened (read-only)  \??\U:  tmp.exe
File opened (read-only)  \??\M:  tmp.exe
File opened (read-only)  \??\N:  tmp.exe
File opened (read-only)  \??\Q:  tmp.exe
File opened (read-only)  \??\F:  tmp.exe
File opened (read-only)  \??\I:  tmp.exe
File opened (read-only)  \??\L:  tmp.exe
File opened (read-only)  \??\P:  tmp.exe
File opened (read-only)  \??\W:  tmp.exe
File opened (read-only)  \??\T:  tmp.exe
File opened (read-only)  \??\V:  tmp.exe
File opened (read-only)  \??\X:  tmp.exe
File opened (read-only)  \??\B:  tmp.exe
File opened (read-only)  \??\H:  tmp.exe
File opened (read-only)  \??\O:  tmp.exe
File opened (read-only)  \??\R:  tmp.exe
File opened (read-only)  \??\S:  tmp.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  tmp.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  tmp.exe
Suspicious behavior: EnumeratesProcesses (33 IoCs)
Processes:
pid  process
1524  tmp.exe  (33 identical entries, all from pid 1524 tmp.exe)
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory dump  filesize
memory/1524-54-0x0000000000400000-0x0000000000407000-memory.dmp  28KB
memory/1524-55-0x0000000000220000-0x000000000026F000-memory.dmp  316KB
memory/1524-56-0x0000000010000000-0x0000000010040000-memory.dmp  256KB
memory/1524-60-0x0000000010000000-0x0000000010040000-memory.dmp  256KB
memory/1524-59-0x0000000010000000-0x0000000010040000-memory.dmp  256KB
memory/1524-61-0x0000000010000000-0x0000000010040000-memory.dmp  256KB