purplefox | 9362bf6ffd3956f58e67f0c0e6d6ae4818384c29039400051cfb6b8ff1717c96

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2023 21:01

Target

9362bf6ffd3956f58e67f0c0e6d6ae4818384c29039400051cfb6b8ff1717c96.exe
Size

4.5MB
MD5

f8fa39cf33a4769e59de95c54089904f
SHA1

f89ab47216e43e7deb1e639324e360d18c671090
SHA256

9362bf6ffd3956f58e67f0c0e6d6ae4818384c29039400051cfb6b8ff1717c96
SHA512

46ab9bc7ff697fdf4c5ba9148df07ac7d290f82658acc37acc7e2cbfef6eefe03a155ea51959f984dbe1fc87f3bc6250d272f05d3fc31cbb54c982477e03fd9e
SSDEEP

98304:50aXoeSvJGvXMvURUC4lo2ywdwkKVHiJvQ/G0Jd7nxfFPK0NvRtB:ivJgXYUaCYoxwdw5VH8vQ/9Jd7nxfFPh

Score

10^/10

Detect PurpleFox Rootkit 3 IoCs

Detect PurpleFox Rootkit.

Processes:

resource	yara_rule
behavioral2/memory/2120-137-0x0000000000400000-0x00000000005B5000-memory.dmp	purplefox_rootkit
behavioral2/memory/2120-138-0x0000000010000000-0x00000000101B0000-memory.dmp	purplefox_rootkit
behavioral2/memory/2120-155-0x0000000000400000-0x00000000005B5000-memory.dmp	purplefox_rootkit

PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/2120-133-0x0000000000400000-0x00000000005B5000-memory.dmp	upx
behavioral2/memory/2120-134-0x0000000000400000-0x00000000005B5000-memory.dmp	upx
behavioral2/memory/2120-136-0x0000000000400000-0x00000000005B5000-memory.dmp	upx
behavioral2/memory/2120-137-0x0000000000400000-0x00000000005B5000-memory.dmp	upx
behavioral2/memory/2120-155-0x0000000000400000-0x00000000005B5000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

9362bf6ffd3956f58e67f0c0e6d6ae4818384c29039400051cfb6b8ff1717c96.exe

description	pid	process
Token: 33	2120	9362bf6ffd3956f58e67f0c0e6d6ae4818384c29039400051cfb6b8ff1717c96.exe
Token: SeIncBasePriorityPrivilege	2120	9362bf6ffd3956f58e67f0c0e6d6ae4818384c29039400051cfb6b8ff1717c96.exe
Token: 33	2120	9362bf6ffd3956f58e67f0c0e6d6ae4818384c29039400051cfb6b8ff1717c96.exe
Token: SeIncBasePriorityPrivilege	2120	9362bf6ffd3956f58e67f0c0e6d6ae4818384c29039400051cfb6b8ff1717c96.exe

C:\Users\Admin\AppData\Local\Temp\9362bf6ffd3956f58e67f0c0e6d6ae4818384c29039400051cfb6b8ff1717c96.exe
"C:\Users\Admin\AppData\Local\Temp\9362bf6ffd3956f58e67f0c0e6d6ae4818384c29039400051cfb6b8ff1717c96.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2120

memory/2120-133-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download
memory/2120-134-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download
memory/2120-136-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download
memory/2120-137-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download
memory/2120-138-0x0000000010000000-0x00000000101B0000-memory.dmp

Filesize
1.7MB

Download
memory/2120-155-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download