Overview

overview

10

Static

static

3

62adb2037a...c3.exe

windows7-x64

10

62adb2037a...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-12-2023 12:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    62adb2037a9e5a3fa1440a513fa42c986538e6c1759864774d4c5025cb303bc3.exe

  • Size

    4.6MB

  • MD5

    413d58c415fa4547a7126ea6321d23a9

  • SHA1

    3a9c911496f4c2fcca114aaf8278a5e963227392

  • SHA256

    62adb2037a9e5a3fa1440a513fa42c986538e6c1759864774d4c5025cb303bc3

  • SHA512

    06eca03ffb223eb2ccb68f7f43fd9365fbbf13ad73780348c841607e868b13d50c726f7f0d98dc7a9e5ff155a2cd785a466f646d5575f6ed1520ebb47965313f

  • SSDEEP

    98304:yXvUNEDFN6F6xoSgoxEspdJipIddobqWQl:yXXvxzxFU8d5W+

Score
10/10
purplefoxpersistencerootkittrojanupx

Malware Config

Signatures

  • Detect PurpleFox Rootkit 3 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\62adb2037a9e5a3fa1440a513fa42c986538e6c1759864774d4c5025cb303bc3.exe
    "C:\Users\Admin\AppData\Local\Temp\62adb2037a9e5a3fa1440a513fa42c986538e6c1759864774d4c5025cb303bc3.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Windows\Aqiyq.exe
      C:\Windows\Aqiyq.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Windows\Aqiyq.exe > nul
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1108
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:4080
  • C:\Windows\Aqiyq.exe
    C:\Windows\Aqiyq.exe -auto
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Windows\Aqiyq.exe
      C:\Windows\Aqiyq.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:4952

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Aqiyq.exe
    Filesize

    101KB

    MD5

    57f032621c3de1a460f209dc5f6a6f11

    SHA1

    4e67e3af4a19f4dc4963ac764a0e2037fcbf5f1c

    SHA256

    f15023df6e155ea0d4c25c54d9ed8f84de35dd263d5617328b0e8df2521a62ea

    SHA512

    6a2d2701114a85bd8e8f8851c5e17fce42cb3de6bcd64ffb016cc0cd41f4ebf10143f23dd5f7aaf4ac12456a796a0c7c8988e3391dcef287c87378793ffeb63c

    Download Submit

  • C:\Windows\Aqiyq.exe
    Filesize

    87KB

    MD5

    4e058ba13fdd13b881c7d097ecad6127

    SHA1

    ab62c775aa4c02e611e9f224c9c72613ebe59811

    SHA256

    785d6c2f8dacd375dbcc9e6d1220cf8c483749e636d088d5453ab2ee21e03176

    SHA512

    f8392b2f1636d1ce3c08837a58c1027ad61f079a9b7240d88d26dbe1a7b811cf77982b5170fd098782100ab0d84c9c274ff8a578980fc1ece9acef97c69f6902

    Download Submit

  • C:\Windows\Aqiyq.exe
    Filesize

    29KB

    MD5

    e18d3a3a3d40f4e5abe196450657904f

    SHA1

    01fbb1b2dc55eb2e59901dfb6ab6014efc09c300

    SHA256

    693dc9ed02d0b08efd39a77757ac5e9dfe781f893316ef06c470af1822b20bbe

    SHA512

    fb929e306ec9c7159153a7f8628dd03a886f61a33984dd62ac2952969a4e6d150050900b89f8bf310efef76166832c4ddba702236cc003b4f348f9852b6c6446

    Download Submit

  • C:\Windows\Aqiyq.exe
    Filesize

    505KB

    MD5

    981e8d229c6bedf67191f2450ac5baf0

    SHA1

    e3180f2e0f53dab7d914ef2f8bdeff2f614048eb

    SHA256

    bcc462a70a45b57a48a85ee6fe1767c7336112f47b556bcd50d708edd03dc48c

    SHA512

    ad56c83c105a18fc97891b2d1f4f09fdc0d0a71e4cfb00b45b6a7ae245c2efc979c3e94400b714e4a47f918e867f008df998167a4eb522010d863007b03f0f07

    Download Submit

  • memory/2508-62-0x0000000010000000-0x00000000101B0000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4024-37-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-35-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-13-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-16-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-18-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-21-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-23-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-27-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-30-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-32-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-25-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-2-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-39-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-11-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-41-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-44-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-49-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-46-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-52-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-51-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-8-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-6-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-0-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-3-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4024-1-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4952-78-0x0000000010000000-0x00000000101B0000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/5056-70-0x0000000010000000-0x00000000101B0000-memory.dmp

    Filesize

    1.7MB

    Download