Analysis

max time kernel: 121s
max time network: 134s
platform: windows7_x64
resource: win7-en-20211208
submitted: 04-01-2022 05:41

Static task: static1
Behavioral task: behavioral1
Sample: 2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe
Resource: win7-en-20211208

General

Target: 2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe
Size: 69KB
MD5: ba2b85a44c23769cc557586d9269996d
SHA1: 7ec436400772e3a1ee77ac99fb7fdb5679484ce3
SHA256: 2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc
SHA512: 3032f4e80e69831701e36c72230743e722e886376a526f047b2bd006a4d684f3f8a1c4d7eb8867536ed3a697c19f51ece1bb2c8ccbeda333d2eb38088a187183
Malware Config
Signatures
YARA rule matches

purplefox_dropper
- C:\Users\Public\Videos\1641278467\svchost.txt
- C:\ProgramData\svchost.txt
- behavioral1/memory/1100-71-0x00000001803F7000-0x0000000180547000-memory.dmp
- behavioral1/memory/1100-74-0x0000000001E70000-0x000000000268D000-memory.dmp

purplefox_rootkit
- C:\Users\Public\Videos\1641278467\svchost.txt
- C:\ProgramData\svchost.txt
- behavioral1/memory/1100-74-0x0000000001E70000-0x000000000268D000-memory.dmp
Network signatures

- suricata: ET MALWARE OneLouder EXE download possibly installing Zeus P2P
- suricata: ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download

Both are Emerging Threats rules that fired on the executable downloads recorded during the run (see Downloads below). The OneLouder/Zeus names come from the rule titles, not from analysis of this sample; the on-host YARA matches attribute it to PurpleFox, so read these alerts as evidence that EXE payloads were fetched, not as a Zeus attribution.
Executes dropped EXE (2 IoCs)
- PID 2028: 7zz.exe
- PID 1100: ojbkcg.exe

Loads dropped DLL (3 IoCs)
- PID 1704: 2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe
- PID 1704: 2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe
- PID 1100: ojbkcg.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

ojbkcg.exe (PID 1100) opened the following drive roots read-only, in this order: \??\M:, \??\N:, \??\O:, \??\T:, \??\Z:, \??\F:, \??\S:, \??\U:, \??\W:, \??\V:, \??\X:, \??\B:, \??\E:, \??\J:, \??\P:, \??\L:, \??\Q:, \??\R:, \??\Y:, \??\G:, \??\H:, \??\I:, \??\K: (every letter except A, C and D).
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox tags this heuristic as likely ransomware behaviour, but the same drive sweep is used by droppers and worms looking for removable and mapped drives to spread to; the YARA matches above attribute this sample to PurpleFox, a downloader/rootkit family rather than ransomware.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read to detect sandbox or virtual-machine environments; the ~MHz value is a common target because virtualised CPUs frequently report an implausible frequency.

ojbkcg.exe (PID 1100):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Suspicious behavior: EnumeratesProcesses (34 IoCs)
- PID 1704: 2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe (1 event)
- PID 1100: ojbkcg.exe (the remaining 33 events)
Suspicious use of WriteProcessMemory (8 IoCs)
- PID 1704 (2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe) wrote to memory of PID 2028 (7zz.exe), 4 times
- PID 1704 (2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe) wrote to memory of PID 1100 (ojbkcg.exe), 4 times
Processes

C:\Users\Admin\AppData\Local\Temp\2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe (PID 1704)
  command line: "C:\Users\Admin\AppData\Local\Temp\2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\Videos\1641278467\7zz.exe (PID 2028, child of 1704)
    command line: "C:\Users\Public\Videos\1641278467\7zz.exe" X -ep2 C:\Users\Public\Videos\1641278467\1.rar C:\Users\Public\Videos\1641278467
    - Executes dropped EXE

  C:\Users\Public\Videos\1641278467\ojbkcg.exe (PID 1100, child of 1704)
    command line: "C:\Users\Public\Videos\1641278467\ojbkcg.exe" -a
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses

Two details of the tree are worth noting. The staging directory name 1641278467 is a Unix timestamp (2022-01-04 06:41:07 UTC, the day of submission), so detections should key on C:\Users\Public\Videos\<10-digit number>\ rather than this literal value. The extraction command `X -ep2 <archive> <dir>` is RAR console syntax (x = extract with full paths, -ep2 = expand paths to full) rather than 7-Zip syntax, so the binary named 7zz.exe should be treated as an unidentified dropped archiver, not assumed to be 7-Zip; the report does not identify it.
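Hunting logic derived from the process tree and the drive-enumeration IoCs above, as an added example (not part of the sandbox report). It runs over a constructed Sysmon-style event list that mirrors the report's PIDs, paths, command lines and drive-letter opens; the field names, function names, the archiver name list and the DRIVE_ENUM_THRESHOLD value are assumptions. The point it adds beyond the report: the staging directory name 1641278467 is a Unix timestamp (2022-01-04 06:41:07 UTC, the submission day), so the hunt matches the C:\Users\Public\Videos\<10-digit epoch>\ pattern instead of the literal value, flags an archiver extracting an archive from that directory, and flags any single process that opens many distinct drive roots.

```python
"""Hunting checks for the PurpleFox dropper behaviour in the report above.

Added example (not part of the sandbox report). The event list is constructed
to mirror the report's own IoCs; the Sysmon-like field names, the function
names, ARCHIVERS and DRIVE_ENUM_THRESHOLD are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Staging directory is C:\Users\Public\Videos\<10-digit Unix epoch>\ ;
# hunt on the pattern, not on the literal 1641278467 seen in this run.
STAGING_RE = re.compile(r"^C:\\Users\\Public\\Videos\\(\d{10})\\", re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"^\\\?\?\\([A-Z]):$", re.IGNORECASE)
# Console archivers whose first argument 'x' means "extract" (assumed list).
ARCHIVERS = {"7z.exe", "7za.exe", "7zz.exe", "rar.exe", "unrar.exe"}
DRIVE_ENUM_THRESHOLD = 8  # assumption: distinct drive roots opened by one PID

STAGE = r"C:\Users\Public\Videos\1641278467"
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe")

# Constructed events modelled on the process tree and file IoCs in the report.
EVENTS = [
    {"type": "process", "pid": 1704, "ppid": 1000, "image": DROPPER,
     "cmdline": f'"{DROPPER}"'},
    {"type": "process", "pid": 2028, "ppid": 1704, "image": STAGE + r"\7zz.exe",
     "cmdline": f'"{STAGE}\\7zz.exe" X -ep2 {STAGE}\\1.rar {STAGE}'},
    {"type": "process", "pid": 1100, "ppid": 1704, "image": STAGE + r"\ojbkcg.exe",
     "cmdline": f'"{STAGE}\\ojbkcg.exe" -a'},
    # Benign control: explorer.exe touching a single drive root must not be flagged.
    {"type": "process", "pid": 1000, "ppid": 800,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "file_open", "pid": 1000, "path": "\\??\\C:"},
]
# The 23 drive roots ojbkcg.exe opened, in the order the report lists them.
EVENTS += [{"type": "file_open", "pid": 1100, "path": "\\??\\" + letter + ":"}
           for letter in "MNOTZFSUWVXBEJPLQRYGHIK"]


def staging_epoch(path):
    """Return the staging directory's epoch name as an ISO-8601 UTC string, or None."""
    m = STAGING_RE.match(path)
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc).isoformat()


def find_staging_execs(events):
    """PIDs of processes whose image lives under the epoch-named staging directory."""
    return [e["pid"] for e in events
            if e["type"] == "process" and STAGING_RE.match(e["image"])]


def find_archive_extraction(events):
    """PIDs of console-archiver extractions (x/X command) that read from staging."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        name = e["image"].rsplit("\\", 1)[-1].lower()
        args = e["cmdline"].split()  # paths in this report contain no spaces
        if (name in ARCHIVERS and len(args) > 1 and args[1].lower() == "x"
                and any(STAGING_RE.match(a) for a in args[2:])):
            hits.append(e["pid"])
    return hits


def find_drive_enumeration(events, threshold=DRIVE_ENUM_THRESHOLD):
    """Map PID -> sorted drive letters for PIDs opening >= threshold distinct roots."""
    roots = defaultdict(set)
    for e in events:
        if e["type"] == "file_open":
            m = DRIVE_ROOT_RE.match(e["path"])
            if m:
                roots[e["pid"]].add(m.group(1).upper())
    return {pid: sorted(letters) for pid, letters in roots.items()
            if len(letters) >= threshold}


def hunt(events):
    """Run all three checks and return the findings as one dict."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    staged = find_staging_execs(events)
    return {
        "staging_execs": staged,
        "staging_epoch": next((staging_epoch(by_pid[p]["image"]) for p in staged), None),
        "archive_extraction": find_archive_extraction(events),
        "drive_enumeration": find_drive_enumeration(events),
    }


if __name__ == "__main__":
    for key, value in hunt(EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed events the hunt reports PIDs 2028 and 1100 as staging-directory executables, PID 2028 as the archive extraction, and PID 1100 as the only process that swept drive roots; explorer.exe, which opened just C:, stays below the threshold. Tune DRIVE_ENUM_THRESHOLD against your own baseline before deploying: backup agents and disk-indexing services legitimately touch many roots.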
Network
MITRE ATT&CK Enterprise v6
Downloads
Eleven download events were recorded during the run; they resolve to the six distinct files below (file 5 was fetched three times, files 1, 3 and 4 twice each).

Download 1 (fetched twice)
MD5: e4bdbedcda09a11361972ad226353dca
SHA1: 486437132fd23cccc922ecda64ad2990d90d5fe5
SHA256: a42ca471af4a3b3605cfe3a4ad15089baa0c582745129658cb1bce2b8aced391
SHA512: 3b6e93165f9f9462a6c0527db408872226ad6940e2828ba5d6cd7ade55282d112fb033cdb2c99d24b7e3a8840d1206395a7104790d315e44c86cfc5cc7ae2fa6

Download 2
MD5: 690b5ea1cbe96a7646f71f8de8d05e40
SHA1: 623fdf4c3ed679625d960042ec4fdb4d84bd88cf
SHA256: fd04719e1ca6f48dc5fc0afdf5835f5e7749be957ed9ad1c99953c25fa4f4142
SHA512: dbbb45fe49bedf1a4b234b6bda4ed6d162ed74922dce275891a32453d415a589ce2883d4d6cb88670b15772dac07cb0fb8f5b1437065e07549934f3ee3214148

Download 3 (fetched twice)
MD5: 3958789b66c71083980dc0dd1d4c6af3
SHA1: ee358e2916ad66bda83fcad244188d9c7585b50c
SHA256: a042c6d51a1b197a946af434439621ff9a7230381a6ae4d311ab3d954fe67a18
SHA512: 00e453403a9f8a4d08831efddc91c88d433fd62ea22764bce3015087890d677ac05f6d7cb2648c4ecee85498cf442bb858213512cb85a54940b566203b51afd0

Download 4 (fetched twice)
MD5: f2ae502d448cfb81a5f40a9368d99b1a
SHA1: f849be86e9e7ced0acd51a68f92992b8090d08a5
SHA256: 07ad4b984f288304003b080dd013784685181de4353a0b70a0247f96e535bd56
SHA512: 9f3aea471684e22bf9fc045ca0e47a8429fa0b13c188f9c7a51937efa8afcec976761b0c4c95aed7735096fcc2278bbd86b0ab581261a6aff6c694d7bb65e9be

Download 5 (fetched three times)
MD5: 89658291c24f32d1e0c85c257aa2cdce
SHA1: 1ca3598a451b55a882199ae376a1a64d5539baed
SHA256: d557386ec5241dce148d4dadbba4f49425cbbdfcf3a5ab089858ba18ff20fc47
SHA512: 2c08fdbaa7dc2c46707a395fb5ebdf3d7d2cabe6a4d7fae0aee1aa0867cd58866d42e94623f1d1371f798b1bf6a8304d7322f9eea7c249ed8a096623d815da39

Download 6
MD5: c36bb659f08f046b139c8d1b980bf1ac
SHA1: dd3247b225a8da3161f76055f31cbc5f64a66086
SHA256: 405f03534be8b45185695f68deb47d4daf04dcd6df9d351ca6831d3721b1efc4
SHA512: 3eeae6a3b424fa1709b4443f625ee99fa2d2861661214b868d36bf5a63c0aaac61ad3bdd9c4b18cb9d820ef89653787df812289d31d65415c4dd08fd45d0c73f