Analysis
max time kernel: 121s
max time network: 134s
platform: windows7_x64
resource: win7-en-20211208
submitted: 04-01-2022 05:41

Static task: static1
Behavioral task: behavioral1
Sample: 2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe
Resource: win7-en-20211208
General
Target: 2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe
Size: 69KB
MD5: ba2b85a44c23769cc557586d9269996d
SHA1: 7ec436400772e3a1ee77ac99fb7fdb5679484ce3
SHA256: 2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc
SHA512: 3032f4e80e69831701e36c72230743e722e886376a526f047b2bd006a4d684f3f8a1c4d7eb8867536ed3a697c19f51ece1bb2c8ccbeda333d2eb38088a187183
Malware Config
Signatures
purplefox_dropper
yara_rule          resource
purplefox_dropper  behavioral1/files/0x000600000001390e-62.dat
purplefox_dropper  behavioral1/files/0x0005000000014023-68.dat
purplefox_dropper  behavioral1/memory/1100-71-0x00000001803F7000-0x0000000180547000-memory.dmp
purplefox_dropper  behavioral1/memory/1100-74-0x0000000001E70000-0x000000000268D000-memory.dmp

purplefox_rootkit
yara_rule          resource
purplefox_rootkit  behavioral1/files/0x000600000001390e-62.dat
purplefox_rootkit  behavioral1/files/0x0005000000014023-68.dat
purplefox_rootkit  behavioral1/memory/1100-74-0x0000000001E70000-0x000000000268D000-memory.dmp
suricata: ET MALWARE OneLouder EXE download possibly installing Zeus P2P
suricata: ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download
Executes dropped EXE 2 IoCs
pid   Process
2028  7zz.exe
1100  ojbkcg.exe
Loads dropped DLL 3 IoCs
pid   Process
1704  2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe
1704  2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe
1100  ojbkcg.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\M:  ojbkcg.exe
File opened (read-only)  \??\N:  ojbkcg.exe
File opened (read-only)  \??\O:  ojbkcg.exe
File opened (read-only)  \??\T:  ojbkcg.exe
File opened (read-only)  \??\Z:  ojbkcg.exe
File opened (read-only)  \??\F:  ojbkcg.exe
File opened (read-only)  \??\S:  ojbkcg.exe
File opened (read-only)  \??\U:  ojbkcg.exe
File opened (read-only)  \??\W:  ojbkcg.exe
File opened (read-only)  \??\V:  ojbkcg.exe
File opened (read-only)  \??\X:  ojbkcg.exe
File opened (read-only)  \??\B:  ojbkcg.exe
File opened (read-only)  \??\E:  ojbkcg.exe
File opened (read-only)  \??\J:  ojbkcg.exe
File opened (read-only)  \??\P:  ojbkcg.exe
File opened (read-only)  \??\L:  ojbkcg.exe
File opened (read-only)  \??\Q:  ojbkcg.exe
File opened (read-only)  \??\R:  ojbkcg.exe
File opened (read-only)  \??\Y:  ojbkcg.exe
File opened (read-only)  \??\G:  ojbkcg.exe
File opened (read-only)  \??\H:  ojbkcg.exe
File opened (read-only)  \??\I:  ojbkcg.exe
File opened (read-only)  \??\K:  ojbkcg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  ojbkcg.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       ojbkcg.exe
Suspicious behavior: EnumeratesProcesses 34 IoCs
pid   Process
1704  2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe
1100  ojbkcg.exe   (this row is repeated for each of the remaining 33 IoCs)
Suspicious use of WriteProcessMemory 8 IoCs
description                       pid   procid_target  Process
PID 1704 wrote to memory of 2028  1704  30             2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe   (4 identical entries)
PID 1704 wrote to memory of 1100  1704  32             2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe   (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe"
  PID: 1704
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\Videos\1641278467\7zz.exe  (child of PID 1704)
    command line: "C:\Users\Public\Videos\1641278467\7zz.exe" X -ep2 C:\Users\Public\Videos\1641278467\1.rar C:\Users\Public\Videos\1641278467
    PID: 2028
    - Executes dropped EXE

  C:\Users\Public\Videos\1641278467\ojbkcg.exe  (child of PID 1704)
    command line: "C:\Users\Public\Videos\1641278467\ojbkcg.exe" -a
    PID: 1100
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses