Overview

overview

10

Static

static

2122180333...cc.exe

windows7_x64

10

2122180333...cc.exe

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    04-01-2022 05:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe

  • Size

    69KB

  • MD5

    ba2b85a44c23769cc557586d9269996d

  • SHA1

    7ec436400772e3a1ee77ac99fb7fdb5679484ce3

  • SHA256

    2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc

  • SHA512

    3032f4e80e69831701e36c72230743e722e886376a526f047b2bd006a4d684f3f8a1c4d7eb8867536ed3a697c19f51ece1bb2c8ccbeda333d2eb38088a187183

Score
10/10
purplefox loaderdropperrootkitsuricatatrojan

Malware Config

Signatures

  • Detect PurpleFox Dropper 6 IoCs

    Detect PurpleFox Dropper.

    dropper loader
  • Detect PurpleFox Rootkit 5 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • suricata: ET MALWARE OneLouder EXE download possibly installing Zeus P2P

    suricata: ET MALWARE OneLouder EXE download possibly installing Zeus P2P

    suricata
  • suricata: ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download

    suricata: ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download

    suricata
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe
    "C:\Users\Admin\AppData\Local\Temp\2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Users\Public\Videos\1641278467\7zz.exe
      "C:\Users\Public\Videos\1641278467\7zz.exe" X -ep2 C:\Users\Public\Videos\1641278467\1.rar C:\Users\Public\Videos\1641278467
      2⤵
      • Executes dropped EXE
      PID:2028
    • C:\Users\Public\Videos\1641278467\ojbkcg.exe
      "C:\Users\Public\Videos\1641278467\ojbkcg.exe" -a
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\svchost.txt
    MD5

    e4bdbedcda09a11361972ad226353dca

    SHA1

    486437132fd23cccc922ecda64ad2990d90d5fe5

    SHA256

    a42ca471af4a3b3605cfe3a4ad15089baa0c582745129658cb1bce2b8aced391

    SHA512

    3b6e93165f9f9462a6c0527db408872226ad6940e2828ba5d6cd7ade55282d112fb033cdb2c99d24b7e3a8840d1206395a7104790d315e44c86cfc5cc7ae2fa6

    Download Submit
  • C:\Users\Public\Videos\1641278467\1.rar
    MD5

    690b5ea1cbe96a7646f71f8de8d05e40

    SHA1

    623fdf4c3ed679625d960042ec4fdb4d84bd88cf

    SHA256

    fd04719e1ca6f48dc5fc0afdf5835f5e7749be957ed9ad1c99953c25fa4f4142

    SHA512

    dbbb45fe49bedf1a4b234b6bda4ed6d162ed74922dce275891a32453d415a589ce2883d4d6cb88670b15772dac07cb0fb8f5b1437065e07549934f3ee3214148

    Download Submit
  • C:\Users\Public\Videos\1641278467\360.tct
    MD5

    3958789b66c71083980dc0dd1d4c6af3

    SHA1

    ee358e2916ad66bda83fcad244188d9c7585b50c

    SHA256

    a042c6d51a1b197a946af434439621ff9a7230381a6ae4d311ab3d954fe67a18

    SHA512

    00e453403a9f8a4d08831efddc91c88d433fd62ea22764bce3015087890d677ac05f6d7cb2648c4ecee85498cf442bb858213512cb85a54940b566203b51afd0

    Download Submit
  • C:\Users\Public\Videos\1641278467\7zz.exe
    MD5

    f2ae502d448cfb81a5f40a9368d99b1a

    SHA1

    f849be86e9e7ced0acd51a68f92992b8090d08a5

    SHA256

    07ad4b984f288304003b080dd013784685181de4353a0b70a0247f96e535bd56

    SHA512

    9f3aea471684e22bf9fc045ca0e47a8429fa0b13c188f9c7a51937efa8afcec976761b0c4c95aed7735096fcc2278bbd86b0ab581261a6aff6c694d7bb65e9be

    Download Submit
  • C:\Users\Public\Videos\1641278467\ojbkcg.exe
    MD5

    89658291c24f32d1e0c85c257aa2cdce

    SHA1

    1ca3598a451b55a882199ae376a1a64d5539baed

    SHA256

    d557386ec5241dce148d4dadbba4f49425cbbdfcf3a5ab089858ba18ff20fc47

    SHA512

    2c08fdbaa7dc2c46707a395fb5ebdf3d7d2cabe6a4d7fae0aee1aa0867cd58866d42e94623f1d1371f798b1bf6a8304d7322f9eea7c249ed8a096623d815da39

    Download Submit
  • C:\Users\Public\Videos\1641278467\ojbkcg.exe
    MD5

    89658291c24f32d1e0c85c257aa2cdce

    SHA1

    1ca3598a451b55a882199ae376a1a64d5539baed

    SHA256

    d557386ec5241dce148d4dadbba4f49425cbbdfcf3a5ab089858ba18ff20fc47

    SHA512

    2c08fdbaa7dc2c46707a395fb5ebdf3d7d2cabe6a4d7fae0aee1aa0867cd58866d42e94623f1d1371f798b1bf6a8304d7322f9eea7c249ed8a096623d815da39

    Download Submit
  • C:\Users\Public\Videos\1641278467\rundll3222.exe
    MD5

    c36bb659f08f046b139c8d1b980bf1ac

    SHA1

    dd3247b225a8da3161f76055f31cbc5f64a66086

    SHA256

    405f03534be8b45185695f68deb47d4daf04dcd6df9d351ca6831d3721b1efc4

    SHA512

    3eeae6a3b424fa1709b4443f625ee99fa2d2861661214b868d36bf5a63c0aaac61ad3bdd9c4b18cb9d820ef89653787df812289d31d65415c4dd08fd45d0c73f

    Download Submit
  • C:\Users\Public\Videos\1641278467\svchost.txt
    MD5

    e4bdbedcda09a11361972ad226353dca

    SHA1

    486437132fd23cccc922ecda64ad2990d90d5fe5

    SHA256

    a42ca471af4a3b3605cfe3a4ad15089baa0c582745129658cb1bce2b8aced391

    SHA512

    3b6e93165f9f9462a6c0527db408872226ad6940e2828ba5d6cd7ade55282d112fb033cdb2c99d24b7e3a8840d1206395a7104790d315e44c86cfc5cc7ae2fa6

    Download Submit
  • \Users\Public\Videos\1641278467\360.tct
    MD5

    3958789b66c71083980dc0dd1d4c6af3

    SHA1

    ee358e2916ad66bda83fcad244188d9c7585b50c

    SHA256

    a042c6d51a1b197a946af434439621ff9a7230381a6ae4d311ab3d954fe67a18

    SHA512

    00e453403a9f8a4d08831efddc91c88d433fd62ea22764bce3015087890d677ac05f6d7cb2648c4ecee85498cf442bb858213512cb85a54940b566203b51afd0

    Download Submit
  • \Users\Public\Videos\1641278467\7zz.exe
    MD5

    f2ae502d448cfb81a5f40a9368d99b1a

    SHA1

    f849be86e9e7ced0acd51a68f92992b8090d08a5

    SHA256

    07ad4b984f288304003b080dd013784685181de4353a0b70a0247f96e535bd56

    SHA512

    9f3aea471684e22bf9fc045ca0e47a8429fa0b13c188f9c7a51937efa8afcec976761b0c4c95aed7735096fcc2278bbd86b0ab581261a6aff6c694d7bb65e9be

    Download Submit
  • \Users\Public\Videos\1641278467\ojbkcg.exe
    MD5

    89658291c24f32d1e0c85c257aa2cdce

    SHA1

    1ca3598a451b55a882199ae376a1a64d5539baed

    SHA256

    d557386ec5241dce148d4dadbba4f49425cbbdfcf3a5ab089858ba18ff20fc47

    SHA512

    2c08fdbaa7dc2c46707a395fb5ebdf3d7d2cabe6a4d7fae0aee1aa0867cd58866d42e94623f1d1371f798b1bf6a8304d7322f9eea7c249ed8a096623d815da39

    Download Submit
  • memory/1100-65-0x0000000000000000-mapping.dmp
    Download
  • memory/1100-69-0x0000000180001000-0x00000001803F3000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1100-71-0x00000001803F7000-0x0000000180547000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1100-70-0x00000001803F3000-0x00000001803F7000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1100-73-0x000000018083E000-0x000000018083F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1100-72-0x0000000180815000-0x000000018083E000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1100-74-0x0000000001E70000-0x000000000268D000-memory.dmp
    Filesize

    8.1MB

    Download
  • memory/1704-54-0x0000000075F91000-0x0000000075F93000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2028-56-0x0000000000000000-mapping.dmp
    Download