Analysis

  • max time kernel
    121s
  • max time network
    132s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    04-01-2022 05:41

General

  • Target

    2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe

  • Size

    69KB

  • MD5

    ba2b85a44c23769cc557586d9269996d

  • SHA1

    7ec436400772e3a1ee77ac99fb7fdb5679484ce3

  • SHA256

    2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc

  • SHA512

    3032f4e80e69831701e36c72230743e722e886376a526f047b2bd006a4d684f3f8a1c4d7eb8867536ed3a697c19f51ece1bb2c8ccbeda333d2eb38088a187183

Malware Config

Signatures

  • Detect PurpleFox Dropper 5 IoCs

    Detect PurpleFox Dropper.

  • Detect PurpleFox Rootkit 4 IoCs

    Detect PurpleFox Rootkit.

  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

  • suricata: ET MALWARE OneLouder EXE download possibly installing Zeus P2P

    suricata: ET MALWARE OneLouder EXE download possibly installing Zeus P2P

  • suricata: ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download

    suricata: ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe
    "C:\Users\Admin\AppData\Local\Temp\2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Users\Public\Videos\1639328204\7zz.exe
      "C:\Users\Public\Videos\1639328204\7zz.exe" X -ep2 C:\Users\Public\Videos\1639328204\1.rar C:\Users\Public\Videos\1639328204
      2⤵
      • Executes dropped EXE
      PID:3004
    • C:\Users\Public\Videos\1639328204\ojbkcg.exe
      "C:\Users\Public\Videos\1639328204\ojbkcg.exe" -a
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2364

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2364-129-0x00000001803F3000-0x00000001803F7000-memory.dmp

    Filesize

    16KB

  • memory/2364-131-0x0000000180815000-0x000000018083E000-memory.dmp

    Filesize

    164KB

  • memory/2364-128-0x0000000180001000-0x00000001803F3000-memory.dmp

    Filesize

    3.9MB

  • memory/2364-130-0x00000001803F7000-0x0000000180547000-memory.dmp

    Filesize

    1.3MB

  • memory/2364-133-0x000000018083E000-0x000000018083F000-memory.dmp

    Filesize

    4KB

  • memory/2364-132-0x0000000002D40000-0x000000000355D000-memory.dmp

    Filesize

    8.1MB

  • memory/3004-117-0x00000000000F0000-0x00000000000F1000-memory.dmp

    Filesize

    4KB

  • memory/3004-118-0x00000000000F0000-0x00000000000F1000-memory.dmp

    Filesize

    4KB