Analysis
- max time kernel: 121s
- max time network: 132s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 04-01-2022 05:41

Static task: static1
Behavioral task: behavioral1
Sample: 2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe
Resource: win7-en-20211208
General
- Target: 2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe
- Size: 69KB
- MD5: ba2b85a44c23769cc557586d9269996d
- SHA1: 7ec436400772e3a1ee77ac99fb7fdb5679484ce3
- SHA256: 2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc
- SHA512: 3032f4e80e69831701e36c72230743e722e886376a526f047b2bd006a4d684f3f8a1c4d7eb8867536ed3a697c19f51ece1bb2c8ccbeda333d2eb38088a187183
Malware Config
Signatures
- purplefox_dropper (yara_rule matches)
  resource                                                                        yara_rule
  behavioral2/files/0x000500000001ab5d-122.dat                                    purplefox_dropper
  behavioral2/files/0x000500000001ab6a-127.dat                                    purplefox_dropper
  behavioral2/memory/2364-130-0x00000001803F7000-0x0000000180547000-memory.dmp    purplefox_dropper
  behavioral2/memory/2364-132-0x0000000002D40000-0x000000000355D000-memory.dmp    purplefox_dropper
- purplefox_rootkit (yara_rule matches)
  resource                                                                        yara_rule
  behavioral2/files/0x000500000001ab5d-122.dat                                    purplefox_rootkit
  behavioral2/files/0x000500000001ab6a-127.dat                                    purplefox_rootkit
  behavioral2/memory/2364-132-0x0000000002D40000-0x000000000355D000-memory.dmp    purplefox_rootkit
- suricata: ET MALWARE OneLouder EXE download possibly installing Zeus P2P
- suricata: ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download
- Executes dropped EXE (2 IoCs)
  pid    Process
  3004   7zz.exe
  2364   ojbkcg.exe
- Loads dropped DLL (1 IoC)
  pid    Process
  2364   ojbkcg.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description               ioc       Process
  File opened (read-only)   \??\Z:    ojbkcg.exe
  File opened (read-only)   \??\E:    ojbkcg.exe
  File opened (read-only)   \??\G:    ojbkcg.exe
  File opened (read-only)   \??\H:    ojbkcg.exe
  File opened (read-only)   \??\O:    ojbkcg.exe
  File opened (read-only)   \??\R:    ojbkcg.exe
  File opened (read-only)   \??\T:    ojbkcg.exe
  File opened (read-only)   \??\X:    ojbkcg.exe
  File opened (read-only)   \??\J:    ojbkcg.exe
  File opened (read-only)   \??\I:    ojbkcg.exe
  File opened (read-only)   \??\L:    ojbkcg.exe
  File opened (read-only)   \??\M:    ojbkcg.exe
  File opened (read-only)   \??\P:    ojbkcg.exe
  File opened (read-only)   \??\S:    ojbkcg.exe
  File opened (read-only)   \??\W:    ojbkcg.exe
  File opened (read-only)   \??\Y:    ojbkcg.exe
  File opened (read-only)   \??\B:    ojbkcg.exe
  File opened (read-only)   \??\F:    ojbkcg.exe
  File opened (read-only)   \??\K:    ojbkcg.exe
  File opened (read-only)   \??\N:    ojbkcg.exe
  File opened (read-only)   \??\Q:    ojbkcg.exe
  File opened (read-only)   \??\U:    ojbkcg.exe
  File opened (read-only)   \??\V:    ojbkcg.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description         ioc                                                                     Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        ojbkcg.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   ojbkcg.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    Process
  2460   2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe   (2 entries)
  2364   ojbkcg.exe                                                             (62 entries)
- Suspicious use of WriteProcessMemory (5 IoCs)
  description                        pid    Process                                                                 procid_target
  PID 2460 wrote to memory of 3004   2460   2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe   70
  PID 2460 wrote to memory of 3004   2460   2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe   70
  PID 2460 wrote to memory of 3004   2460   2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe   70
  PID 2460 wrote to memory of 2364   2460   2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe   72
  PID 2460 wrote to memory of 2364   2460   2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe   72
Processes
- C:\Users\Admin\AppData\Local\Temp\2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe (PID:2460)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2122180333641dee3a0ef7b9966ef035dc010e9857867c247517fe4ec8f566cc.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\Videos\1639328204\7zz.exe (PID:3004)
    Command line: "C:\Users\Public\Videos\1639328204\7zz.exe" X -ep2 C:\Users\Public\Videos\1639328204\1.rar C:\Users\Public\Videos\1639328204
    - Executes dropped EXE
  - C:\Users\Public\Videos\1639328204\ojbkcg.exe (PID:2364)
    Command line: "C:\Users\Public\Videos\1639328204\ojbkcg.exe" -a
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses