Overview

overview

10

Static

static

10

WhatsAppSetupr.exe

windows7_x64

10

WhatsAppSetupr.exe

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    14-01-2022 07:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WhatsAppSetupr.exe

  • Size

    117KB

  • MD5

    83e71f37df8557d87bb44c4c64396802

  • SHA1

    e1ceb77f3a29cd314d047d1bf6e2f984d81bde4d

  • SHA256

    d9c73323bc1f6fb31137e8e0ecec6bbcad6d91e10bccf06948e0d3446e05c23a

  • SHA512

    ddd4c57fbfecfd4398fd5b9b5c628f542d6bf2adb550d8b9748d56c1075ebbc12e15aff72c2b62008d51bc5640b189bb87935f254fc8b1ccbc620f3970aa3c49

Score
10/10
purplefox loaderdropperloaderrootkitsuricatatrojan

Malware Config

Extracted

Family

purplefox

Signatures

  • Detect PurpleFox Dropper 4 IoCs

    Detect PurpleFox Dropper.

    dropper loader
  • Detect PurpleFox Rootkit 4 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • suricata: ET MALWARE OneLouder EXE download possibly installing Zeus P2P

    suricata: ET MALWARE OneLouder EXE download possibly installing Zeus P2P

    suricata
  • suricata: ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download

    suricata: ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download

    suricata
  • suricata: ET MALWARE PurpleFox Backdoor/Rootkit Checkin

    suricata: ET MALWARE PurpleFox Backdoor/Rootkit Checkin

    suricata
  • suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Request M1

    suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Request M1

    suricata
  • suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M1

    suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M1

    suricata
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WhatsAppSetupr.exe
    "C:\Users\Admin\AppData\Local\Temp\WhatsAppSetupr.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Users\Public\Videos\1642407077\7zz.exe
      "C:\Users\Public\Videos\1642407077\7zz.exe" X -ep2 C:\Users\Public\Videos\1642407077\1.rar C:\Users\Public\Videos\1642407077
      2⤵
      • Executes dropped EXE
      PID:3024
    • C:\Users\Public\Videos\1642407077\ojbkcg.exe
      "C:\Users\Public\Videos\1642407077\ojbkcg.exe" -a
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\svchost.txt
    Filesize

    8.2MB

    MD5

    0d2422983c8b4cafec017b7dc3399aff

    SHA1

    d6dd2c41b665b32290e78394769e7b6e39585dfa

    SHA256

    82490fa7297344ca9c37f901cbc5c43c5db51bba4b4a390589db0973d70475e4

    SHA512

    e8cdea9b3c31be2c0256e6c3f3a376b359cf64f34061b49669fa1a9cb3602137e8a6076ec600b113569a5a8c4fed2e921074071ba6cfd601b4f6428a1f8989f1

    Download Submit
  • C:\Users\Public\Videos\1642407077\1.rar
    Filesize

    2.4MB

    MD5

    2e7da7811dad552ccf70f1709bc63217

    SHA1

    7b70d762a8dc03c8a21aff160f05980cddea1cc7

    SHA256

    4aedfa5435009376cefe26b5c4d6f27664937a60acdbc2370495133ffea0ae37

    SHA512

    9f17ef61cb59c001e23ac1906aab3ac3a301b58b32a1886eadb8ace56fac571257f41ab3c26bde222dea9461768711af47fa9c29064786fb38c1967ba277b4a1

    Download Submit
  • C:\Users\Public\Videos\1642407077\360.tct
    Filesize

    176KB

    MD5

    d618435291031e2b7e9320979e38a66d

    SHA1

    0a020603f9f532f404699b3429514691c1d2e3a8

    SHA256

    23562138f7bf1524b009520abadd3a2450c73955891ac92c67fd66dc59de66de

    SHA512

    0075abdbe7c75c32677aaff1a67adbe0db611e75879171cd5f6e2bdebbbdf8e9d1ab20bb192fae8f7f3aa98526d02f79f29b9ab96f5dca3d144a51cb2ac7dbd9

    Download Submit
  • C:\Users\Public\Videos\1642407077\7zz.exe
    Filesize

    572KB

    MD5

    f2ae502d448cfb81a5f40a9368d99b1a

    SHA1

    f849be86e9e7ced0acd51a68f92992b8090d08a5

    SHA256

    07ad4b984f288304003b080dd013784685181de4353a0b70a0247f96e535bd56

    SHA512

    9f3aea471684e22bf9fc045ca0e47a8429fa0b13c188f9c7a51937efa8afcec976761b0c4c95aed7735096fcc2278bbd86b0ab581261a6aff6c694d7bb65e9be

    Download Submit
  • C:\Users\Public\Videos\1642407077\ojbkcg.exe
    Filesize

    90KB

    MD5

    b279a37b23d236e4cea9f950e36404d3

    SHA1

    26c3b45ba41870af8c69308a5af59e319060fefe

    SHA256

    3a883d751c5eb2fa4c3121313fe1db49043cea44af200a6e4295de13794f8878

    SHA512

    92ecc11fa19894369c6aca7d86ac4eca51b89829871b7358a6a5fef2a22de49ef7fcc6a404b278d19fcacf37e6a577764a05b3eab75fee9bdad18b1478b08ed4

    Download Submit
  • C:\Users\Public\Videos\1642407077\ojbkcg.exe
    Filesize

    90KB

    MD5

    b279a37b23d236e4cea9f950e36404d3

    SHA1

    26c3b45ba41870af8c69308a5af59e319060fefe

    SHA256

    3a883d751c5eb2fa4c3121313fe1db49043cea44af200a6e4295de13794f8878

    SHA512

    92ecc11fa19894369c6aca7d86ac4eca51b89829871b7358a6a5fef2a22de49ef7fcc6a404b278d19fcacf37e6a577764a05b3eab75fee9bdad18b1478b08ed4

    Download Submit
  • C:\Users\Public\Videos\1642407077\rundll3222.exe
    Filesize

    45KB

    MD5

    c36bb659f08f046b139c8d1b980bf1ac

    SHA1

    dd3247b225a8da3161f76055f31cbc5f64a66086

    SHA256

    405f03534be8b45185695f68deb47d4daf04dcd6df9d351ca6831d3721b1efc4

    SHA512

    3eeae6a3b424fa1709b4443f625ee99fa2d2861661214b868d36bf5a63c0aaac61ad3bdd9c4b18cb9d820ef89653787df812289d31d65415c4dd08fd45d0c73f

    Download Submit
  • C:\Users\Public\Videos\1642407077\svchost.txt
    Filesize

    8.2MB

    MD5

    0d2422983c8b4cafec017b7dc3399aff

    SHA1

    d6dd2c41b665b32290e78394769e7b6e39585dfa

    SHA256

    82490fa7297344ca9c37f901cbc5c43c5db51bba4b4a390589db0973d70475e4

    SHA512

    e8cdea9b3c31be2c0256e6c3f3a376b359cf64f34061b49669fa1a9cb3602137e8a6076ec600b113569a5a8c4fed2e921074071ba6cfd601b4f6428a1f8989f1

    Download Submit
  • \Users\Public\Videos\1642407077\360.tct
    Filesize

    176KB

    MD5

    d618435291031e2b7e9320979e38a66d

    SHA1

    0a020603f9f532f404699b3429514691c1d2e3a8

    SHA256

    23562138f7bf1524b009520abadd3a2450c73955891ac92c67fd66dc59de66de

    SHA512

    0075abdbe7c75c32677aaff1a67adbe0db611e75879171cd5f6e2bdebbbdf8e9d1ab20bb192fae8f7f3aa98526d02f79f29b9ab96f5dca3d144a51cb2ac7dbd9

    Download Submit
  • memory/1176-133-0x000000018085F000-0x0000000180860000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1176-124-0x0000000000000000-mapping.dmp
    Download
  • memory/1176-128-0x00000243358F0000-0x000002433612E000-memory.dmp
    Filesize

    8.2MB

    Download
  • memory/1176-129-0x0000000180001000-0x00000001803F0000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1176-130-0x00000001803F0000-0x00000001803F4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1176-131-0x00000001803F4000-0x0000000180543000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1176-132-0x0000000180836000-0x000000018085F000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1176-134-0x0000024336AD1000-0x0000024336D7C000-memory.dmp
    Filesize

    2.7MB

    Download
  • memory/1176-135-0x0000024336D7C000-0x0000024336F74000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/1176-136-0x0000024336AD1000-0x0000024336D7C000-memory.dmp
    Filesize

    2.7MB

    Download
  • memory/3024-115-0x0000000000000000-mapping.dmp
    Download
  • memory/3024-117-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3024-118-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
    Filesize

    4KB

    Download