Analysis
- max time kernel: 121s
- max time network: 142s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 14-01-2022 07:11

Behavioral task: behavioral1
- Sample: WhatsAppSetupr.exe
- Resource: win7-en-20211208
General
- Target: WhatsAppSetupr.exe
- Size: 117KB
- MD5: 83e71f37df8557d87bb44c4c64396802
- SHA1: e1ceb77f3a29cd314d047d1bf6e2f984d81bde4d
- SHA256: d9c73323bc1f6fb31137e8e0ecec6bbcad6d91e10bccf06948e0d3446e05c23a
- SHA512: ddd4c57fbfecfd4398fd5b9b5c628f542d6bf2adb550d8b9748d56c1075ebbc12e15aff72c2b62008d51bc5640b189bb87935f254fc8b1ccbc620f3970aa3c49

Malware Config
- Extracted family: purplefox
Signatures
- yara_rule purplefox_dropper (3 IoCs)
  - C:\Users\Public\Videos\1642407077\svchost.txt
  - C:\ProgramData\svchost.txt
  - behavioral2/memory/1176-128-0x00000243358F0000-0x000002433612E000-memory.dmp
- yara_rule purplefox_rootkit (3 IoCs)
  - C:\Users\Public\Videos\1642407077\svchost.txt
  - C:\ProgramData\svchost.txt
  - behavioral2/memory/1176-128-0x00000243358F0000-0x000002433612E000-memory.dmp
  Both rules hit the same three artifacts: two on-disk copies of svchost.txt and the memory of PID 1176 (ojbkcg.exe in the process tree below). The dump path is labelled behavioral2 although the task header above lists behavioral1; the PID matches this run.
- suricata: ET MALWARE OneLouder EXE download possibly installing Zeus P2P
- suricata: ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download
  As their names state, these two rules key on an EXE download pattern ("possibly", "Probable"); the PurpleFox-specific rules below are the higher-confidence network hits for this sample.
- suricata: ET MALWARE PurpleFox Backdoor/Rootkit Checkin
- suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Request M1
- suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M1
Executes dropped EXE (2 IoCs)
- PID 3024: 7zz.exe
- PID 1176: ojbkcg.exe

Loads dropped DLL (1 IoC)
- PID 1176: ojbkcg.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- ojbkcg.exe: File opened (read-only) on \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
  That is every drive letter except A:, C: and D:, i.e. a full sweep of possible volumes rather than access to any specific one.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The "likely ransomware" text is the sandbox's generic description for this signature. With purplefox YARA and Suricata hits on this sample, and no file-encryption IoCs listed on this page, read the drive sweep as part of the PurpleFox dropper's behaviour rather than as evidence of ransomware.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- ojbkcg.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- ojbkcg.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2600 WhatsAppSetupr.exe (2 events)
- PID 1176 ojbkcg.exe (62 events)

Suspicious use of WriteProcessMemory (5 IoCs)
- PID 2600 WhatsAppSetupr.exe wrote to memory of PID 3024 7zz.exe (3 events)
- PID 2600 WhatsAppSetupr.exe wrote to memory of PID 1176 ojbkcg.exe (2 events)
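The per-process records in this section (drive roots opened, CentralProcessor registry reads, WriteProcessMemory parent/child pairs) are what an analyst turns into a structured summary when comparing runs. The following is an added example, not code from the sandbox or from the report: it parses a constructed subset of the records above, in the report's own one-record-per-line format, and derives per-process drive enumeration, CPU-registry reads and parent/child links. The `explorer.exe` line and the drive-count threshold of 3 are assumptions introduced to show that a process touching only C: is not flagged.

```python
"""Structured summary of the flattened per-process IoC records in the signatures section.

Added example, not part of the sandbox report. Parses a constructed subset of the
report's "File opened", "Key opened / Key value queried" and "wrote to memory" records
and derives drive enumeration, CPU-registry reads and parent/child process links.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the records shown in the report, one record per line.
# The explorer.exe line is invented to show the C:-only case; it is not in the report.
RECORDS = r"""
File opened (read-only) \??\E: ojbkcg.exe
File opened (read-only) \??\H: ojbkcg.exe
File opened (read-only) \??\C: explorer.exe
File opened (read-only) \??\Z: ojbkcg.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ojbkcg.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ojbkcg.exe
PID 2600 wrote to memory of 3024 2600 WhatsAppSetupr.exe 7zz.exe
PID 2600 wrote to memory of 3024 2600 WhatsAppSetupr.exe 7zz.exe
PID 2600 wrote to memory of 1176 2600 WhatsAppSetupr.exe ojbkcg.exe
"""

# One regex per record type; group order documented inline.
DRIVE_RE = re.compile(r"^File opened \(read-only\) \\\?\?\\([A-Z]):\s+(\S+)$")  # letter, image
CPU_RE = re.compile(
    r"^Key (opened|value queried) "
    r"(\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\S*)\s+(\S+)$"
)  # kind, key, image
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")  # ppid, cpid, pimg, cimg

DRIVE_THRESHOLD = 3  # assumption: flag a process that opens this many non-C: drive roots


def summarize(records: str, threshold: int = DRIVE_THRESHOLD) -> dict:
    """Group the records by process and derive the behaviours the signatures describe."""
    drives = defaultdict(set)        # image -> set of drive letters opened
    cpu_reads = []                   # (image, kind, key)
    children = defaultdict(set)      # parent image -> {(child pid, child image)}
    wpm_events = defaultdict(int)    # (parent pid, child pid) -> number of write events
    for line in records.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := DRIVE_RE.match(line):
            drives[m.group(2)].add(m.group(1))
        elif m := CPU_RE.match(line):
            cpu_reads.append((m.group(3), m.group(1), m.group(2)))
        elif m := WPM_RE.match(line):
            ppid, cpid, pimg, cimg = m.groups()
            children[pimg].add((int(cpid), cimg))
            wpm_events[(int(ppid), int(cpid))] += 1
    # A process touching only the system drive is normal; count the other roots it opened.
    flagged = {
        img: sorted(letters - {"C"})
        for img, letters in drives.items()
        if len(letters - {"C"}) >= threshold
    }
    return {
        "drives": {k: sorted(v) for k, v in drives.items()},
        "enumerates_non_default_drives": flagged,
        "cpu_registry_reads": cpu_reads,
        "children": {k: sorted(v) for k, v in children.items()},
        "wpm_events": dict(wpm_events),
    }


if __name__ == "__main__":
    for key, value in summarize(RECORDS).items():
        print(f"{key}: {value}")
```

Run against the full 23-letter list in the report, `enumerates_non_default_drives` for ojbkcg.exe is every letter except A, C and D, and `wpm_events` reproduces the 3 + 2 WriteProcessMemory events that precede the two dropped executables in the process tree.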
Processes
- C:\Users\Admin\AppData\Local\Temp\WhatsAppSetupr.exe (PID 2600)
  Command line: "C:\Users\Admin\AppData\Local\Temp\WhatsAppSetupr.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Public\Videos\1642407077\7zz.exe (PID 3024)
    Command line: "C:\Users\Public\Videos\1642407077\7zz.exe" X -ep2 C:\Users\Public\Videos\1642407077\1.rar C:\Users\Public\Videos\1642407077
    - Executes dropped EXE
  - Child: C:\Users\Public\Videos\1642407077\ojbkcg.exe (PID 1176)
    Command line: "C:\Users\Public\Videos\1642407077\ojbkcg.exe" -a
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses

The first child is a dropped archiver binary extracting 1.rar into the staging directory C:\Users\Public\Videos\1642407077; the second child, ojbkcg.exe, runs from that same directory and is the process whose memory carries the purplefox YARA hits and which performs the drive and CPU checks.
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 8.2MB
  MD5: 0d2422983c8b4cafec017b7dc3399aff
  SHA1: d6dd2c41b665b32290e78394769e7b6e39585dfa
  SHA256: 82490fa7297344ca9c37f901cbc5c43c5db51bba4b4a390589db0973d70475e4
  SHA512: e8cdea9b3c31be2c0256e6c3f3a376b359cf64f34061b49669fa1a9cb3602137e8a6076ec600b113569a5a8c4fed2e921074071ba6cfd601b4f6428a1f8989f1
- Filesize: 2.4MB
  MD5: 2e7da7811dad552ccf70f1709bc63217
  SHA1: 7b70d762a8dc03c8a21aff160f05980cddea1cc7
  SHA256: 4aedfa5435009376cefe26b5c4d6f27664937a60acdbc2370495133ffea0ae37
  SHA512: 9f17ef61cb59c001e23ac1906aab3ac3a301b58b32a1886eadb8ace56fac571257f41ab3c26bde222dea9461768711af47fa9c29064786fb38c1967ba277b4a1
- Filesize: 176KB
  MD5: d618435291031e2b7e9320979e38a66d
  SHA1: 0a020603f9f532f404699b3429514691c1d2e3a8
  SHA256: 23562138f7bf1524b009520abadd3a2450c73955891ac92c67fd66dc59de66de
  SHA512: 0075abdbe7c75c32677aaff1a67adbe0db611e75879171cd5f6e2bdebbbdf8e9d1ab20bb192fae8f7f3aa98526d02f79f29b9ab96f5dca3d144a51cb2ac7dbd9
- Filesize: 572KB
  MD5: f2ae502d448cfb81a5f40a9368d99b1a
  SHA1: f849be86e9e7ced0acd51a68f92992b8090d08a5
  SHA256: 07ad4b984f288304003b080dd013784685181de4353a0b70a0247f96e535bd56
  SHA512: 9f3aea471684e22bf9fc045ca0e47a8429fa0b13c188f9c7a51937efa8afcec976761b0c4c95aed7735096fcc2278bbd86b0ab581261a6aff6c694d7bb65e9be
- Filesize: 90KB
  MD5: b279a37b23d236e4cea9f950e36404d3
  SHA1: 26c3b45ba41870af8c69308a5af59e319060fefe
  SHA256: 3a883d751c5eb2fa4c3121313fe1db49043cea44af200a6e4295de13794f8878
  SHA512: 92ecc11fa19894369c6aca7d86ac4eca51b89829871b7358a6a5fef2a22de49ef7fcc6a404b278d19fcacf37e6a577764a05b3eab75fee9bdad18b1478b08ed4
- Filesize: 45KB
  MD5: c36bb659f08f046b139c8d1b980bf1ac
  SHA1: dd3247b225a8da3161f76055f31cbc5f64a66086
  SHA256: 405f03534be8b45185695f68deb47d4daf04dcd6df9d351ca6831d3721b1efc4
  SHA512: 3eeae6a3b424fa1709b4443f625ee99fa2d2861661214b868d36bf5a63c0aaac61ad3bdd9c4b18cb9d820ef89653787df812289d31d65415c4dd08fd45d0c73f
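The dropped-file hashes above, together with the staging paths from the process tree and YARA hits (a numeric directory under C:\Users\Public\Videos\ and C:\ProgramData\svchost.txt), are the indicators a responder sweeps other hosts for. The following is an added example, not code from the sandbox or the report: it walks a directory tree, SHA-256-hashes each file against the report's values, and separately flags the staging paths. The 10-digit directory-name pattern is an assumption generalising the single name 1642407077 seen in this run, and the demo tree it sweeps is constructed, with a stand-in payload whose hash is added to the known set because the real dropped files are not reproduced here.

```python
r"""Host sweep for the dropped-file indicators in the Downloads section.

Added example, not part of the sandbox report. Walks a directory tree, hashes every file
with SHA-256 against the report's values, and flags the staging paths seen in this run:
a 10-digit directory under Users\Public\Videos\ (assumption generalising 1642407077)
and ProgramData\svchost.txt.
"""
import hashlib
import os
import re
import tempfile

# SHA-256 values taken from the report: the submitted sample plus the unique dropped files.
REPORT_SHA256 = {
    "d9c73323bc1f6fb31137e8e0ecec6bbcad6d91e10bccf06948e0d3446e05c23a",  # WhatsAppSetupr.exe
    "82490fa7297344ca9c37f901cbc5c43c5db51bba4b4a390589db0973d70475e4",  # 8.2MB download
    "4aedfa5435009376cefe26b5c4d6f27664937a60acdbc2370495133ffea0ae37",  # 2.4MB download
    "23562138f7bf1524b009520abadd3a2450c73955891ac92c67fd66dc59de66de",  # 176KB download
    "07ad4b984f288304003b080dd013784685181de4353a0b70a0247f96e535bd56",  # 572KB download
    "3a883d751c5eb2fa4c3121313fe1db49043cea44af200a6e4295de13794f8878",  # 90KB download
    "405f03534be8b45185695f68deb47d4daf04dcd6df9d351ca6831d3721b1efc4",  # 45KB download
}

# Matched against the path relative to the volume root, with "/" separators, case-insensitively.
PATH_PATTERNS = [
    re.compile(r"(?i)^Users/Public/Videos/\d{10}/"),   # assumption: epoch-style directory name
    re.compile(r"(?i)^ProgramData/svchost\.txt$"),
]


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large artifacts (8.2MB here) are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known_hashes=REPORT_SHA256, patterns=PATH_PATTERNS):
    """Return one dict per flagged file: relative path, its hash, and why it was flagged."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            if any(p.search(rel) for p in patterns):
                reasons.append("staging-path")
            try:
                digest = sha256_file(full)
            except OSError:
                digest = None  # unreadable (locked, permissions): keep any path hit, skip the hash
            if digest in known_hashes:
                reasons.append("known-hash")
            if reasons:
                hits.append({"path": rel, "sha256": digest, "reasons": reasons})
    return sorted(hits, key=lambda h: h["path"])


def run_demo():
    """Build a constructed tree mirroring this run's layout and sweep it."""
    root = tempfile.mkdtemp(prefix="purplefox-sweep-")
    staging = os.path.join(root, "Users", "Public", "Videos", "1642407077")
    os.makedirs(staging)
    os.makedirs(os.path.join(root, "ProgramData"))
    os.makedirs(os.path.join(root, "Windows"))
    payload = b"constructed stand-in for the dropped payload, not the real file"
    with open(os.path.join(staging, "ojbkcg.exe"), "wb") as f:
        f.write(payload)
    with open(os.path.join(root, "ProgramData", "svchost.txt"), "wb") as f:
        f.write(b"constructed svchost.txt stand-in")
    with open(os.path.join(root, "Windows", "notepad.exe"), "wb") as f:
        f.write(b"benign constructed file")
    # The stand-in's hash is added to the known set only so the hash path of the sweep is exercised.
    known = REPORT_SHA256 | {hashlib.sha256(payload).hexdigest()}
    return sweep(root, known)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit["path"], hit["reasons"])
```

On a live host, point `sweep` at the volume root (for example `C:\`) and pass `REPORT_SHA256` unchanged; a path-only hit on a fresh 10-digit directory under Public\Videos is worth pulling even when the binaries inside no longer match these hashes, since the dropped file names and hashes are the part of this chain most likely to change between builds.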