Analysis
max time kernel: 61s
max time network: 88s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 19-01-2022 09:07
Static task: static1
Behavioral task: behavioral1
Sample: f373ebb32b2a836b78f932fd436ec49a.exe
Resource: win7-en-20211208
General
Target: f373ebb32b2a836b78f932fd436ec49a.exe
Size: 492KB
MD5: f373ebb32b2a836b78f932fd436ec49a
SHA1: fdf344a3d5684433e689b61de782d5bd29f185b9
SHA256: 47d178214e35dc1d7dca9886abd3fc3e715a934c5e8540e9f0879d5d1c8addee
SHA512: b5fadc8d050d2bae9b1f657f33d8b23d6ac0eb39fb962a64059fe5e39c73a85e5f998a53622e06811616c55d037b115a853794841a2f16354b65af3ca1ffdb48
Malware Config
Signatures
-
Processes:
yara_rule purplefox_dropper
C:\Users\Public\Videos\1642583230\svchost.txt purplefox_dropper
Processes:
yara_rule purplefox_rootkit
C:\Users\Public\Videos\1642583230\svchost.txt purplefox_rootkit
suricata: ET MALWARE OneLouder EXE download possibly installing Zeus P2P
-
suricata: ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download
-
suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Request M1
-
suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M1
-
Executes dropped EXE 2 IoCs
Processes:
pid process
2284 7zz.exe
2232 ojbkcg.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description ioc process
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation f373ebb32b2a836b78f932fd436ec49a.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid process
2232 ojbkcg.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid process
3196 f373ebb32b2a836b78f932fd436ec49a.exe
3196 f373ebb32b2a836b78f932fd436ec49a.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
description pid process target process
PID 3196 wrote to memory of 2284 3196 f373ebb32b2a836b78f932fd436ec49a.exe 7zz.exe
PID 3196 wrote to memory of 2284 3196 f373ebb32b2a836b78f932fd436ec49a.exe 7zz.exe
PID 3196 wrote to memory of 2284 3196 f373ebb32b2a836b78f932fd436ec49a.exe 7zz.exe
PID 3196 wrote to memory of 2232 3196 f373ebb32b2a836b78f932fd436ec49a.exe ojbkcg.exe
PID 3196 wrote to memory of 2232 3196 f373ebb32b2a836b78f932fd436ec49a.exe ojbkcg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f373ebb32b2a836b78f932fd436ec49a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f373ebb32b2a836b78f932fd436ec49a.exe"
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Users\Public\Videos\1642583230\7zz.exe
Command line: "C:\Users\Public\Videos\1642583230\7zz.exe" X -ep2 C:\Users\Public\Videos\1642583230\1.rar C:\Users\Public\Videos\1642583230
- Executes dropped EXE
PID:2284
-
C:\Users\Public\Videos\1642583230\ojbkcg.exe
Command line: "C:\Users\Public\Videos\1642583230\ojbkcg.exe" -a
- Executes dropped EXE
- Loads dropped DLL
PID:2232
-
Network
MITRE ATT&CK Enterprise v6
Downloads