purplefox | 47d178214e35dc1d7dca9886abd3fc3e715a934c5e8540e9f0879d5d1c8addee

Resubmissions

28-01-2022 12:16

220128-pfymdsccbk 10

19-01-2022 09:07

220119-k3bzpagfak 10

Analysis

max time kernel
61s
max time network
88s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
19-01-2022 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f373ebb32b2a836b78f932fd436ec49a.exe
Size

492KB
MD5

f373ebb32b2a836b78f932fd436ec49a
SHA1

fdf344a3d5684433e689b61de782d5bd29f185b9
SHA256

47d178214e35dc1d7dca9886abd3fc3e715a934c5e8540e9f0879d5d1c8addee
SHA512

b5fadc8d050d2bae9b1f657f33d8b23d6ac0eb39fb962a64059fe5e39c73a85e5f998a53622e06811616c55d037b115a853794841a2f16354b65af3ca1ffdb48

Score

10^/10

purplefox loader dropper rootkit suricata trojan

Malware Config

Signatures

Detect PurpleFox Dropper 2 IoCs

Detect PurpleFox Dropper.

dropper loader

Processes:

yara_rule
purplefox_dropper
C:\Users\Public\Videos\1642583230\svchost.txt	purplefox_dropper

Detect PurpleFox Rootkit 3 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

yara_rule
purplefox_rootkit
purplefox_rootkit
C:\Users\Public\Videos\1642583230\svchost.txt	purplefox_rootkit

PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
suricata: ET MALWARE OneLouder EXE download possibly installing Zeus P2P
suricata: ET MALWARE OneLouder EXE download possibly installing Zeus P2P
suricata
suricata: ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download
suricata: ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download
suricata
suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Request M1
suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Request M1
suricata
suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M1
suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M1
suricata
Executes dropped EXE 2 IoCs

Processes:

7zz.exeojbkcg.exe

pid process

2284 7zz.exe
2232 ojbkcg.exe

pid	process
2284	7zz.exe
2232	ojbkcg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f373ebb32b2a836b78f932fd436ec49a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	f373ebb32b2a836b78f932fd436ec49a.exe

Loads dropped DLL 1 IoCs

Processes:

ojbkcg.exe

pid process

2232 ojbkcg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f373ebb32b2a836b78f932fd436ec49a.exe

pid process

3196 f373ebb32b2a836b78f932fd436ec49a.exe
3196 f373ebb32b2a836b78f932fd436ec49a.exe

pid	process
2232	ojbkcg.exe

pid	process
3196	f373ebb32b2a836b78f932fd436ec49a.exe
3196	f373ebb32b2a836b78f932fd436ec49a.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

f373ebb32b2a836b78f932fd436ec49a.exe

description	pid	process	target process
PID 3196 wrote to memory of 2284	3196	f373ebb32b2a836b78f932fd436ec49a.exe	7zz.exe
PID 3196 wrote to memory of 2284	3196	f373ebb32b2a836b78f932fd436ec49a.exe	7zz.exe
PID 3196 wrote to memory of 2284	3196	f373ebb32b2a836b78f932fd436ec49a.exe	7zz.exe
PID 3196 wrote to memory of 2232	3196	f373ebb32b2a836b78f932fd436ec49a.exe	ojbkcg.exe
PID 3196 wrote to memory of 2232	3196	f373ebb32b2a836b78f932fd436ec49a.exe	ojbkcg.exe

C:\Users\Admin\AppData\Local\Temp\f373ebb32b2a836b78f932fd436ec49a.exe
"C:\Users\Admin\AppData\Local\Temp\f373ebb32b2a836b78f932fd436ec49a.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Users\Public\Videos\1642583230\7zz.exe
  "C:\Users\Public\Videos\1642583230\7zz.exe" X -ep2 C:\Users\Public\Videos\1642583230\1.rar C:\Users\Public\Videos\1642583230
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Users\Public\Videos\1642583230\ojbkcg.exe
  "C:\Users\Public\Videos\1642583230\ojbkcg.exe" -a
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.txt

Filesize
136KB

MD5
6701deefc1c350b807e5f5626f6ec53b

SHA1
ff15407103d5d183b7871c2f9203fdfdeb0c0be0

SHA256
6dd51079baa905f98be351f2095685bd5776d13148d69e3fdd64062dcff16a89

SHA512
17caa602ede4057c02904ed2bee1c4bc3c0b41e833c861fbd732b80c0722074d088d08d7ffd56f545b54d994be349eaabee3abb23b7e9d127c1b5562db4a0b39

Download Submit
C:\Users\Public\Videos\1642583230\1.rar

Filesize
2.6MB

MD5
ba08eccd1f00c25dfd65f666896893b7

SHA1
e5ed83a57d12ba1e4df10483ce41f743807b2b22

SHA256
f5806b666f9b416c0f649a53748d79a4e392988c09410689e032eeff71973620

SHA512
0b295c2089b966f83cc2f51a599af692f74539f7a1e071113dfd13afd31f9bdd2bc8d2366cfc75c79cd90bc5067638ce48f8f1ff1e47eb6494c528bfef03ffb0

Download Submit
C:\Users\Public\Videos\1642583230\360.tct

Filesize
254KB

MD5
ccdffd31fa73286c21a7bef5fd899f15

SHA1
0a1df0830c295ae914fb2094f5eb9a5e8d6746cf

SHA256
d70c4f4812884762d0c17060985d38bc24b2a777b7f3148d1bbabdacf4cb4c58

SHA512
a865a1eab6b9a7ad8fd2860843536276548cdad3834918772ab5ea4b378ef7c5a8f680671031c9bb6449136da61e683c3f910a241402a4302628b47b91b3e348

Download Submit
C:\Users\Public\Videos\1642583230\360.tct

Filesize
254KB

MD5
ccdffd31fa73286c21a7bef5fd899f15

SHA1
0a1df0830c295ae914fb2094f5eb9a5e8d6746cf

SHA256
d70c4f4812884762d0c17060985d38bc24b2a777b7f3148d1bbabdacf4cb4c58

SHA512
a865a1eab6b9a7ad8fd2860843536276548cdad3834918772ab5ea4b378ef7c5a8f680671031c9bb6449136da61e683c3f910a241402a4302628b47b91b3e348

Download Submit
C:\Users\Public\Videos\1642583230\7zz.exe

Filesize
572KB

MD5
f2ae502d448cfb81a5f40a9368d99b1a

SHA1
f849be86e9e7ced0acd51a68f92992b8090d08a5

SHA256
07ad4b984f288304003b080dd013784685181de4353a0b70a0247f96e535bd56

SHA512
9f3aea471684e22bf9fc045ca0e47a8429fa0b13c188f9c7a51937efa8afcec976761b0c4c95aed7735096fcc2278bbd86b0ab581261a6aff6c694d7bb65e9be

Download Submit
C:\Users\Public\Videos\1642583230\ojbkcg.exe

Filesize
329KB

MD5
979823a05959fb29275d8f2537886924

SHA1
36d58a7ca54ec317879cd2df0a1e6a640c987cc9

SHA256
bc7efcee6c968970fc88d1fecfd855c7a70f29144024004099111ed1de7c7282

SHA512
c2a54714d861283eda9693f8ca92f36cf6dd216168fdcf724771060337d807eff5383ac5f655ba65a03922ef929c6b0866a514e5228198e2fc5e7f47bac683b0

Download Submit
C:\Users\Public\Videos\1642583230\ojbkcg.exe

Filesize
329KB

MD5
979823a05959fb29275d8f2537886924

SHA1
36d58a7ca54ec317879cd2df0a1e6a640c987cc9

SHA256
bc7efcee6c968970fc88d1fecfd855c7a70f29144024004099111ed1de7c7282

SHA512
c2a54714d861283eda9693f8ca92f36cf6dd216168fdcf724771060337d807eff5383ac5f655ba65a03922ef929c6b0866a514e5228198e2fc5e7f47bac683b0

Download Submit
C:\Users\Public\Videos\1642583230\rundll3222.exe

Filesize
45KB

MD5
c36bb659f08f046b139c8d1b980bf1ac

SHA1
dd3247b225a8da3161f76055f31cbc5f64a66086

SHA256
405f03534be8b45185695f68deb47d4daf04dcd6df9d351ca6831d3721b1efc4

SHA512
3eeae6a3b424fa1709b4443f625ee99fa2d2861661214b868d36bf5a63c0aaac61ad3bdd9c4b18cb9d820ef89653787df812289d31d65415c4dd08fd45d0c73f

Download Submit
C:\Users\Public\Videos\1642583230\svchost.txt

Filesize
8.5MB

MD5
5ecefaea48c5a8498b036acd8ce411a5

SHA1
501b3ed0fb6c33f6a122d603292d7fe04e8ce04f

SHA256
88dd42dedc77e8ad117cc54d7b37083bbacaa6ecb84553bda31905b0a29e0e4d

SHA512
e41a6bb1c734330dac37b9e7552053efdb46d15bf60601613baf8b5ab4be352c4d2f2d1c4e8bc4fe1616b98adfcf7b26336300b3bb724a9016e04d5820b2dd00

Download Submit