Resubmissions

28-01-2022 12:16

220128-pfymdsccbk 10

19-01-2022 09:07

220119-k3bzpagfak 10

Analysis

  • max time kernel
    61s
  • max time network
    88s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    19-01-2022 09:07

General

  • Target

    f373ebb32b2a836b78f932fd436ec49a.exe

  • Size

    492KB

  • MD5

    f373ebb32b2a836b78f932fd436ec49a

  • SHA1

    fdf344a3d5684433e689b61de782d5bd29f185b9

  • SHA256

    47d178214e35dc1d7dca9886abd3fc3e715a934c5e8540e9f0879d5d1c8addee

  • SHA512

    b5fadc8d050d2bae9b1f657f33d8b23d6ac0eb39fb962a64059fe5e39c73a85e5f998a53622e06811616c55d037b115a853794841a2f16354b65af3ca1ffdb48

Malware Config

Signatures

  • Detect PurpleFox Dropper 2 IoCs

    Detect PurpleFox Dropper.

  • Detect PurpleFox Rootkit 3 IoCs

    Detect PurpleFox Rootkit.

  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

  • suricata: ET MALWARE OneLouder EXE download possibly installing Zeus P2P

    suricata: ET MALWARE OneLouder EXE download possibly installing Zeus P2P

  • suricata: ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download

    suricata: ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download

  • suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Request M1

    suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Request M1

  • suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M1

    suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M1

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f373ebb32b2a836b78f932fd436ec49a.exe
    "C:\Users\Admin\AppData\Local\Temp\f373ebb32b2a836b78f932fd436ec49a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\Users\Public\Videos\1642583230\7zz.exe
      "C:\Users\Public\Videos\1642583230\7zz.exe" X -ep2 C:\Users\Public\Videos\1642583230\1.rar C:\Users\Public\Videos\1642583230
      2⤵
      • Executes dropped EXE
      PID:2284
    • C:\Users\Public\Videos\1642583230\ojbkcg.exe
      "C:\Users\Public\Videos\1642583230\ojbkcg.exe" -a
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2232

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\svchost.txt

    Filesize

    136KB

    MD5

    6701deefc1c350b807e5f5626f6ec53b

    SHA1

    ff15407103d5d183b7871c2f9203fdfdeb0c0be0

    SHA256

    6dd51079baa905f98be351f2095685bd5776d13148d69e3fdd64062dcff16a89

    SHA512

    17caa602ede4057c02904ed2bee1c4bc3c0b41e833c861fbd732b80c0722074d088d08d7ffd56f545b54d994be349eaabee3abb23b7e9d127c1b5562db4a0b39

  • C:\Users\Public\Videos\1642583230\1.rar

    Filesize

    2.6MB

    MD5

    ba08eccd1f00c25dfd65f666896893b7

    SHA1

    e5ed83a57d12ba1e4df10483ce41f743807b2b22

    SHA256

    f5806b666f9b416c0f649a53748d79a4e392988c09410689e032eeff71973620

    SHA512

    0b295c2089b966f83cc2f51a599af692f74539f7a1e071113dfd13afd31f9bdd2bc8d2366cfc75c79cd90bc5067638ce48f8f1ff1e47eb6494c528bfef03ffb0

  • C:\Users\Public\Videos\1642583230\360.tct

    Filesize

    254KB

    MD5

    ccdffd31fa73286c21a7bef5fd899f15

    SHA1

    0a1df0830c295ae914fb2094f5eb9a5e8d6746cf

    SHA256

    d70c4f4812884762d0c17060985d38bc24b2a777b7f3148d1bbabdacf4cb4c58

    SHA512

    a865a1eab6b9a7ad8fd2860843536276548cdad3834918772ab5ea4b378ef7c5a8f680671031c9bb6449136da61e683c3f910a241402a4302628b47b91b3e348

  • C:\Users\Public\Videos\1642583230\7zz.exe

    Filesize

    572KB

    MD5

    f2ae502d448cfb81a5f40a9368d99b1a

    SHA1

    f849be86e9e7ced0acd51a68f92992b8090d08a5

    SHA256

    07ad4b984f288304003b080dd013784685181de4353a0b70a0247f96e535bd56

    SHA512

    9f3aea471684e22bf9fc045ca0e47a8429fa0b13c188f9c7a51937efa8afcec976761b0c4c95aed7735096fcc2278bbd86b0ab581261a6aff6c694d7bb65e9be

  • C:\Users\Public\Videos\1642583230\ojbkcg.exe

    Filesize

    329KB

    MD5

    979823a05959fb29275d8f2537886924

    SHA1

    36d58a7ca54ec317879cd2df0a1e6a640c987cc9

    SHA256

    bc7efcee6c968970fc88d1fecfd855c7a70f29144024004099111ed1de7c7282

    SHA512

    c2a54714d861283eda9693f8ca92f36cf6dd216168fdcf724771060337d807eff5383ac5f655ba65a03922ef929c6b0866a514e5228198e2fc5e7f47bac683b0

  • C:\Users\Public\Videos\1642583230\rundll3222.exe

    Filesize

    45KB

    MD5

    c36bb659f08f046b139c8d1b980bf1ac

    SHA1

    dd3247b225a8da3161f76055f31cbc5f64a66086

    SHA256

    405f03534be8b45185695f68deb47d4daf04dcd6df9d351ca6831d3721b1efc4

    SHA512

    3eeae6a3b424fa1709b4443f625ee99fa2d2861661214b868d36bf5a63c0aaac61ad3bdd9c4b18cb9d820ef89653787df812289d31d65415c4dd08fd45d0c73f

  • C:\Users\Public\Videos\1642583230\svchost.txt

    Filesize

    8.5MB

    MD5

    5ecefaea48c5a8498b036acd8ce411a5

    SHA1

    501b3ed0fb6c33f6a122d603292d7fe04e8ce04f

    SHA256

    88dd42dedc77e8ad117cc54d7b37083bbacaa6ecb84553bda31905b0a29e0e4d

    SHA512

    e41a6bb1c734330dac37b9e7552053efdb46d15bf60601613baf8b5ab4be352c4d2f2d1c4e8bc4fe1616b98adfcf7b26336300b3bb724a9016e04d5820b2dd00