Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://www21.zippys...

windows7-x64

10

https://www21.zippys...

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://www21.zippyshare.com/v/zbgp1EKn/file.html

  • Sample

    230222-1j3w3adf95

Score
10/10
metasploitpurplefoxbackdoordiscoveryevasionrootkittrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://k0kz.ru/i.php?i=1
exe.dropper

http://k0kz.ru/i.php?i=1

Extracted

Language
ps1
Source
URLs
exe.dropper

http://k0kz.ru/i.php?i=12

Extracted

Family

metasploit

Version

windows/single_exec

Targets

    • Target

      https://www21.zippyshare.com/v/zbgp1EKn/file.html

    Score
    10/10
    metasploitpurplefoxbackdoordiscoveryevasionrootkittrojan

    • Detect PurpleFox MSI

      Detect PurpleFox MSI.

      rootkit

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

      rootkittrojanpurplefox

    • Blocklisted process makes network request

    • Stops running service(s)

      evasion

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1
T1562

File Permissions Modification

1
T1222

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Tasks