purplefox | 38f581881093c044667d565a698aa389f14585a58d5c8b692dc2be851293f1c2 | Triage

Resubmissions

21/09/2023, 07:25

230921-h86p5sgc32 10

20/09/2023, 23:55

230920-3yrhpabc6y 10

Sharing

General

Target

ID-191304203986.docm
Size

44KB
Sample

230920-3yrhpabc6y
MD5

8c498f9e6dd65c5a9704208922224661
SHA1

1dc2f872c2e23e1eb0c6090909c5807553ad1e75
SHA256

38f581881093c044667d565a698aa389f14585a58d5c8b692dc2be851293f1c2
SHA512

b6a5eceef6739421ed2f0f6a479df496ecb1894b7694651b24a50689d663b1d7f1b1bf58c2edacf6a2fa59908a58f25cd00e389765871cb1856acb3431bcca50
SSDEEP

768:T6D/hwDg0kIo+rQGtBMIYta9l87miNPZjinjUeipoRkqk:T6D/u801rQIBMNg86AB+njUpoqqk

Score

10^/10

purplefox discovery evasion rootkit trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/zKJFnbnzeum8/37d4fddb6bf2de6611c6655a5cd37972fc33642d/ace.jpg

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/T2qomNwfFUeS/62f331959dde379b2536caed26a74ae8460c0c30/all.png

Extracted

Language

ps1

Source

URLs

exe.dropper

http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/5hwtrLyyHFiv/7b0985c861986ec9e2087ade8273e544009d68e1/SsdxxIp8DqeQ.jpg

Targets

- Target
  
  ID-191304203986.docm
- Size
  
  44KB
- MD5
  
  8c498f9e6dd65c5a9704208922224661
- SHA1
  
  1dc2f872c2e23e1eb0c6090909c5807553ad1e75
- SHA256
  
  38f581881093c044667d565a698aa389f14585a58d5c8b692dc2be851293f1c2
- SHA512
  
  b6a5eceef6739421ed2f0f6a479df496ecb1894b7694651b24a50689d663b1d7f1b1bf58c2edacf6a2fa59908a58f25cd00e389765871cb1856acb3431bcca50
- SSDEEP
  
  768:T6D/hwDg0kIo+rQGtBMIYta9l87miNPZjinjUeipoRkqk:T6D/u801rQIBMNg86AB+njUpoqqk
Score

10^/10

purplefox discovery evasion rootkit trojan
- Detect PurpleFox MSI
  Detect PurpleFox MSI.
  rootkit
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Blocklisted process makes network request
- Stops running service(s)
  evasion
- Loads dropped DLL
- Modifies file permissions
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

File and Directory Permissions Modification

Impair Defenses

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

purplefoxdiscoveryevasionrootkittrojan

behavioral2

purplefoxdiscoveryevasionrootkittrojan