purplefox | 11468a727bd8298fc93e1651400e437def16158c93e0c6cdc239df72fc16df03 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

11468a727b...JC.lnk

windows7-x64

11468a727b...JC.lnk

windows10-2004-x64

Sharing

General

Target

11468a727bd8298fc93e1651400e437def16158c93e0c6cdc239df72fc16df03_JC.lnk
Size

1KB
Sample

231003-q93zmsbb91
MD5

1370c8b810befea6651d6e60dee0b591
SHA1

7bbd08152f5eb10c199904e646ddd672e138e456
SHA256

11468a727bd8298fc93e1651400e437def16158c93e0c6cdc239df72fc16df03
SHA512

d6316cfb95c1205982ac4b0c20986a207132a89f4ab5bfd8eb20ba1e2b8eaf57e45d63dbb3d97100b390786fc911aa197ad9f7fb2f9eef779eb5e62297be606b

Score

10^/10

purplefox discovery evasion rootkit trojan

Static task

static1

Behavioral task

behavioral1

Sample

11468a727bd8298fc93e1651400e437def16158c93e0c6cdc239df72fc16df03_JC.lnk

Resource

win7-20230831-en

purplefox discovery evasion rootkit trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

11468a727bd8298fc93e1651400e437def16158c93e0c6cdc239df72fc16df03_JC.lnk

Resource

win10v2004-20230915-en

purplefox discovery evasion rootkit trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  11468a727bd8298fc93e1651400e437def16158c93e0c6cdc239df72fc16df03_JC.lnk
- Size
  
  1KB
- MD5
  
  1370c8b810befea6651d6e60dee0b591
- SHA1
  
  7bbd08152f5eb10c199904e646ddd672e138e456
- SHA256
  
  11468a727bd8298fc93e1651400e437def16158c93e0c6cdc239df72fc16df03
- SHA512
  
  d6316cfb95c1205982ac4b0c20986a207132a89f4ab5bfd8eb20ba1e2b8eaf57e45d63dbb3d97100b390786fc911aa197ad9f7fb2f9eef779eb5e62297be606b
Score

10^/10

purplefox discovery evasion rootkit trojan
- Detect PurpleFox MSI
  Detect PurpleFox MSI.
  rootkit
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Blocklisted process makes network request
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Use of msiexec (install) with remote resource
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

File and Directory Permissions Modification

Impair Defenses

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

purplefoxdiscoveryevasionrootkittrojan

behavioral2

purplefoxdiscoveryevasionrootkittrojan

© 2018-2025

Terms | Privacy