Overview

overview

10

Static

static

1

11468a727b...JC.lnk

windows7-x64

10

11468a727b...JC.lnk

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    11468a727bd8298fc93e1651400e437def16158c93e0c6cdc239df72fc16df03_JC.lnk

  • Size

    1KB

  • Sample

    231003-q93zmsbb91

  • MD5

    1370c8b810befea6651d6e60dee0b591

  • SHA1

    7bbd08152f5eb10c199904e646ddd672e138e456

  • SHA256

    11468a727bd8298fc93e1651400e437def16158c93e0c6cdc239df72fc16df03

  • SHA512

    d6316cfb95c1205982ac4b0c20986a207132a89f4ab5bfd8eb20ba1e2b8eaf57e45d63dbb3d97100b390786fc911aa197ad9f7fb2f9eef779eb5e62297be606b

Score
10/10
purplefoxdiscoveryevasionrootkittrojan

Malware Config

Targets

    • Target

      11468a727bd8298fc93e1651400e437def16158c93e0c6cdc239df72fc16df03_JC.lnk

    • Size

      1KB

    • MD5

      1370c8b810befea6651d6e60dee0b591

    • SHA1

      7bbd08152f5eb10c199904e646ddd672e138e456

    • SHA256

      11468a727bd8298fc93e1651400e437def16158c93e0c6cdc239df72fc16df03

    • SHA512

      d6316cfb95c1205982ac4b0c20986a207132a89f4ab5bfd8eb20ba1e2b8eaf57e45d63dbb3d97100b390786fc911aa197ad9f7fb2f9eef779eb5e62297be606b

    Score
    10/10
    purplefoxdiscoveryevasionrootkittrojan

    • Detect PurpleFox MSI

      Detect PurpleFox MSI.

      rootkit

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

      rootkittrojanpurplefox

    • Blocklisted process makes network request

    • Stops running service(s)

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Use of msiexec (install) with remote resource

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks