Analysis
-
max time kernel
19s -
max time network
148s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
27-11-2020 11:07
Static task
static1
Behavioral task
behavioral1
Sample
83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
General
-
Target
83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe
-
Size
618KB
-
MD5
fd271d9e9226304745461177b444fdbc
-
SHA1
b86892f176e96f68346578cd48ba284881a76471
-
SHA256
83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce
-
SHA512
f8224d2b54daff4b93e91256430bfc3356c8e7a76c918a953f6332125d0c84d85612991110a067bd373f1856dc8e10a30ab0ff3283c59951ecf16e00ddd09895
Malware Config
Signatures
-
ParallaxRat payload 1 IoCs
Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.
resource yara_rule behavioral2/memory/2504-3-0x0000000000400000-0x0000000000424000-memory.dmp parallax_rat -
Blacklisted process makes network request 1 IoCs
flow pid Process 15 2504 rundll32.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mcm.exe DllHost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mcm.exe DllHost.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 1628 wrote to memory of 2504 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 79 PID 1628 wrote to memory of 2504 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 79 PID 1628 wrote to memory of 2504 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 79 PID 1628 wrote to memory of 2504 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 79 PID 1628 wrote to memory of 2504 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 79 PID 1628 wrote to memory of 2504 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 79 PID 1628 wrote to memory of 2504 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 79 PID 1628 wrote to memory of 2504 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 79 PID 1628 wrote to memory of 2504 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 79 PID 1628 wrote to memory of 2504 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 79 PID 1628 wrote to memory of 2504 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 79 PID 1628 wrote to memory of 2504 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 79 PID 1628 wrote to memory of 2504 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 79 PID 1628 wrote to memory of 2504 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 79 PID 1628 wrote to memory of 2504 1628 83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe 79
Processes
-
C:\Users\Admin\AppData\Local\Temp\83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe"C:\Users\Admin\AppData\Local\Temp\83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\rundll32.exe"C:\Users\Admin\AppData\Local\Temp\83ce49568eda2b4a7f66888463e3bbc0f6dcc1123718fb5f1a9be8e13a3c11ce.exe"2⤵
- Blacklisted process makes network request
PID:2504
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}1⤵
- Drops startup file
PID:2288