Analysis

Max time kernel: 21s
Max time network: 147s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 27-11-2020 11:07

Static task: static1
Behavioral task: behavioral1
Sample: 75d5fd644a3d73d854cb3da238dfc0f3675cdee19acafd73d773b72ad66c625b.exe
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds
General

Target: 75d5fd644a3d73d854cb3da238dfc0f3675cdee19acafd73d773b72ad66c625b.exe
Size: 1016KB
MD5: 083591e8b186ebb55fe0f0cf222bdcdd
SHA1: 084375103de81a9fce81f3699f4e212f94c34bc1
SHA256: 75d5fd644a3d73d854cb3da238dfc0f3675cdee19acafd73d773b72ad66c625b
SHA512: baf93a304667493582b7a45c212638a3b50f74dcba80cfabe46b5a7fb7dee7ac3cdc2ea7304e7f1c6933edfafeb89fb15d42f50764002183188f2828e802eb3d
Malware Config

Signatures

- ParallaxRat payload (1 IoC)
  Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.
  resource: behavioral2/memory/1376-3-0x0000000000400000-0x0000000000424000-memory.dmp
  yara_rule: parallax_rat

- Blacklisted process makes network request (1 IoC)
  flow: 15, pid: 1376, process: rundll32.exe

- Drops startup file (2 IoCs)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mcm.exe (process: DllHost.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mcm.exe (process: DllHost.exe)

- Suspicious behavior: EnumeratesProcesses (42 IoCs)
  pid: 648, process: 75d5fd644a3d73d854cb3da238dfc0f3675cdee19acafd73d773b72ad66c625b.exe
  (all 42 entries are identical: the same pid and process)

- Suspicious use of WriteProcessMemory (15 IoCs)
  description: PID 648 wrote to memory of 1376
  pid: 648, process: 75d5fd644a3d73d854cb3da238dfc0f3675cdee19acafd73d773b72ad66c625b.exe, procid_target: 79
  (all 15 entries are identical: the same source pid, target pid and process)
Processes

- C:\Users\Admin\AppData\Local\Temp\75d5fd644a3d73d854cb3da238dfc0f3675cdee19acafd73d773b72ad66c625b.exe (PID 648)
  Command line: "C:\Users\Admin\AppData\Local\Temp\75d5fd644a3d73d854cb3da238dfc0f3675cdee19acafd73d773b72ad66c625b.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1376, child of PID 648)
    Command line: "C:\Users\Admin\AppData\Local\Temp\75d5fd644a3d73d854cb3da238dfc0f3675cdee19acafd73d773b72ad66c625b.exe"
    - Blacklisted process makes network request

- C:\Windows\SysWOW64\DllHost.exe (PID 3824)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
  - Drops startup file