Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    05-12-2020 03:31

General

  • Target

    sample.exe

  • Size

    1.2MB

  • MD5

    33002b60b9e6fd6307e2eeaf2bcf78b6

  • SHA1

    1e641d295cbe6c6d27f03eda190e1470a83e5d98

  • SHA256

    829fce14ac8b9ad293076c16a1750502c6b303123c9bd0fb17c1772330577d65

  • SHA512

    00090799c2317aec2f16553a49ca1dcc8add6bc550f0fc4a05826aa32366b845655ed9294cbbf3dd2b0e83c6fef9bcd25e90662de36e11218fb711fe9e203c80

Score
10/10

Malware Config

Signatures

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

  • ParallaxRat payload 1 IoCs

    Detects the payload of Parallax RAT, a small portable RAT that is usually digitally signed with a Sectigo certificate.

  • Blocklisted process makes network request 70 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 88 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\system32\mstsc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1524
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Blocklisted process makes network request
        • Drops file in Windows directory
        PID:1020
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
    1⤵
    PID:1036
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer" /t REG_DWORD /d 0"
      2⤵
      PID:1648
      • C:\Windows\system32\reg.exe
        reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer" /t REG_DWORD /d 0
        3⤵
        PID:1784
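The second tree is the part of this report worth a detection rule rather than a signature hit: a 32-bit DllHost.exe surrogate for CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7} spawns a 64-bit cmd.exe through the sysnative alias (usable only from a WOW64 process), which runs reg.exe to write a Windows Defender exclusion under the Group Policy key. Defender stores an exclusion as a value whose name is the excluded path and whose data is REG_DWORD 0, which is exactly the shape of the command line above. That CLSID is the CMSTPLUA COM server, whose elevated ICMLuaUtil interface is a widely documented UAC-bypass vector, so a shell child of that surrogate is itself suspicious. The following Python is an added example, not part of the sandbox report, that runs both checks over constructed process-creation events modelled on the tree above (Sysmon Event ID 1 style fields; the ppids of the two tree roots and the benign control event are assumptions):

```python
"""Added example: two detection rules for the behaviour in the process tree
above, run over constructed process-creation events (Sysmon Event ID 1 /
Security 4688 style fields: pid, ppid, image, cmdline)."""
import re
from typing import Optional

# CLSID taken from the DllHost command line in the report. It is the CMSTPLUA
# COM server, whose elevated ICMLuaUtil interface is a documented UAC-bypass
# vector; a DllHost surrogate for it should not normally spawn a shell.
WATCHLIST_CLSIDS = {"{3e5fc7f9-9a51-4367-9063-a120244fbec7}"}

# Defender stores an exclusion as a value whose *name* is the excluded path,
# extension or process and whose data is REG_DWORD 0, under the live key or
# (as in this sample) the Group Policy key that policy processing applies.
EXCLUSION_KEY = re.compile(
    r"HK(?:LM|EY_LOCAL_MACHINE)\\SOFTWARE\\(?:Policies\\)?Microsoft\\Windows Defender"
    r"\\Exclusions\\(?P<kind>Paths|Extensions|Processes)",
    re.IGNORECASE,
)
REG_ADD = re.compile(r'\breg(?:\.exe)?"?\s+add\b', re.IGNORECASE)
VALUE_NAME = re.compile(r'/v\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
PROCESSID = re.compile(r"/processid:(\{[0-9a-f-]{36}\})", re.IGNORECASE)


def defender_exclusion_added(cmdline: str) -> Optional[tuple]:
    """Return (kind, excluded value) if cmdline adds a Defender exclusion, else None."""
    if not REG_ADD.search(cmdline):
        return None
    key = EXCLUSION_KEY.search(cmdline)
    if not key:
        return None
    val = VALUE_NAME.search(cmdline)
    value = (val.group(1) or val.group(2)) if val else None
    return (key.group("kind"), value)


def spawned_by_watchlisted_com_host(event: dict, by_pid: dict) -> Optional[str]:
    """Return the CLSID if the event's parent is a DllHost surrogate for a watchlisted CLSID."""
    parent = by_pid.get(event["ppid"])
    if parent is None or not parent["image"].lower().endswith("\\dllhost.exe"):
        return None
    m = PROCESSID.search(parent["cmdline"])
    if m and m.group(1).lower() in WATCHLIST_CLSIDS:
        return m.group(1)
    return None


def triage(events: list) -> list:
    """Run both rules over a batch of process-creation events and return findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        hit = defender_exclusion_added(e["cmdline"])
        if hit:
            findings.append({"pid": e["pid"], "rule": "defender_exclusion",
                             "kind": hit[0], "value": hit[1]})
        clsid = spawned_by_watchlisted_com_host(e, by_pid)
        if clsid:
            findings.append({"pid": e["pid"], "rule": "com_surrogate_child", "clsid": clsid})
    return findings


# Constructed sample events reproducing the report's process tree. PIDs, images
# and command lines come from the page; the ppids of the two roots are assumed.
SAMPLE_EVENTS = [
    {"pid": 1640, "ppid": 1200, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"pid": 1524, "ppid": 1640, "image": r"C:\Windows\SysWOW64\mstsc.exe",
     "cmdline": r'"C:\Windows\system32\mstsc.exe"'},
    {"pid": 1020, "ppid": 1524, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 1036, "ppid": 584, "image": r"C:\Windows\SysWOW64\DllHost.exe",
     "cmdline": r"C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"pid": 1648, "ppid": 1036, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\sysnative\cmd.exe" /c "reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer" /t REG_DWORD /d 0"'},
    {"pid": 1784, "ppid": 1648, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer" /t REG_DWORD /d 0'},
    # Constructed benign control: an unrelated reg.exe add must not fire.
    {"pid": 2000, "ppid": 1200, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'reg.exe add "HKCU\Software\ExampleVendor\App" /v Installed /t REG_DWORD /d 1'},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The exclusion rule deliberately matches the cmd.exe wrapper as well as the reg.exe child, so it still fires if the child process event is lost; the COM-surrogate rule keys on the parent's /Processid argument rather than on DllHost.exe itself, because DllHost hosting a CLSID is routine and only its child processes are interesting.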

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1524-4-0x000000000A240000-0x000000000A276000-memory.dmp

    Filesize

    216KB

  • memory/1524-5-0x000000000A610000-0x000000000A63B000-memory.dmp

    Filesize

    172KB

  • memory/1744-3-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp

    Filesize

    2.5MB