Overview

overview

10

Static

static

Flight Det...df.vbs

windows7_x64

10

Flight Det...df.vbs

windows10_x64

10

Analysis

  • max time kernel
    18s
  • max time network
    80s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    07-12-2020 17:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Flight Details.pdf.vbs

  • Size

    384KB

  • MD5

    d3315b0da7cd3e27ce7244317b98b76d

  • SHA1

    c9d7c99326c9a999c65595101525eeefb6f765df

  • SHA256

    efc19d1c7657d51ceacf7a531929fb128c19fc9d1e77dce596a19b37a18b1048

  • SHA512

    10b895d0d087558cdd33142d7ec21f35e2b21910b981f5ca5587d60c4f5881546a043e98435c1a5fa793b1c8dbe2a19651ab25b85ed79e7aafb947e28e597fbb

Score
10/10
parallaxrat

Malware Config

Signatures

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

    ratparallax
  • ParallaxRat payload 1 IoCs

    Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Flight Details.pdf.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" [System.Threading.Thread]::GetDomain().Load((ItemProperty HKCU:\/\/\/Software\/\/\/EOsGPFJ).xofORXWG);[PHoQo]::ngwnnupfOozH('C:\Users\Admin\AppData\Local\Temp\Flight Details.pdf.vbs', 'lMbPwuG', 'Flight Details.pdf.vbs')
      2⤵
      • Drops startup file
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:324
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\SysWOW64\svchost.exe"
        3⤵
          PID:1188

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/324-8-0x0000000004850000-0x0000000004851000-memory.dmp

      Filesize

      4KB

      Download

    • memory/324-4-0x0000000073B20000-0x000000007420E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/324-5-0x0000000002290000-0x0000000002291000-memory.dmp

      Filesize

      4KB

      Download

    • memory/324-6-0x00000000048E0000-0x00000000048E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/324-7-0x0000000002610000-0x0000000002611000-memory.dmp

      Filesize

      4KB

      Download

    • memory/324-25-0x00000000065E0000-0x0000000006600000-memory.dmp

      Filesize

      128KB

      Download

    • memory/324-11-0x0000000005740000-0x0000000005741000-memory.dmp

      Filesize

      4KB

      Download

    • memory/324-24-0x00000000063C0000-0x00000000063C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/324-17-0x0000000006330000-0x0000000006331000-memory.dmp

      Filesize

      4KB

      Download

    • memory/324-16-0x00000000061A0000-0x00000000061A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1188-26-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1668-3-0x00000000026B0000-0x00000000026B4000-memory.dmp

      Filesize

      16KB

      Download