Overview

overview

10

Static

static

Flight Det...df.vbs

windows7_x64

10

Flight Det...df.vbs

windows10_x64

10

Analysis

  • max time kernel
    62s
  • max time network
    105s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    07-12-2020 17:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Flight Details.pdf.vbs

  • Size

    384KB

  • MD5

    d3315b0da7cd3e27ce7244317b98b76d

  • SHA1

    c9d7c99326c9a999c65595101525eeefb6f765df

  • SHA256

    efc19d1c7657d51ceacf7a531929fb128c19fc9d1e77dce596a19b37a18b1048

  • SHA512

    10b895d0d087558cdd33142d7ec21f35e2b21910b981f5ca5587d60c4f5881546a043e98435c1a5fa793b1c8dbe2a19651ab25b85ed79e7aafb947e28e597fbb

Score
10/10
parallaxrat

Malware Config

Signatures

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

    ratparallax
  • ParallaxRat payload 1 IoCs

    Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Flight Details.pdf.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" [System.Threading.Thread]::GetDomain().Load((ItemProperty HKCU:\/\/\/Software\/\/\/EOsGPFJ).xofORXWG);[PHoQo]::ngwnnupfOozH('C:\Users\Admin\AppData\Local\Temp\Flight Details.pdf.vbs', 'lMbPwuG', 'Flight Details.pdf.vbs')
      2⤵
      • Drops startup file
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1000
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\SysWOW64\svchost.exe"
        3⤵
          PID:3856

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1000-3-0x0000000073B10000-0x00000000741FE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1000-4-0x0000000004750000-0x0000000004751000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1000-5-0x0000000007160000-0x0000000007161000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1000-6-0x00000000070A0000-0x00000000070A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1000-7-0x0000000007840000-0x0000000007841000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1000-8-0x0000000007920000-0x0000000007921000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1000-9-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1000-10-0x0000000007AB0000-0x0000000007AB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1000-11-0x00000000082B0000-0x00000000082B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1000-12-0x0000000008210000-0x0000000008211000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1000-13-0x0000000009000000-0x0000000009001000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1000-14-0x0000000008F30000-0x0000000008F31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1000-15-0x0000000008F90000-0x0000000008F91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1000-16-0x0000000009840000-0x0000000009841000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1000-17-0x00000000090C0000-0x00000000090E0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3856-18-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download