Analysis
- max time kernel: 123s
- max time network: 129s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 03-02-2021 20:39
Static task
- static1

Behavioral task
- behavioral1
- Sample: diagnostic.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task
- behavioral2
- Sample: diagnostic.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: diagnostic.exe
- Size: 2.0MB
- MD5: 56116fa25cf66f595374b8ce3a1b4e2c
- SHA1: c50b220f1193a75198f7dadaafa2d0f045f9449a
- SHA256: 3361515c7847b7f3aa44b45da30581ad9e5af35fdc2489ff95d312a3f4a5e4a7
- SHA512: 7e87dbc5d91ac0f23156269931fa0639a292a764c43e7379df0aeee9b43c0a96395b77f33f96fe5c1e6c6dfd6299fb7c6ab46416c0eb55655f704d5605a36568
- Score: 10/10
Malware Config
Signatures
- ParallaxRat payload (1 IoC)
  Detects the payload of Parallax RAT, a small portable RAT usually digitally signed with a Sectigo certificate.
  resource: behavioral1/memory/1580-10-0x0000000000400000-0x0000000000424000-memory.dmp
  yara_rule: parallax_rat
- Blocklisted process makes network request (1 IoC)
  flow 4, pid 1580, Process cmd.exe
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VidCoder.exe
  Process: DllHost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the signature's generic description; the report attaches no IoC row to it.)
- Suspicious behavior: EnumeratesProcesses (21 IoCs)
  pid 1076, Process diagnostic.exe (the same row is listed 21 times)
- Suspicious use of WriteProcessMemory (19 IoCs)
  description: PID 1076 wrote to memory of 1580
  pid 1076, Process diagnostic.exe, procid_target 30 (the same row is listed 19 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\diagnostic.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\diagnostic.exe"
  PID: 1076
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\diagnostic.exe"
    PID: 1580
    - Blocklisted process makes network request
- C:\Windows\SysWOW64\DllHost.exe
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
  PID: 1520
  - Drops startup file
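Read together, the rows for PIDs 1076 and 1580 line up with process hollowing: cmd.exe (PID 1580) was spawned by diagnostic.exe carrying diagnostic.exe's command line instead of its own, its parent wrote into its memory 19 times, the parallax_rat YARA rule matched in its 0x00400000-0x00424000 region (0x400000 is the default image base of a 32-bit executable), and it is the process that then made the blocklisted network request. That is an inference from the report's rows, not a statement the sandbox makes. The script below is an added example, not part of this report or of any sandbox tooling; it re-parses the report's own rows (embedded as constructed input) and flags a process when two or more of those indicators coincide. The row formats it parses, the indicator set and the two-indicator threshold are assumptions chosen for this example.

```python
import re
from collections import Counter

# Constructed input: the report's own rows, retyped by hand. Tuples are
# (pid, parent pid or None, image path, command line) from the Processes tree.
PROCESSES = [
    (1076, None, r"C:\Users\Admin\AppData\Local\Temp\diagnostic.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\diagnostic.exe"'),
    (1580, 1076, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\diagnostic.exe"'),
    (1520, None, r"C:\Windows\SysWOW64\DllHost.exe",
     r"C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}"),
]
# The WriteProcessMemory signature lists one identical row 19 times.
WPM_EVENTS = ["PID 1076 wrote to memory of 1580 1076 diagnostic.exe 30"] * 19
# The YARA hit and the network-request row, as printed in the report.
YARA_HITS = ["behavioral1/memory/1580-10-0x0000000000400000-0x0000000000424000-memory.dmp parallax_rat"]
NETWORK_PIDS = {1580}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
YARA_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+(\S+)")


def exe_name(path_or_cmdline):
    """Lower-cased basename of the first token (quoted or bare) of a path or command line."""
    s = path_or_cmdline.strip()
    first = s[1:s.index('"', 1)] if s.startswith('"') else s.split(" ", 1)[0]
    return first.rsplit("\\", 1)[-1].lower()


def count_writes(events):
    """Map (writer pid, target pid) -> number of WriteProcessMemory rows."""
    counts = Counter()
    for line in events:
        m = WPM_RE.search(line)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def parse_yara(hits):
    """Map pid -> (region start, region end, rule name) from memory-dump YARA rows."""
    out = {}
    for hit in hits:
        m = YARA_RE.search(hit)
        if m:
            out[int(m.group(1))] = (int(m.group(2), 16), int(m.group(3), 16), m.group(4))
    return out


def hollowing_candidates(processes, events, yara_hits, network_pids, min_indicators=2):
    """Return [(pid, [reasons])] for processes showing >= min_indicators hollowing signs.

    Indicators (assumed scoring for this example, not the sandbox's): image path and
    command line name different executables, another process wrote into it, a YARA
    rule matched in its memory, and it generated blocklisted network traffic.
    """
    writes = count_writes(events)
    yara = parse_yara(yara_hits)
    findings = []
    for pid, _ppid, image, cmdline in processes:
        reasons = []
        if exe_name(image) != exe_name(cmdline):
            reasons.append(f"image is {exe_name(image)} but command line names {exe_name(cmdline)}")
        for (src, dst), n in writes.items():
            if dst == pid:
                reasons.append(f"PID {src} wrote to its memory {n} times")
        if pid in yara:
            lo, hi, rule = yara[pid]
            reasons.append(f"{rule} matched in 0x{lo:08x}-0x{hi:08x} ({hi - lo} bytes)")
        if pid in network_pids:
            reasons.append("made a blocklisted network request")
        if len(reasons) >= min_indicators:
            findings.append((pid, reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in hollowing_candidates(PROCESSES, WPM_EVENTS, YARA_HITS, NETWORK_PIDS):
        print(f"PID {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

Run against the embedded rows, only PID 1580 is reported, with all four indicators; diagnostic.exe itself and DllHost.exe show none, so the startup-folder drop by DllHost.exe (PID 1520) is a separate persistence finding that this check does not cover. The image-versus-command-line mismatch is the cheapest of the four to collect on a live host (it needs no memory scan), which is why it is worth alerting on even when the other signals are absent.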