parasite | 64bfbbdf08aebb66f89866457a931b330968c126c87e8b02f1324392e65a4606

General

Target

bb940b97_extracted.exe
Size

2.0MB
MD5

aa42d84248af944b0947399f4d72267a
SHA1

08815276a5efc5c49746fd9a10e6ed32069958d5
SHA256

64bfbbdf08aebb66f89866457a931b330968c126c87e8b02f1324392e65a4606
SHA512

864c958a0d4277c208dddcee66dc19604480043b213b457042015185e523b0e3219ff022a7df8ad935a16f6557dcb9ad8554092273f382181a6bac59fc90f0c9

Score

10^/10

parasite discovery persistence spyware stealer vmprotect

Malware Config

Signatures

Parasite, Nexus
Parasite (or Nexus) is an infostealer written in C++.
stealer parasite
Executes dropped EXE 2 IoCs

Processes:

file0.exeCompPkgSup.exe

pid process

3612 file0.exe
3464 CompPkgSup.exe

pid	process
3612	file0.exe
3464	CompPkgSup.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Documents\file0.exe	vmprotect
C:\Users\Admin\Documents\file0.exe	vmprotect
C:\ProgramData\ComponentUpdater\CompPkgSup.exe	vmprotect
C:\ProgramData\ComponentUpdater\CompPkgSup.exe	vmprotect

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\PackagesSupport = "C:\\ProgramData\\ComponentUpdater\\CompPkgSup.exe"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bb940b97_extracted.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	bb940b97_extracted.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	bb940b97_extracted.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2272 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3212 taskkill.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3744 reg.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 3212 taskkill.exe

pid	process
2272	schtasks.exe

pid	process
3212	taskkill.exe

pid	process
3744	reg.exe

description	pid	process
Token: SeDebugPrivilege	3212	taskkill.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

bb940b97_extracted.exefile0.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 880 wrote to memory of 3612	880	bb940b97_extracted.exe	file0.exe
PID 880 wrote to memory of 3612	880	bb940b97_extracted.exe	file0.exe
PID 880 wrote to memory of 3612	880	bb940b97_extracted.exe	file0.exe
PID 3612 wrote to memory of 3520	3612	file0.exe	cmd.exe
PID 3612 wrote to memory of 3520	3612	file0.exe	cmd.exe
PID 3612 wrote to memory of 3520	3612	file0.exe	cmd.exe
PID 3520 wrote to memory of 3212	3520	cmd.exe	taskkill.exe
PID 3520 wrote to memory of 3212	3520	cmd.exe	taskkill.exe
PID 3520 wrote to memory of 3212	3520	cmd.exe	taskkill.exe
PID 3612 wrote to memory of 744	3612	file0.exe	cmd.exe
PID 3612 wrote to memory of 744	3612	file0.exe	cmd.exe
PID 3612 wrote to memory of 744	3612	file0.exe	cmd.exe
PID 3612 wrote to memory of 3332	3612	file0.exe	cmd.exe
PID 3612 wrote to memory of 3332	3612	file0.exe	cmd.exe
PID 3612 wrote to memory of 3332	3612	file0.exe	cmd.exe
PID 3612 wrote to memory of 2272	3612	file0.exe	schtasks.exe
PID 3612 wrote to memory of 2272	3612	file0.exe	schtasks.exe
PID 3612 wrote to memory of 2272	3612	file0.exe	schtasks.exe
PID 3332 wrote to memory of 2292	3332	cmd.exe	attrib.exe
PID 3332 wrote to memory of 2292	3332	cmd.exe	attrib.exe
PID 3332 wrote to memory of 2292	3332	cmd.exe	attrib.exe
PID 744 wrote to memory of 640	744	cmd.exe	attrib.exe
PID 744 wrote to memory of 640	744	cmd.exe	attrib.exe
PID 744 wrote to memory of 640	744	cmd.exe	attrib.exe
PID 3612 wrote to memory of 580	3612	file0.exe	cmd.exe
PID 3612 wrote to memory of 580	3612	file0.exe	cmd.exe
PID 3612 wrote to memory of 580	3612	file0.exe	cmd.exe
PID 580 wrote to memory of 3744	580	cmd.exe	reg.exe
PID 580 wrote to memory of 3744	580	cmd.exe	reg.exe
PID 580 wrote to memory of 3744	580	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2292 attrib.exe
640 attrib.exe

pid	process
2292	attrib.exe
640	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bb940b97_extracted.exe
"C:\Users\Admin\AppData\Local\Temp\bb940b97_extracted.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\Documents\file0.exe
  "C:\Users\Admin\Documents\file0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM CompPkgSup.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM CompPkgSup.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ATTRIB +h +s C:\ProgramData\ComponentUpdater
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +h +s C:\ProgramData\ComponentUpdater
      4⤵
      Views/modifies file attributes
      PID:640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ATTRIB +h +s C:\ProgramData\ComponentUpdater\CompPkgSup.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +h +s C:\ProgramData\ComponentUpdater\CompPkgSup.exe
      4⤵
      Views/modifies file attributes
      PID:2292
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "PackagesSupport" /tr "C:\ProgramData\ComponentUpdater\CompPkgSup.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "PackagesSupport" /d "C:\ProgramData\ComponentUpdater\CompPkgSup.exe" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "PackagesSupport" /d "C:\ProgramData\ComponentUpdater\CompPkgSup.exe" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:3744

C:\ProgramData\ComponentUpdater\CompPkgSup.exe
C:\ProgramData\ComponentUpdater\CompPkgSup.exe
1⤵
- Executes dropped EXE
PID:3464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ComponentUpdater\CompPkgSup.exe

MD5
a792717dcc60ba433924dd418fa325cf

SHA1
52dc82d673745fe52be5643c1ed590bed31f5b05

SHA256
62dd4666b116f1b2e2e6caec45cd45d3cc32028064cf2f4695cf2c6a4b68a24e

SHA512
2e2617a91bb6abef336ed301f0fda27eb3e156162d2b07d210c79b82889a005a45ac76f96dc3aa36d82ea3bb66c08d06ba58e15ddea6f8ab59a6bc9cdbc301b3

Download Submit
C:\ProgramData\ComponentUpdater\CompPkgSup.exe

MD5
a792717dcc60ba433924dd418fa325cf

SHA1
52dc82d673745fe52be5643c1ed590bed31f5b05

SHA256
62dd4666b116f1b2e2e6caec45cd45d3cc32028064cf2f4695cf2c6a4b68a24e

SHA512
2e2617a91bb6abef336ed301f0fda27eb3e156162d2b07d210c79b82889a005a45ac76f96dc3aa36d82ea3bb66c08d06ba58e15ddea6f8ab59a6bc9cdbc301b3

Download Submit
C:\Users\Admin\Documents\file0.exe

MD5
a792717dcc60ba433924dd418fa325cf

SHA1
52dc82d673745fe52be5643c1ed590bed31f5b05

SHA256
62dd4666b116f1b2e2e6caec45cd45d3cc32028064cf2f4695cf2c6a4b68a24e

SHA512
2e2617a91bb6abef336ed301f0fda27eb3e156162d2b07d210c79b82889a005a45ac76f96dc3aa36d82ea3bb66c08d06ba58e15ddea6f8ab59a6bc9cdbc301b3

Download Submit
C:\Users\Admin\Documents\file0.exe

MD5
a792717dcc60ba433924dd418fa325cf

SHA1
52dc82d673745fe52be5643c1ed590bed31f5b05

SHA256
62dd4666b116f1b2e2e6caec45cd45d3cc32028064cf2f4695cf2c6a4b68a24e

SHA512
2e2617a91bb6abef336ed301f0fda27eb3e156162d2b07d210c79b82889a005a45ac76f96dc3aa36d82ea3bb66c08d06ba58e15ddea6f8ab59a6bc9cdbc301b3

Download Submit
memory/580-12-0x0000000000000000-mapping.dmp

Download
memory/640-11-0x0000000000000000-mapping.dmp

Download
memory/744-7-0x0000000000000000-mapping.dmp

Download
memory/2272-9-0x0000000000000000-mapping.dmp

Download
memory/2292-10-0x0000000000000000-mapping.dmp

Download
memory/3212-6-0x0000000000000000-mapping.dmp

Download
memory/3332-8-0x0000000000000000-mapping.dmp

Download
memory/3520-5-0x0000000000000000-mapping.dmp

Download
memory/3612-2-0x0000000000000000-mapping.dmp

Download
memory/3744-14-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads