Analysis
max time kernel: 136s
max time network: 147s
platform: windows7_x64
resource: win7v20201028
submitted: 01-04-2021 06:48
Static task: static1
Behavioral task: behavioral1
  Sample: 27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
  Resource: win10v20201028
General
Target: 27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
Size: 26.4MB
MD5: e59dc7d6a3529d9f0a380189343dee4c
SHA1: 205d1c4cc30bfbc37de4d168e3bc1b489ca87629
SHA256: 27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218
SHA512: 46624f9fbc2ade07b0ce1b2ec6f5085e5e945d3240745d37b69e8461ed19da85f7efa6ac63aec3f42bc4e1f9a8474b7765fa7a1447a7da0ff71aa299741b2bb3
Malware Config
Signatures
ParallaxRat payload (1 IoC)
Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.
resource: behavioral1/memory/1264-7-0x0000000000400000-0x0000000000424000-memory.dmp
yara_rule: parallax_rat
Blocklisted process makes network request (7 IoCs)
flow  pid   Process
5     1264  rundll32.exe
5     1264  rundll32.exe
5     1264  rundll32.exe
5     1264  rundll32.exe
5     1264  rundll32.exe
5     1264  rundll32.exe
5     1264  rundll32.exe
Suspicious behavior: EnumeratesProcesses (26 IoCs)
pid  Process
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
Suspicious use of WriteProcessMemory (19 IoCs)
description                      pid  Process                                                                 procid_target
PID 776 wrote to memory of 1264  776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe  29
PID 776 wrote to memory of 1264  776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe  29
PID 776 wrote to memory of 1264  776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe  29
PID 776 wrote to memory of 1264  776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe  29
PID 776 wrote to memory of 1264  776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe  29
PID 776 wrote to memory of 1264  776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe  29
PID 776 wrote to memory of 1264  776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe  29
PID 776 wrote to memory of 1264  776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe  29
PID 776 wrote to memory of 1264  776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe  29
PID 776 wrote to memory of 1264  776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe  29
PID 776 wrote to memory of 1264  776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe  29
PID 776 wrote to memory of 1264  776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe  29
PID 776 wrote to memory of 1264  776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe  29
PID 776 wrote to memory of 1264  776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe  29
PID 776 wrote to memory of 1264  776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe  29
PID 776 wrote to memory of 1264  776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe  29
PID 776 wrote to memory of 1264  776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe  29
PID 776 wrote to memory of 1264  776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe  29
PID 776 wrote to memory of 1264  776  27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe  29
Processes
C:\Users\Admin\AppData\Local\Temp\27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 776
  C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\27fa5f7ee78f7288fa292412f77940a2a2baac93caad5214099f52bc6bcb3218.exe"
    - Blocklisted process makes network request
    PID: 1264