Overview

overview

10

Static

static

FireFoxExtension.exe

windows7_x64

10

FireFoxExtension.exe

windows10_x64

10

Analysis

  • max time kernel
    84s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    28-09-2021 09:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FireFoxExtension.exe

  • Size

    19.5MB

  • MD5

    2e309f6569ad98bc9dda1178dbcf6296

  • SHA1

    4c07d69e84935842ac2ce9a8ded577f1fc17280c

  • SHA256

    bc2d39c8020a92de04d4a0749449595c2317d76dc607c56d2c26edf5fa3ef004

  • SHA512

    c87bd9836ad2ec45e4192af135d23a5352b3b9331f813902e2f3627a8c913a1afb9c9eb1cb2b8089f236ce971b457a15e15b2c0b41aa5a8aa7cb92d9099f1b81

Score
10/10
parallaxratspywarestealer

Malware Config

Signatures

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

    ratparallax
  • ParallaxRat payload 1 IoCs

    Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FireFoxExtension.exe
    "C:\Users\Admin\AppData\Local\Temp\FireFoxExtension.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Users\Admin\AppData\Local\Temp\is-J0ATN.tmp\FireFoxExtension.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-J0ATN.tmp\FireFoxExtension.tmp" /SL5="$40118,19610817,831488,C:\Users\Admin\AppData\Local\Temp\FireFoxExtension.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C mountvol P: /D
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1744
        • C:\Windows\SysWOW64\mountvol.exe
          mountvol P: /D
          4⤵
          • Enumerates connected drives
          PID:560
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C bcdedit /set {bootmgr} path \EFI\Boot\bareflank.efi
        3⤵
          PID:1828
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C setx /m PATH "%PATH%C:\Users\Admin\AppData\Local\Temp\is-81PKC.tmp"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:316
          • C:\Windows\SysWOW64\setx.exe
            setx /m PATH "C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Users\Admin\AppData\Local\Temp\is-81PKC.tmp"
            4⤵
              PID:524
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-81PKC.tmp\devcon.exe" remove "ROOT\bareflank""
            3⤵
              PID:472
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-81PKC.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-81PKC.tmp\bareflank.inf" "ROOT\bareflank""
              3⤵
                PID:872
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-81PKC.tmp\devcon.exe" remove "ROOT\bfbuilder""
                3⤵
                  PID:1440
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-81PKC.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-81PKC.tmp\bfbuilder.inf" "ROOT\bfbuilder""
                  3⤵
                    PID:1480
                  • C:\Users\Admin\AppData\Roaming\opera.exe
                    "C:\Users\Admin\AppData\Roaming\opera.exe"
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:1796
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe"
                      4⤵
                      • Blocklisted process makes network request
                      • Modifies system certificate store
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: MapViewOfSection
                      PID:536
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe"
                        5⤵
                        • Blocklisted process makes network request
                        • Drops file in Windows directory
                        PID:1612

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/536-82-0x0000000077190000-0x0000000077339000-memory.dmp

                Filesize

                1.7MB

                Download

              • memory/536-81-0x0000000001D80000-0x0000000001DB5000-memory.dmp

                Filesize

                212KB

                Download

              • memory/536-80-0x00000000000D0000-0x00000000000D2000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1544-57-0x0000000000400000-0x00000000004D8000-memory.dmp

                Filesize

                864KB

                Download

              • memory/1544-53-0x00000000751D1000-0x00000000751D3000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1612-84-0x0000000077190000-0x0000000077339000-memory.dmp

                Filesize

                1.7MB

                Download

              • memory/1612-85-0x0000000000080000-0x0000000000089000-memory.dmp

                Filesize

                36KB

                Download

              • memory/1612-86-0x0000000077191000-0x000000007729127A-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/1612-92-0x0000000000400000-0x0000000000424000-memory.dmp

                Filesize

                144KB

                Download

              • memory/1716-60-0x00000000001D0000-0x00000000001D1000-memory.dmp

                Filesize

                4KB

                Download