Overview

overview

10

Static

static

c183d00cdf...39.exe

windows7_x64

8

c183d00cdf...39.exe

windows10_x64

10

Analysis

  • max time kernel
    130s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    21-10-2021 09:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe

  • Size

    19.5MB

  • MD5

    6374c01ed81cea712fe61d0774521ac3

  • SHA1

    6a2957d427b9ca85f58266564951e6e56da89566

  • SHA256

    c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339

  • SHA512

    4a85f10a54a8721d09e2ba9171882c53b83bdb9c87ad3ec84877f7a34d6007b6d12cfe0d9a8b48d41ac9054a3d78781a4fd299def96ff0927917b4d5c4bcab83

Score
10/10
parallaxratspywarestealer

Malware Config

Signatures

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

    ratparallax
  • ParallaxRat payload 1 IoCs

    Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe
    "C:\Users\Admin\AppData\Local\Temp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Users\Admin\AppData\Local\Temp\is-IJV5F.tmp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-IJV5F.tmp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp" /SL5="$3011A,19610817,831488,C:\Users\Admin\AppData\Local\Temp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C mountvol P: /D
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1528
        • C:\Windows\SysWOW64\mountvol.exe
          mountvol P: /D
          4⤵
          • Enumerates connected drives
          PID:684
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C bcdedit /set {bootmgr} path \EFI\Boot\bareflank.efi
        3⤵
          PID:3792
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C setx /m PATH "%PATH%C:\Users\Admin\AppData\Local\Temp\is-AK0LN.tmp"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3932
          • C:\Windows\SysWOW64\setx.exe
            setx /m PATH "C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;C:\Users\Admin\AppData\Local\Temp\is-AK0LN.tmp"
            4⤵
              PID:1112
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-AK0LN.tmp\devcon.exe" remove "ROOT\bareflank""
            3⤵
              PID:388
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-AK0LN.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-AK0LN.tmp\bareflank.inf" "ROOT\bareflank""
              3⤵
                PID:3996
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-AK0LN.tmp\devcon.exe" remove "ROOT\bfbuilder""
                3⤵
                  PID:396
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-AK0LN.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-AK0LN.tmp\bfbuilder.inf" "ROOT\bfbuilder""
                  3⤵
                    PID:1056
                  • C:\Users\Admin\AppData\Roaming\opera.exe
                    "C:\Users\Admin\AppData\Roaming\opera.exe"
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:1128
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe"
                      4⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: MapViewOfSection
                      PID:1804
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe"
                        5⤵
                        • Blocklisted process makes network request
                        • Drops file in Windows directory
                        PID:1956

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/1128-136-0x0000000000ADD000-0x0000000000AE8000-memory.dmp

                Filesize

                44KB

                Download

              • memory/1352-117-0x0000000000400000-0x00000000004D8000-memory.dmp

                Filesize

                864KB

                Download

              • memory/1804-139-0x00000000772C9000-0x00000000772CA000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1804-143-0x0000000000BC0000-0x0000000000BC2000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1804-160-0x0000000003380000-0x0000000003388000-memory.dmp

                Filesize

                32KB

                Download

              • memory/1804-161-0x00007FFCE81C0000-0x00007FFCE839B000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/1956-174-0x00007FFCE81C0000-0x00007FFCE839B000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/1956-173-0x0000000003310000-0x0000000003319000-memory.dmp

                Filesize

                36KB

                Download

              • memory/1956-199-0x0000000000400000-0x0000000000424000-memory.dmp

                Filesize

                144KB

                Download

              • memory/1956-169-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1956-168-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2792-120-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

                Filesize

                4KB

                Download