Analysis
-
max time kernel
130s -
max time network
147s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
21-10-2021 09:38
General
-
Target
c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe
-
Size
19.5MB
-
MD5
6374c01ed81cea712fe61d0774521ac3
-
SHA1
6a2957d427b9ca85f58266564951e6e56da89566
-
SHA256
c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339
-
SHA512
4a85f10a54a8721d09e2ba9171882c53b83bdb9c87ad3ec84877f7a34d6007b6d12cfe0d9a8b48d41ac9054a3d78781a4fd299def96ff0927917b4d5c4bcab83
Malware Config
Signatures
-
ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
-
ParallaxRat payload 1 IoCs
Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe"C:\Users\Admin\AppData\Local\Temp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-IJV5F.tmp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp"C:\Users\Admin\AppData\Local\Temp\is-IJV5F.tmp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp" /SL5="$3011A,19610817,831488,C:\Users\Admin\AppData\Local\Temp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C mountvol P: /D3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mountvol.exemountvol P: /D4⤵
- Enumerates connected drives
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C bcdedit /set {bootmgr} path \EFI\Boot\bareflank.efi3⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C setx /m PATH "%PATH%C:\Users\Admin\AppData\Local\Temp\is-AK0LN.tmp"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\setx.exesetx /m PATH "C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;C:\Users\Admin\AppData\Local\Temp\is-AK0LN.tmp"4⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-AK0LN.tmp\devcon.exe" remove "ROOT\bareflank""3⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-AK0LN.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-AK0LN.tmp\bareflank.inf" "ROOT\bareflank""3⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-AK0LN.tmp\devcon.exe" remove "ROOT\bfbuilder""3⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-AK0LN.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-AK0LN.tmp\bfbuilder.inf" "ROOT\bfbuilder""3⤵
-
C:\Users\Admin\AppData\Roaming\opera.exe"C:\Users\Admin\AppData\Roaming\opera.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"5⤵
- Blocklisted process makes network request
- Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\is-IJV5F.tmp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmpMD5
266673b16ab08a498deb528139dc7213
SHA1f4f91f8056dbedc155b3965f19eeac7d185f1c9c
SHA256c6fa242b88805720daf185db905717ff44f23086bb89f3409f100d4f80d95d3f
SHA512c7fce8e4144f3b484726b6e0202cf4c911091ab04d5ea90ae445e9b5adba56f0e7f4f76f6f01917fccb8a566ddb6b3c4440fee5cf81fd56dee17f7bec984f908
-
C:\Users\Admin\AppData\Roaming\DUI70.dllMD5
b28030547470704a3a16c5407bfb28bb
SHA10f5bff72f324bae9e693c06d00180e9da52e7689
SHA2560e6be3a2873bba8a71da4158785b5b249863d4c1bc469ab7da0d43c8c06e2922
SHA512751b46c31d38e3c5040a25d5a21db16c633a69919daee78b48ae102f35bc60146ceec4b46e568824a0f1c72df065f369645be67dbf035aa0bd28892fee210064
-
C:\Users\Admin\AppData\Roaming\opera.exeMD5
8c545f6f1ba83c15b8b02ee4aa62ff11
SHA161bc86addcc641dc79cf84072fc04fa738d0596d
SHA2564ea90ef6db17221b9e74f9bd390f65e9877eac59a39fccd900dccad7d986a1ad
SHA5126b89da909ab6c392cee096a1479071f2a623363ade53b1c1f8e35af3e3004793c092123c8d4d0109b52d067f09262c330426646444aefaaa19da9ed9354af0a0
-
C:\Users\Admin\AppData\Roaming\opera.exeMD5
8c545f6f1ba83c15b8b02ee4aa62ff11
SHA161bc86addcc641dc79cf84072fc04fa738d0596d
SHA2564ea90ef6db17221b9e74f9bd390f65e9877eac59a39fccd900dccad7d986a1ad
SHA5126b89da909ab6c392cee096a1479071f2a623363ade53b1c1f8e35af3e3004793c092123c8d4d0109b52d067f09262c330426646444aefaaa19da9ed9354af0a0
-
C:\Users\Admin\AppData\Roaming\u.txtMD5
a357bfa782c0384a4f69fb0d329b364b
SHA1bbf5251b3bf1974c6850cb47fa6feb4c59e0141d
SHA2565686e45ed19be9357b84d53e4b129733efbfeeecf7306823a739127993cc487e
SHA5126a40384feafb7288667831c3a54fb7d04c9cf235fb087737d02eba712576d942bd7fbba07e819909e34d5359a6d8bc1f5824442483047ab5f3ef6ddb1b47b155
-
C:\Users\Admin\AppData\Roaming\user.binMD5
0cccbe67a89513ec9072ae43ccf0ca36
SHA1f32eba60b3f60388c38f819fd47a6b4327f98592
SHA2560160889c87cb5bef893a2d0fd1a1ae22ee09610cf05e1f488e9ed390660ec9d5
SHA5124f3cf7b5b5c87ad74db0381b9bc1a90d67235cf7d85ba82acc2d032ea5995351414c961268502a5518baf37e0ae2a14af4e5f2ef493caa8ef0a06e0811a7d62e
-
\Users\Admin\AppData\Roaming\dui70.dllMD5
b28030547470704a3a16c5407bfb28bb
SHA10f5bff72f324bae9e693c06d00180e9da52e7689
SHA2560e6be3a2873bba8a71da4158785b5b249863d4c1bc469ab7da0d43c8c06e2922
SHA512751b46c31d38e3c5040a25d5a21db16c633a69919daee78b48ae102f35bc60146ceec4b46e568824a0f1c72df065f369645be67dbf035aa0bd28892fee210064
-
memory/388-126-0x0000000000000000-mapping.dmp
-
memory/396-128-0x0000000000000000-mapping.dmp
-
memory/684-125-0x0000000000000000-mapping.dmp
-
memory/1056-129-0x0000000000000000-mapping.dmp
-
memory/1112-124-0x0000000000000000-mapping.dmp
-
memory/1128-130-0x0000000000000000-mapping.dmp
-
memory/1128-136-0x0000000000ADD000-0x0000000000AE8000-memory.dmpFilesize
44KB
-
memory/1352-117-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/1528-121-0x0000000000000000-mapping.dmp
-
memory/1804-139-0x00000000772C9000-0x00000000772CA000-memory.dmpFilesize
4KB
-
memory/1804-138-0x0000000000000000-mapping.dmp
-
memory/1804-143-0x0000000000BC0000-0x0000000000BC2000-memory.dmpFilesize
8KB
-
memory/1804-160-0x0000000003380000-0x0000000003388000-memory.dmpFilesize
32KB
-
memory/1804-161-0x00007FFCE81C0000-0x00007FFCE839B000-memory.dmpFilesize
1.9MB
-
memory/1956-174-0x00007FFCE81C0000-0x00007FFCE839B000-memory.dmpFilesize
1.9MB
-
memory/1956-173-0x0000000003310000-0x0000000003319000-memory.dmpFilesize
36KB
-
memory/1956-199-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1956-166-0x0000000000000000-mapping.dmp
-
memory/1956-169-0x0000000000DC0000-0x0000000000DC1000-memory.dmpFilesize
4KB
-
memory/1956-168-0x0000000000DC0000-0x0000000000DC1000-memory.dmpFilesize
4KB
-
memory/2792-118-0x0000000000000000-mapping.dmp
-
memory/2792-120-0x0000000000DC0000-0x0000000000DC1000-memory.dmpFilesize
4KB
-
memory/3792-122-0x0000000000000000-mapping.dmp
-
memory/3932-123-0x0000000000000000-mapping.dmp
-
memory/3996-127-0x0000000000000000-mapping.dmp