Overview

overview

10

Static

static

e977ecbe53...9a.exe

windows7_x64

10

e977ecbe53...9a.exe

windows10_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    21-10-2021 09:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e977ecbe535a71569be5143bb4f1a2868e45e5251903fb2640c1a48dcd18cc9a.exe

  • Size

    8.3MB

  • MD5

    ccd06635e00d0387499240fba7bc3559

  • SHA1

    37c6ecc5808fa6b73fe8855b0c28cabbe7a69956

  • SHA256

    e977ecbe535a71569be5143bb4f1a2868e45e5251903fb2640c1a48dcd18cc9a

  • SHA512

    dc371226c37b324168652c166b9d532104875b10dc05a7eda522e43a8921a952d4877722268bf4dfe5016d2be88e88c6d8e4f65d8c5c50f708b86b487c94f17d

Score
10/10
parallaxevasionransomwareratspywarestealersuricata

Malware Config

Signatures

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

    ratparallax
  • ParallaxRat payload 1 IoCs

    Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

  • suricata: ET MALWARE Parallax CnC Response Activity M14

    suricata: ET MALWARE Parallax CnC Response Activity M14

    suricata
  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
    ransomwareevasion
  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e977ecbe535a71569be5143bb4f1a2868e45e5251903fb2640c1a48dcd18cc9a.exe
    "C:\Users\Admin\AppData\Local\Temp\e977ecbe535a71569be5143bb4f1a2868e45e5251903fb2640c1a48dcd18cc9a.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Users\Admin\AppData\Local\Temp\is-HA7A9.tmp\e977ecbe535a71569be5143bb4f1a2868e45e5251903fb2640c1a48dcd18cc9a.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-HA7A9.tmp\e977ecbe535a71569be5143bb4f1a2868e45e5251903fb2640c1a48dcd18cc9a.tmp" /SL5="$F015A,7418312,831488,C:\Users\Admin\AppData\Local\Temp\e977ecbe535a71569be5143bb4f1a2868e45e5251903fb2640c1a48dcd18cc9a.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /C mountvol P: /D
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:792
        • C:\Windows\system32\mountvol.exe
          mountvol P: /D
          4⤵
          • Enumerates connected drives
          PID:812
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /C bcdedit /set {bootmgr} path \EFI\Boot\bareflank.efi
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1092
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {bootmgr} path \EFI\Boot\bareflank.efi
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:684
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /C setx /m PATH "%PATH%C:\Users\Admin\AppData\Local\Temp\is-3A5DI.tmp"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:612
        • C:\Windows\system32\setx.exe
          setx /m PATH "C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Users\Admin\AppData\Local\Temp\is-3A5DI.tmp"
          4⤵
            PID:1932
        • C:\Windows\system32\cmd.exe
          "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-3A5DI.tmp\devcon.exe" remove "ROOT\bareflank""
          3⤵
            PID:1212
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-3A5DI.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-3A5DI.tmp\bareflank.inf" "ROOT\bareflank""
            3⤵
              PID:1292
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-3A5DI.tmp\devcon.exe" remove "ROOT\bfbuilder""
              3⤵
                PID:616
              • C:\Windows\system32\cmd.exe
                "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-3A5DI.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-3A5DI.tmp\bfbuilder.inf" "ROOT\bfbuilder""
                3⤵
                  PID:1280
                • C:\Users\Admin\AppData\Roaming\syskey.exe
                  "C:\Users\Admin\AppData\Roaming\syskey.exe"
                  3⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:1452
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe"
                    4⤵
                    • Blocklisted process makes network request
                    • Modifies system certificate store
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: MapViewOfSection
                    PID:1692
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe"
                      5⤵
                        PID:1920
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe"
                        5⤵
                          PID:268
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe"
                          5⤵
                            PID:1204
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\system32\cmd.exe"
                            5⤵
                              PID:1728
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\system32\cmd.exe"
                              5⤵
                                PID:1760
                              • C:\Windows\SysWOW64\notepad.exe
                                "C:\Windows\system32\notepad.exe"
                                5⤵
                                  PID:1724
                                • C:\Windows\SysWOW64\notepad.exe
                                  "C:\Windows\system32\notepad.exe"
                                  5⤵
                                    PID:588
                                  • C:\Windows\SysWOW64\notepad.exe
                                    "C:\Windows\system32\notepad.exe"
                                    5⤵
                                      PID:684
                                    • C:\Windows\SysWOW64\notepad.exe
                                      "C:\Windows\system32\notepad.exe"
                                      5⤵
                                        PID:1092
                                      • C:\Windows\SysWOW64\notepad.exe
                                        "C:\Windows\system32\notepad.exe"
                                        5⤵
                                        • Drops file in Windows directory
                                        PID:1432

                              Network

                              MITRE ATT&CK Enterprise v6

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • memory/1116-62-0x0000000000240000-0x0000000000241000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/1432-112-0x0000000000400000-0x0000000000424000-memory.dmp

                                Filesize

                                144KB

                                Download

                              • memory/1432-105-0x00000000000C0000-0x00000000000C9000-memory.dmp

                                Filesize

                                36KB

                                Download

                              • memory/1432-104-0x0000000077310000-0x00000000774B9000-memory.dmp

                                Filesize

                                1.7MB

                                Download

                              • memory/1452-88-0x0000000000400000-0x00000000004CA000-memory.dmp

                                Filesize

                                808KB

                                Download

                              • memory/1452-87-0x00000000000F0000-0x000000000014B000-memory.dmp

                                Filesize

                                364KB

                                Download

                              • memory/1692-91-0x0000000000090000-0x0000000000092000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/1692-92-0x00000000005D0000-0x00000000005D8000-memory.dmp

                                Filesize

                                32KB

                                Download

                              • memory/1692-93-0x0000000077310000-0x00000000774B9000-memory.dmp

                                Filesize

                                1.7MB

                                Download

                              • memory/1988-57-0x0000000000400000-0x00000000004D8000-memory.dmp

                                Filesize

                                864KB

                                Download

                              • memory/1988-54-0x0000000076231000-0x0000000076233000-memory.dmp

                                Filesize

                                8KB

                                Download