Overview

overview

10

Static

static

e977ecbe53...9a.exe

windows7_x64

10

e977ecbe53...9a.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    21-10-2021 09:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e977ecbe535a71569be5143bb4f1a2868e45e5251903fb2640c1a48dcd18cc9a.exe

  • Size

    8.3MB

  • MD5

    ccd06635e00d0387499240fba7bc3559

  • SHA1

    37c6ecc5808fa6b73fe8855b0c28cabbe7a69956

  • SHA256

    e977ecbe535a71569be5143bb4f1a2868e45e5251903fb2640c1a48dcd18cc9a

  • SHA512

    dc371226c37b324168652c166b9d532104875b10dc05a7eda522e43a8921a952d4877722268bf4dfe5016d2be88e88c6d8e4f65d8c5c50f708b86b487c94f17d

Score
10/10
parallaxevasionransomwareratspywarestealersuricata

Malware Config

Signatures

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

    ratparallax
  • ParallaxRat payload 1 IoCs

    Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

  • suricata: ET MALWARE Parallax CnC Response Activity M14

    suricata: ET MALWARE Parallax CnC Response Activity M14

    suricata
  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
    ransomwareevasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 21 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e977ecbe535a71569be5143bb4f1a2868e45e5251903fb2640c1a48dcd18cc9a.exe
    "C:\Users\Admin\AppData\Local\Temp\e977ecbe535a71569be5143bb4f1a2868e45e5251903fb2640c1a48dcd18cc9a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Users\Admin\AppData\Local\Temp\is-LOJQ6.tmp\e977ecbe535a71569be5143bb4f1a2868e45e5251903fb2640c1a48dcd18cc9a.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-LOJQ6.tmp\e977ecbe535a71569be5143bb4f1a2868e45e5251903fb2640c1a48dcd18cc9a.tmp" /SL5="$30116,7418312,831488,C:\Users\Admin\AppData\Local\Temp\e977ecbe535a71569be5143bb4f1a2868e45e5251903fb2640c1a48dcd18cc9a.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3424
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C mountvol P: /D
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1316
        • C:\Windows\system32\mountvol.exe
          mountvol P: /D
          4⤵
          • Enumerates connected drives
          PID:1604
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C bcdedit /set {bootmgr} path \EFI\Boot\bareflank.efi
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1332
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {bootmgr} path \EFI\Boot\bareflank.efi
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3020
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C setx /m PATH "%PATH%C:\Users\Admin\AppData\Local\Temp\is-II8IO.tmp"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:656
        • C:\Windows\system32\setx.exe
          setx /m PATH "C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;C:\Users\Admin\AppData\Local\Temp\is-II8IO.tmp"
          4⤵
            PID:3420
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-II8IO.tmp\devcon.exe" remove "ROOT\bareflank""
          3⤵
            PID:364
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-II8IO.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-II8IO.tmp\bareflank.inf" "ROOT\bareflank""
            3⤵
              PID:3732
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-II8IO.tmp\devcon.exe" remove "ROOT\bfbuilder""
              3⤵
                PID:4016
              • C:\Windows\SYSTEM32\cmd.exe
                "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-II8IO.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-II8IO.tmp\bfbuilder.inf" "ROOT\bfbuilder""
                3⤵
                  PID:360
                • C:\Users\Admin\AppData\Roaming\syskey.exe
                  "C:\Users\Admin\AppData\Roaming\syskey.exe"
                  3⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:1684
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe"
                    4⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: MapViewOfSection
                    PID:2280
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe"
                      5⤵
                        PID:1568
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe"
                        5⤵
                          PID:3720
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe"
                          5⤵
                            PID:3560
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\system32\cmd.exe"
                            5⤵
                              PID:3036
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\system32\cmd.exe"
                              5⤵
                                PID:3160
                              • C:\Windows\SysWOW64\notepad.exe
                                "C:\Windows\system32\notepad.exe"
                                5⤵
                                • Drops file in Windows directory
                                PID:2220

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/1684-137-0x0000000000DB0000-0x0000000000E7A000-memory.dmp

                        Filesize

                        808KB

                        Download

                      • memory/1684-161-0x0000000000DB0000-0x0000000000E7A000-memory.dmp

                        Filesize

                        808KB

                        Download

                      • memory/1752-119-0x0000000000400000-0x00000000004D8000-memory.dmp

                        Filesize

                        864KB

                        Download

                      • memory/2220-222-0x00007FFD607B0000-0x00007FFD6098B000-memory.dmp

                        Filesize

                        1.9MB

                        Download

                      • memory/2220-218-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2220-217-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2220-227-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

                        Filesize

                        36KB

                        Download

                      • memory/2220-248-0x0000000000400000-0x0000000000424000-memory.dmp

                        Filesize

                        144KB

                        Download

                      • memory/2280-171-0x0000000003350000-0x0000000003352000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/2280-163-0x0000000077F19000-0x0000000077F1A000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2280-184-0x00000000053A0000-0x00000000053A8000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/2280-185-0x00007FFD607B0000-0x00007FFD6098B000-memory.dmp

                        Filesize

                        1.9MB

                        Download

                      • memory/3424-120-0x00000000009D0000-0x00000000009D1000-memory.dmp

                        Filesize

                        4KB

                        Download