parallax | b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26

Analysis

max time kernel
123s
max time network
145s
platform
windows7_x64
resource
win7-en-20211014
submitted
21-10-2021 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exe
Size

19.5MB
MD5

2710feba607afde5c935bb5183333bbb
SHA1

c22be1aaeb64338a1ca5c26df721a57b2f5909df
SHA256

b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26
SHA512

3f7bf63e50be3be96f5f658fc8132011700da1dde62c7a63281d44d94f24647eecb0c3da0e6694f2e3f9b42a233f01e67a9d5fe06350f0e27defd63179c24b2f

Score

10^/10

parallax rat spyware stealer suricata

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

Processes:

resource	yara_rule
behavioral1/memory/1632-96-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

suricata: ET MALWARE Parallax CnC Response Activity M14
suricata: ET MALWARE Parallax CnC Response Activity M14
suricata
Blocklisted process makes network request 4 IoCs

Processes:

cmd.execmd.exe

flow pid process

9 1732 cmd.exe
11 1732 cmd.exe
13 1732 cmd.exe
15 1632 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmpopera.exe

pid process

1648 b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp
1508 opera.exe

flow	pid	process
9	1732	cmd.exe
11	1732	cmd.exe
13	1732	cmd.exe
15	1632	cmd.exe

pid	process
1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp
1508	opera.exe

Loads dropped DLL 3 IoCs

Processes:

b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exeb182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmpopera.exe

pid	process
1384	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exe
1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp
1508	opera.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

mountvol.exe

description ioc process

File opened (read-only) \??\P: mountvol.exe
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\opera.job cmd.exe

description	ioc	process
File opened (read-only)	\??\P:	mountvol.exe

description	ioc	process
File created	C:\Windows\Tasks\opera.job	cmd.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	cmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	cmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	cmd.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

opera.execmd.exe

pid process

1508 opera.exe
1732 cmd.exe
1732 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

cmd.exe

pid process

1732 cmd.exe
1732 cmd.exe

pid	process
1508	opera.exe
1732	cmd.exe
1732	cmd.exe

pid	process
1732	cmd.exe
1732	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exeb182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmpcmd.execmd.exeopera.exe

description	pid	process	target process
PID 1384 wrote to memory of 1648	1384	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exe	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp
PID 1384 wrote to memory of 1648	1384	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exe	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp
PID 1384 wrote to memory of 1648	1384	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exe	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp
PID 1384 wrote to memory of 1648	1384	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exe	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp
PID 1384 wrote to memory of 1648	1384	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exe	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp
PID 1384 wrote to memory of 1648	1384	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exe	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp
PID 1384 wrote to memory of 1648	1384	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exe	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp
PID 1648 wrote to memory of 652	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 652	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 652	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 652	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 1256	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 1256	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 1256	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 1256	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 568	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 568	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 568	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 568	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 652 wrote to memory of 1808	652	cmd.exe	mountvol.exe
PID 652 wrote to memory of 1808	652	cmd.exe	mountvol.exe
PID 652 wrote to memory of 1808	652	cmd.exe	mountvol.exe
PID 652 wrote to memory of 1808	652	cmd.exe	mountvol.exe
PID 568 wrote to memory of 1192	568	cmd.exe	setx.exe
PID 568 wrote to memory of 1192	568	cmd.exe	setx.exe
PID 568 wrote to memory of 1192	568	cmd.exe	setx.exe
PID 568 wrote to memory of 1192	568	cmd.exe	setx.exe
PID 1648 wrote to memory of 1228	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 1228	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 1228	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 1228	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 740	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 740	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 740	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 740	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 804	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 804	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 804	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 804	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 1780	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 1780	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 1780	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 1780	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1648 wrote to memory of 1508	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	opera.exe
PID 1648 wrote to memory of 1508	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	opera.exe
PID 1648 wrote to memory of 1508	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	opera.exe
PID 1648 wrote to memory of 1508	1648	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	opera.exe
PID 1508 wrote to memory of 1732	1508	opera.exe	cmd.exe
PID 1508 wrote to memory of 1732	1508	opera.exe	cmd.exe
PID 1508 wrote to memory of 1732	1508	opera.exe	cmd.exe
PID 1508 wrote to memory of 1732	1508	opera.exe	cmd.exe
PID 1508 wrote to memory of 1732	1508	opera.exe	cmd.exe
PID 1508 wrote to memory of 1732	1508	opera.exe	cmd.exe
PID 1508 wrote to memory of 1732	1508	opera.exe	cmd.exe
PID 1508 wrote to memory of 1732	1508	opera.exe	cmd.exe
PID 1508 wrote to memory of 1732	1508	opera.exe	cmd.exe
PID 1508 wrote to memory of 1732	1508	opera.exe	cmd.exe
PID 1508 wrote to memory of 1732	1508	opera.exe	cmd.exe
PID 1508 wrote to memory of 1732	1508	opera.exe	cmd.exe
PID 1508 wrote to memory of 1732	1508	opera.exe	cmd.exe
PID 1508 wrote to memory of 1732	1508	opera.exe	cmd.exe
PID 1508 wrote to memory of 1732	1508	opera.exe	cmd.exe
PID 1508 wrote to memory of 1732	1508	opera.exe	cmd.exe
PID 1508 wrote to memory of 1732	1508	opera.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exe
"C:\Users\Admin\AppData\Local\Temp\b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Local\Temp\is-5K7VM.tmp\b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5K7VM.tmp\b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp" /SL5="$60152,19610817,831488,C:\Users\Admin\AppData\Local\Temp\b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mountvol P: /D
3⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\mountvol.exe
mountvol P: /D
4⤵
- Enumerates connected drives
PID:1808

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C bcdedit /set {bootmgr} path \EFI\Boot\bareflank.efi
3⤵
PID:1256

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C setx /m PATH "%PATH%C:\Users\Admin\AppData\Local\Temp\is-E8P9Q.tmp"
3⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\setx.exe
setx /m PATH "C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Users\Admin\AppData\Local\Temp\is-E8P9Q.tmp"
4⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-E8P9Q.tmp\devcon.exe" remove "ROOT\bareflank""
3⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-E8P9Q.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-E8P9Q.tmp\bareflank.inf" "ROOT\bareflank""
3⤵
PID:740

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-E8P9Q.tmp\devcon.exe" remove "ROOT\bfbuilder""
3⤵
PID:804

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-E8P9Q.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-E8P9Q.tmp\bfbuilder.inf" "ROOT\bfbuilder""
3⤵
PID:1780

C:\Users\Admin\AppData\Roaming\opera.exe
"C:\Users\Admin\AppData\Roaming\opera.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
5⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
5⤵
- Blocklisted process makes network request
- Drops file in Windows directory
PID:1632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-5K7VM.tmp\b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp
MD5
266673b16ab08a498deb528139dc7213

SHA1
f4f91f8056dbedc155b3965f19eeac7d185f1c9c

SHA256
c6fa242b88805720daf185db905717ff44f23086bb89f3409f100d4f80d95d3f

SHA512
c7fce8e4144f3b484726b6e0202cf4c911091ab04d5ea90ae445e9b5adba56f0e7f4f76f6f01917fccb8a566ddb6b3c4440fee5cf81fd56dee17f7bec984f908

Download Submit
C:\Users\Admin\AppData\Roaming\DUI70.dll
MD5
b28030547470704a3a16c5407bfb28bb

SHA1
0f5bff72f324bae9e693c06d00180e9da52e7689

SHA256
0e6be3a2873bba8a71da4158785b5b249863d4c1bc469ab7da0d43c8c06e2922

SHA512
751b46c31d38e3c5040a25d5a21db16c633a69919daee78b48ae102f35bc60146ceec4b46e568824a0f1c72df065f369645be67dbf035aa0bd28892fee210064

Download Submit
C:\Users\Admin\AppData\Roaming\opera.exe
MD5
8c545f6f1ba83c15b8b02ee4aa62ff11

SHA1
61bc86addcc641dc79cf84072fc04fa738d0596d

SHA256
4ea90ef6db17221b9e74f9bd390f65e9877eac59a39fccd900dccad7d986a1ad

SHA512
6b89da909ab6c392cee096a1479071f2a623363ade53b1c1f8e35af3e3004793c092123c8d4d0109b52d067f09262c330426646444aefaaa19da9ed9354af0a0

Download Submit
C:\Users\Admin\AppData\Roaming\opera.exe
MD5
8c545f6f1ba83c15b8b02ee4aa62ff11

SHA1
61bc86addcc641dc79cf84072fc04fa738d0596d

SHA256
4ea90ef6db17221b9e74f9bd390f65e9877eac59a39fccd900dccad7d986a1ad

SHA512
6b89da909ab6c392cee096a1479071f2a623363ade53b1c1f8e35af3e3004793c092123c8d4d0109b52d067f09262c330426646444aefaaa19da9ed9354af0a0

Download Submit
C:\Users\Admin\AppData\Roaming\u.txt
MD5
a357bfa782c0384a4f69fb0d329b364b

SHA1
bbf5251b3bf1974c6850cb47fa6feb4c59e0141d

SHA256
5686e45ed19be9357b84d53e4b129733efbfeeecf7306823a739127993cc487e

SHA512
6a40384feafb7288667831c3a54fb7d04c9cf235fb087737d02eba712576d942bd7fbba07e819909e34d5359a6d8bc1f5824442483047ab5f3ef6ddb1b47b155

Download Submit
C:\Users\Admin\AppData\Roaming\user.bin
MD5
0cccbe67a89513ec9072ae43ccf0ca36

SHA1
f32eba60b3f60388c38f819fd47a6b4327f98592

SHA256
0160889c87cb5bef893a2d0fd1a1ae22ee09610cf05e1f488e9ed390660ec9d5

SHA512
4f3cf7b5b5c87ad74db0381b9bc1a90d67235cf7d85ba82acc2d032ea5995351414c961268502a5518baf37e0ae2a14af4e5f2ef493caa8ef0a06e0811a7d62e

Download Submit
\Users\Admin\AppData\Local\Temp\is-5K7VM.tmp\b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp
MD5
266673b16ab08a498deb528139dc7213

SHA1
f4f91f8056dbedc155b3965f19eeac7d185f1c9c

SHA256
c6fa242b88805720daf185db905717ff44f23086bb89f3409f100d4f80d95d3f

SHA512
c7fce8e4144f3b484726b6e0202cf4c911091ab04d5ea90ae445e9b5adba56f0e7f4f76f6f01917fccb8a566ddb6b3c4440fee5cf81fd56dee17f7bec984f908

Download Submit
\Users\Admin\AppData\Roaming\dui70.dll
MD5
b28030547470704a3a16c5407bfb28bb

SHA1
0f5bff72f324bae9e693c06d00180e9da52e7689

SHA256
0e6be3a2873bba8a71da4158785b5b249863d4c1bc469ab7da0d43c8c06e2922

SHA512
751b46c31d38e3c5040a25d5a21db16c633a69919daee78b48ae102f35bc60146ceec4b46e568824a0f1c72df065f369645be67dbf035aa0bd28892fee210064

Download Submit
\Users\Admin\AppData\Roaming\opera.exe
MD5
8c545f6f1ba83c15b8b02ee4aa62ff11

SHA1
61bc86addcc641dc79cf84072fc04fa738d0596d

SHA256
4ea90ef6db17221b9e74f9bd390f65e9877eac59a39fccd900dccad7d986a1ad

SHA512
6b89da909ab6c392cee096a1479071f2a623363ade53b1c1f8e35af3e3004793c092123c8d4d0109b52d067f09262c330426646444aefaaa19da9ed9354af0a0

Download Submit
memory/568-65-0x0000000000000000-mapping.dmp

Download
memory/652-63-0x0000000000000000-mapping.dmp

Download
memory/740-69-0x0000000000000000-mapping.dmp

Download
memory/804-70-0x0000000000000000-mapping.dmp

Download
memory/1192-67-0x0000000000000000-mapping.dmp

Download
memory/1228-68-0x0000000000000000-mapping.dmp

Download
memory/1256-64-0x0000000000000000-mapping.dmp

Download
memory/1384-54-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download
memory/1384-61-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1508-73-0x0000000000000000-mapping.dmp

Download
memory/1508-79-0x00000000003F1000-0x00000000003FB000-memory.dmp

Filesize
40KB

Download
memory/1632-87-0x0000000000000000-mapping.dmp

Download
memory/1632-96-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1632-89-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/1632-88-0x0000000077A40000-0x0000000077BE9000-memory.dmp

Filesize
1.7MB

Download
memory/1648-62-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1648-58-0x0000000000000000-mapping.dmp

Download
memory/1732-84-0x0000000001DB0000-0x0000000001DB8000-memory.dmp

Filesize
32KB

Download
memory/1732-85-0x0000000077A40000-0x0000000077BE9000-memory.dmp

Filesize
1.7MB

Download
memory/1732-83-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/1732-81-0x0000000000000000-mapping.dmp

Download
memory/1780-71-0x0000000000000000-mapping.dmp

Download
memory/1808-66-0x0000000000000000-mapping.dmp

Download