Overview

overview

10

Static

static

8c92dfd98d...in.exe

windows7_x64

8

8c92dfd98d...in.exe

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    144s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    02-11-2021 07:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8c92dfd98d0da124299b28d92ad7b50d6b622e6078992df74a5e7b41261ad008.bin.exe

  • Size

    6.0MB

  • MD5

    36439a5f029df1777b51a34bd454b9d2

  • SHA1

    66ab3a5c3f35fad196b07bc91930bcc171b0132f

  • SHA256

    8c92dfd98d0da124299b28d92ad7b50d6b622e6078992df74a5e7b41261ad008

  • SHA512

    e412f202184412e39e8fed102b042c68e7b65eeb6545096481db3e62e5dfdf641031736f616e1cf7e61e59705473af37a1e7c0c13762cbdc5a6aa5acaace8da9

Score
10/10
parallaxratspywarestealer

Malware Config

Signatures

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

    ratparallax
  • ParallaxRat payload 1 IoCs

    Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c92dfd98d0da124299b28d92ad7b50d6b622e6078992df74a5e7b41261ad008.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\8c92dfd98d0da124299b28d92ad7b50d6b622e6078992df74a5e7b41261ad008.bin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3804
    • C:\Users\Admin\AppData\Local\Temp\is-1M8UI.tmp\8c92dfd98d0da124299b28d92ad7b50d6b622e6078992df74a5e7b41261ad008.bin.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-1M8UI.tmp\8c92dfd98d0da124299b28d92ad7b50d6b622e6078992df74a5e7b41261ad008.bin.tmp" /SL5="$601DE,5451459,831488,C:\Users\Admin\AppData\Local\Temp\8c92dfd98d0da124299b28d92ad7b50d6b622e6078992df74a5e7b41261ad008.bin.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3680
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C mountvol P: /D
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:584
        • C:\Windows\SysWOW64\mountvol.exe
          mountvol P: /D
          4⤵
          • Enumerates connected drives
          PID:68
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C bcdedit /set {bootmgr} path \EFI\Boot\bareflank.efi
        3⤵
          PID:644
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C setx /m PATH "%PATH%C:\Users\Admin\AppData\Local\Temp\is-15F9U.tmp"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:804
          • C:\Windows\SysWOW64\setx.exe
            setx /m PATH "C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;C:\Users\Admin\AppData\Local\Temp\is-15F9U.tmp"
            4⤵
              PID:900
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-15F9U.tmp\devcon.exe" remove "ROOT\bareflank""
            3⤵
              PID:1200
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-15F9U.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-15F9U.tmp\bareflank.inf" "ROOT\bareflank""
              3⤵
                PID:1512
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-15F9U.tmp\devcon.exe" remove "ROOT\bfbuilder""
                3⤵
                  PID:3284
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-15F9U.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-15F9U.tmp\bfbuilder.inf" "ROOT\bfbuilder""
                  3⤵
                    PID:3540
                  • C:\Users\Admin\AppData\Roaming\wsqmcons.exe
                    "C:\Users\Admin\AppData\Roaming\wsqmcons.exe"
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:64
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe"
                      4⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: MapViewOfSection
                      PID:604
                      • C:\Windows\SysWOW64\rundll32.exe
                        "C:\Windows\system32\rundll32.exe"
                        5⤵
                        • Blocklisted process makes network request
                        • Drops file in Windows directory
                        PID:3120

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/604-161-0x00007FFFA1F70000-0x00007FFFA214B000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/604-139-0x00000000771C9000-0x00000000771CA000-memory.dmp

                Filesize

                4KB

                Download

              • memory/604-160-0x0000000003160000-0x0000000003168000-memory.dmp

                Filesize

                32KB

                Download

              • memory/604-147-0x0000000000B70000-0x0000000000B72000-memory.dmp

                Filesize

                8KB

                Download

              • memory/3120-173-0x0000000003190000-0x0000000003199000-memory.dmp

                Filesize

                36KB

                Download

              • memory/3120-199-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

                Download

              • memory/3120-168-0x0000000000D50000-0x0000000000D51000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3120-169-0x0000000000D50000-0x0000000000D51000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3120-174-0x00007FFFA1F70000-0x00007FFFA214B000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/3680-120-0x0000000000770000-0x0000000000771000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3804-117-0x0000000000400000-0x00000000004D8000-memory.dmp

                Filesize

                864KB

                Download