Overview

overview

10

Static

static

3800cfc177...in.exe

windows7_x64

10

3800cfc177...in.exe

windows10_x64

10

Resubmissions

08-11-2021 13:19

211108-qkhmeacba6 10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    08-11-2021 13:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3800cfc1779229230276e658dc437da44c074712247a23ef3a0543daf86505dc.bin.exe

  • Size

    3.3MB

  • MD5

    281277343c24ce9611314044e5df610c

  • SHA1

    d531e047d55bc162b3e338aed504c9eff77fde80

  • SHA256

    3800cfc1779229230276e658dc437da44c074712247a23ef3a0543daf86505dc

  • SHA512

    a7e4823e343c7a2f68a67be920edc6209ca441d9ece19339049faf44173d7c252b2928d599b12a8b6d6246149e40910c3f9e6bf045a5b7e4971c705885dc6de9

Score
10/10
parallaxratspywarestealer

Malware Config

Signatures

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

    ratparallax
  • ParallaxRat payload 1 IoCs

    Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3800cfc1779229230276e658dc437da44c074712247a23ef3a0543daf86505dc.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\3800cfc1779229230276e658dc437da44c074712247a23ef3a0543daf86505dc.bin.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Users\Admin\AppData\Local\Temp\is-O9RHR.tmp\3800cfc1779229230276e658dc437da44c074712247a23ef3a0543daf86505dc.bin.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-O9RHR.tmp\3800cfc1779229230276e658dc437da44c074712247a23ef3a0543daf86505dc.bin.tmp" /SL5="$40156,2608321,831488,C:\Users\Admin\AppData\Local\Temp\3800cfc1779229230276e658dc437da44c074712247a23ef3a0543daf86505dc.bin.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C mountvol P: /D
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1968
        • C:\Windows\SysWOW64\mountvol.exe
          mountvol P: /D
          4⤵
          • Enumerates connected drives
          PID:1732
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C bcdedit /set {bootmgr} path \EFI\Boot\bareflank.efi
        3⤵
          PID:1452
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C setx /m PATH "%PATH%C:\Users\Admin\AppData\Local\Temp\is-MHOKM.tmp"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1956
          • C:\Windows\SysWOW64\setx.exe
            setx /m PATH "C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Users\Admin\AppData\Local\Temp\is-MHOKM.tmp"
            4⤵
              PID:964
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-MHOKM.tmp\devcon.exe" remove "ROOT\bareflank""
            3⤵
              PID:680
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-MHOKM.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-MHOKM.tmp\bareflank.inf" "ROOT\bareflank""
              3⤵
                PID:1840
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-MHOKM.tmp\devcon.exe" remove "ROOT\bfbuilder""
                3⤵
                  PID:836
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-MHOKM.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-MHOKM.tmp\bfbuilder.inf" "ROOT\bfbuilder""
                  3⤵
                    PID:2044
                  • C:\Users\Admin\AppData\Roaming\wsqmcons.exe
                    "C:\Users\Admin\AppData\Roaming\wsqmcons.exe"
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:1852
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe"
                      4⤵
                      • Blocklisted process makes network request
                      • Modifies system certificate store
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: MapViewOfSection
                      PID:1080
                      • C:\Windows\SysWOW64\nslookup.exe
                        "C:\Windows\system32\nslookup.exe"
                        5⤵
                        • Drops file in Windows directory
                        PID:1744

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/1080-85-0x0000000001D70000-0x0000000001D78000-memory.dmp

                Filesize

                32KB

                Download

              • memory/1080-84-0x0000000000090000-0x0000000000092000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1080-86-0x0000000077120000-0x00000000772C9000-memory.dmp

                Filesize

                1.7MB

                Download

              • memory/1224-55-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1224-58-0x0000000000400000-0x00000000004D8000-memory.dmp

                Filesize

                864KB

                Download

              • memory/1304-63-0x0000000000240000-0x0000000000241000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1744-96-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

                Download

              • memory/1744-88-0x0000000077120000-0x00000000772C9000-memory.dmp

                Filesize

                1.7MB

                Download

              • memory/1744-89-0x0000000000220000-0x0000000000229000-memory.dmp

                Filesize

                36KB

                Download

              • memory/1852-80-0x0000000000740000-0x000000000074A000-memory.dmp

                Filesize

                40KB

                Download