Overview

overview

10

Static

static

ab711cdbe0...in.exe

windows7_x64

10

ab711cdbe0...in.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    08-11-2021 13:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab711cdbe0142ca44fc643c6741f396e5d027458253a985a2eb8cd9258f94b59.bin.exe

  • Size

    3.3MB

  • MD5

    bf815840ff00a0c3ba04d47cc2d158ee

  • SHA1

    c4852fecddf4aa661b46d61866b2b1e8893b5048

  • SHA256

    ab711cdbe0142ca44fc643c6741f396e5d027458253a985a2eb8cd9258f94b59

  • SHA512

    c8d97bd92e7d873e45b4ea77032d7f6caebb644a361b2bfdc876b66f2925218082107143d0052b2259404fbfd884c3a8665a61f5640c7e6dd825899038281267

Score
10/10
parallaxratspywarestealer

Malware Config

Signatures

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

    ratparallax
  • ParallaxRat payload 1 IoCs

    Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab711cdbe0142ca44fc643c6741f396e5d027458253a985a2eb8cd9258f94b59.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\ab711cdbe0142ca44fc643c6741f396e5d027458253a985a2eb8cd9258f94b59.bin.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Users\Admin\AppData\Local\Temp\is-D90KN.tmp\ab711cdbe0142ca44fc643c6741f396e5d027458253a985a2eb8cd9258f94b59.bin.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-D90KN.tmp\ab711cdbe0142ca44fc643c6741f396e5d027458253a985a2eb8cd9258f94b59.bin.tmp" /SL5="$50118,2608320,831488,C:\Users\Admin\AppData\Local\Temp\ab711cdbe0142ca44fc643c6741f396e5d027458253a985a2eb8cd9258f94b59.bin.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:796
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C mountvol P: /D
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:528
        • C:\Windows\SysWOW64\mountvol.exe
          mountvol P: /D
          4⤵
          • Enumerates connected drives
          PID:1156
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C bcdedit /set {bootmgr} path \EFI\Boot\bareflank.efi
        3⤵
          PID:1432
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C setx /m PATH "%PATH%C:\Users\Admin\AppData\Local\Temp\is-OU9T8.tmp"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:876
          • C:\Windows\SysWOW64\setx.exe
            setx /m PATH "C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Users\Admin\AppData\Local\Temp\is-OU9T8.tmp"
            4⤵
              PID:436
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-OU9T8.tmp\devcon.exe" remove "ROOT\bareflank""
            3⤵
              PID:1172
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-OU9T8.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-OU9T8.tmp\bareflank.inf" "ROOT\bareflank""
              3⤵
                PID:1148
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-OU9T8.tmp\devcon.exe" remove "ROOT\bfbuilder""
                3⤵
                  PID:1288
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-OU9T8.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-OU9T8.tmp\bfbuilder.inf" "ROOT\bfbuilder""
                  3⤵
                    PID:1504
                  • C:\Users\Admin\AppData\Roaming\wsqmcons.exe
                    "C:\Users\Admin\AppData\Roaming\wsqmcons.exe"
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:1764
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe"
                      4⤵
                      • Blocklisted process makes network request
                      • Modifies system certificate store
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: MapViewOfSection
                      PID:1708
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe"
                        5⤵
                        • Blocklisted process makes network request
                        • Drops file in Windows directory
                        PID:1316

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/796-63-0x0000000000240000-0x0000000000241000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1316-96-0x0000000000400000-0x0000000000424000-memory.dmp

                Filesize

                144KB

                Download

              • memory/1316-89-0x00000000001C0000-0x00000000001C9000-memory.dmp

                Filesize

                36KB

                Download

              • memory/1316-88-0x0000000077560000-0x0000000077709000-memory.dmp

                Filesize

                1.7MB

                Download

              • memory/1648-55-0x0000000075321000-0x0000000075323000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1648-62-0x0000000000400000-0x00000000004D8000-memory.dmp

                Filesize

                864KB

                Download

              • memory/1708-84-0x0000000000090000-0x0000000000092000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1708-85-0x0000000077560000-0x0000000077709000-memory.dmp

                Filesize

                1.7MB

                Download

              • memory/1708-86-0x0000000000620000-0x0000000000655000-memory.dmp

                Filesize

                212KB

                Download

              • memory/1764-80-0x0000000000690000-0x000000000069A000-memory.dmp

                Filesize

                40KB

                Download