Overview

overview

10

Static

static

cb55e00c2f...e9.exe

windows7_x64

10

cb55e00c2f...e9.exe

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    10-11-2021 10:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cb55e00c2fc38e06759379f12f6ab27310d6b61f27a3c510549f326afb17d0e9.exe

  • Size

    2.2MB

  • MD5

    135abdbf6c27453815906380cb4b568a

  • SHA1

    a6b5fc116b667ca4c1c33f4a636d5d678c1fc270

  • SHA256

    cb55e00c2fc38e06759379f12f6ab27310d6b61f27a3c510549f326afb17d0e9

  • SHA512

    b6136ab88abf64bcfed022d09e5b921db43e9c3337416c630e33c236a1db72a20720395b77cb20be5436969336f335b460e761c76b449bea15e1bfffcf5603ed

Score
10/10
parallaxratsuricataupx

Malware Config

Signatures

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

    ratparallax
  • ParallaxRat payload 1 IoCs

    Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

  • suricata: ET MALWARE Parallax CnC Response Activity M14

    suricata: ET MALWARE Parallax CnC Response Activity M14

    suricata
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb55e00c2fc38e06759379f12f6ab27310d6b61f27a3c510549f326afb17d0e9.exe
    "C:\Users\Admin\AppData\Local\Temp\cb55e00c2fc38e06759379f12f6ab27310d6b61f27a3c510549f326afb17d0e9.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:724
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
        PID:1876

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/724-55-0x0000000074E51000-0x0000000074E53000-memory.dmp

      Filesize

      8KB

      Download

    • memory/724-56-0x0000000000400000-0x0000000000630000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/1876-57-0x0000000000080000-0x0000000000082000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1876-60-0x0000000000080000-0x0000000000082000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1876-61-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

      Download