Overview

overview

10

Static

static

452e41c2ea...in.exe

windows7_x64

10

452e41c2ea...in.exe

windows10_x64

4

Analysis

  • max time kernel
    117s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    09-12-2021 07:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    452e41c2ea90d817a0a293c1a1b5f79e8e8f52ac9c74bf9c6e34a896de1408b6.bin.exe

  • Size

    3.3MB

  • MD5

    c46bfdcee95bb995c627283835c746e3

  • SHA1

    1d61f1843b9d0a2779c2d522fa6755b55627b4f1

  • SHA256

    452e41c2ea90d817a0a293c1a1b5f79e8e8f52ac9c74bf9c6e34a896de1408b6

  • SHA512

    844a0d01ef7a832f13e428df0a594ee61aaa9f1208edbdbcdb8aefbef4573104a776b3eb766a75680c78da829dda80d68a80a6426a01165869bb8b8e228105c2

Score
10/10
parallaxratupx

Malware Config

Signatures

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

    ratparallax
  • ParallaxRat payload 1 IoCs

    Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\452e41c2ea90d817a0a293c1a1b5f79e8e8f52ac9c74bf9c6e34a896de1408b6.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\452e41c2ea90d817a0a293c1a1b5f79e8e8f52ac9c74bf9c6e34a896de1408b6.bin.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c xcopy "C:\Users\Admin\AppData\Local\Temp\452e41c2ea90d817a0a293c1a1b5f79e8e8f52ac9c74bf9c6e34a896de1408b6.bin.exe" "%ProgramFiles%\Security\" /y /i /c /q
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1348
      • C:\Windows\SysWOW64\xcopy.exe
        xcopy "C:\Users\Admin\AppData\Local\Temp\452e41c2ea90d817a0a293c1a1b5f79e8e8f52ac9c74bf9c6e34a896de1408b6.bin.exe" "C:\Program Files (x86)\Security\" /y /i /c /q
        3⤵
        • Drops file in Program Files directory
        • Enumerates system info in registry
        PID:572
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks /create /sc ONLOGON /tn "Security" /tr "%ProgramFiles%\Security\452e41c2ea90d817a0a293c1a1b5f79e8e8f52ac9c74bf9c6e34a896de1408b6.bin.exe" /it /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:672
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\452e41c2ea90d817a0a293c1a1b5f79e8e8f52ac9c74bf9c6e34a896de1408b6.bin.exe" /it /f
        3⤵
        • Creates scheduled task(s)
        PID:872
    • C:\Windows\SysWOW64\xwizard.exe
      C:\Windows\System32\xwizard.exe
      2⤵
        PID:1564

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1564-80-0x0000000000418000-0x0000000000428000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1564-79-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1564-78-0x0000000000940000-0x0000000000AC0000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1564-77-0x0000000000080000-0x0000000000083000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1564-72-0x0000000000940000-0x0000000000AC0000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1564-68-0x0000000000080000-0x0000000000083000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1744-67-0x0000000015950000-0x000000001595C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1744-74-0x000000004A6B0000-0x000000004A6FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1744-62-0x0000000002330000-0x00000000024B0000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1744-59-0x0000000005220000-0x0000000005221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1744-71-0x000000004A6B0000-0x000000004A6FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1744-61-0x0000000002330000-0x00000000024B0000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1744-73-0x000000004A6B0000-0x000000004A6FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1744-54-0x0000000075761000-0x0000000075763000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1744-76-0x000000004A6B0000-0x000000004A6FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1744-75-0x000000004A6B0000-0x000000004A6FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1744-60-0x0000000002330000-0x00000000024B0000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1744-58-0x00000000002E0000-0x00000000002E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1744-57-0x00000000002D0000-0x00000000002D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1744-56-0x0000000000080000-0x000000000008B000-memory.dmp

      Filesize

      44KB

      Download