Analysis
- max time kernel: 153s
- max time network: 157s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 05-02-2022 15:58
Static task: static1
Behavioral task: behavioral1
  Sample: 505aa5b6bf77290ec7ccdd2b24b8ff8ef779f01d57ad690f632d8b2736f2a8dd.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 505aa5b6bf77290ec7ccdd2b24b8ff8ef779f01d57ad690f632d8b2736f2a8dd.exe
  Resource: win10v2004-en-20220113
General
- Target: 505aa5b6bf77290ec7ccdd2b24b8ff8ef779f01d57ad690f632d8b2736f2a8dd.exe
- Size: 2.7MB
- MD5: 5774817a431cf389bbbf1d9a2b48e9ad
- SHA1: ef6e9aacde563df50771cf5037d6cd4bd1b7a470
- SHA256: 505aa5b6bf77290ec7ccdd2b24b8ff8ef779f01d57ad690f632d8b2736f2a8dd
- SHA512: bf6ec01eab4b04c9f3c43c4f4c9eb4885125b1e80d47452b46a54890da95bc146f33024f264cc9a84060310a311b0aa6b227dedbe145eaca97f40814dc0f9bee
Malware Config
Signatures
- ParallaxRat payload (1 IoC)
  Detects the payload of Parallax RAT, a small portable RAT that is usually digitally signed with a Sectigo certificate.
  resource: behavioral1/memory/1632-62-0x0000000000400000-0x0000000000424000-memory.dmp
  yara_rule: parallax_rat
  The rule fires on a memory dump of PID 1632 (the second instance of the sample) covering 0x400000-0x424000, the usual image base of a 32-bit executable, and not on the file as submitted. Read together with the WriteProcessMemory entries below, this is consistent with the first instance spawning a copy of itself and writing the unpacked payload into it; the packed on-disk sample is what static scanners see.
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
  Process: DllHost.exe
  The dropped file reuses the name of a Windows system binary; the real svchost.exe lives under C:\Windows\System32 (and SysWOW64) and is never placed in a user's Startup folder. The file is created by the COM surrogate DllHost.exe (PID 940), not by the sample's own process tree, so a detection keyed only on children of the sample would miss the persistence step.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the technique. A RAT that enumerates drives to build a file listing trips it just as readily, so on its own it is weak evidence of ransomware.
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid: 1332
  Process: 505aa5b6bf77290ec7ccdd2b24b8ff8ef779f01d57ad690f632d8b2736f2a8dd.exe
  (the same pid/process entry is recorded 20 times)
- Suspicious use of WriteProcessMemory (13 IoCs)
  description: PID 1332 wrote to memory of 1632
  pid: 1332
  Process: 505aa5b6bf77290ec7ccdd2b24b8ff8ef779f01d57ad690f632d8b2736f2a8dd.exe
  procid_target: 28
  (the same entry is recorded 13 times; every write goes from the first instance of the sample into the second)
Processes
- C:\Users\Admin\AppData\Local\Temp\505aa5b6bf77290ec7ccdd2b24b8ff8ef779f01d57ad690f632d8b2736f2a8dd.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\505aa5b6bf77290ec7ccdd2b24b8ff8ef779f01d57ad690f632d8b2736f2a8dd.exe"
  PID: 1332 (level 1)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\505aa5b6bf77290ec7ccdd2b24b8ff8ef779f01d57ad690f632d8b2736f2a8dd.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\505aa5b6bf77290ec7ccdd2b24b8ff8ef779f01d57ad690f632d8b2736f2a8dd.exe"
    PID: 1632 (level 2, child of 1332; target of the WriteProcessMemory calls and location of the parallax_rat memory hit)
- C:\Windows\SysWOW64\DllHost.exe
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
  PID: 940 (level 1)
  - Drops startup file
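The two behaviours worth alerting on in this report are a process writing into the memory of a second instance of its own image, and an executable with a system-binary name dropped into a user's Startup folder. The following Python is an added example, not part of the sandbox report or of any detection product; it parses rows in the flattened form this page prints them (the "PID X wrote to memory of Y" description, pid, process image and procid_target columns) and applies both checks. The sample rows and the pid-to-image map are constructed from this report, and the SYSTEM_BINARY_NAMES list is an illustrative assumption, not an exhaustive one.

```python
import re
from collections import Counter

# Constructed from this report: the sample name, its on-disk path, the process map
# from the Processes section and the single startup-folder drop.
SAMPLE = "505aa5b6bf77290ec7ccdd2b24b8ff8ef779f01d57ad690f632d8b2736f2a8dd.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
PROCESSES = {
    1332: SAMPLE_PATH,                      # first instance of the sample
    1632: SAMPLE_PATH,                      # second instance, spawned by 1332
    940: r"C:\Windows\SysWOW64\DllHost.exe",  # COM surrogate that created the drop
}
# The WriteProcessMemory signature lists the same row 13 times.
WRITE_ROWS = [f"PID 1332 wrote to memory of 1632 1332 {SAMPLE} 28"] * 13
DROP_ROWS = [
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe",
     "DllHost.exe"),
]

# Assumed, illustrative list of Windows binaries that have no business outside
# the system directories; extend it for your own environment.
SYSTEM_BINARY_NAMES = {
    "svchost.exe", "dllhost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "explorer.exe", "rundll32.exe", "services.exe", "conhost.exe",
}

# description  pid  Process  procid_target, exactly as the report flattens them
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_write_rows(rows):
    """Collapse repeated WriteProcessMemory rows into (src_pid, dst_pid, image) -> count."""
    counts = Counter()
    for row in rows:
        m = WRITE_RE.match(row.strip())
        if not m:
            continue  # not a WriteProcessMemory row; skip silently
        src, dst, _pid, image, _procid_target = m.groups()
        counts[(int(src), int(dst), image)] += 1
    return counts


def find_self_injection(write_counts, processes):
    """Flag writes whose target runs the same image as the writer (hollowing-style)."""
    hits = []
    for (src, dst, _image), n in write_counts.items():
        src_image = processes.get(src)
        if src != dst and src_image is not None and src_image == processes.get(dst):
            hits.append({"source": src, "target": dst, "image": src_image, "writes": n})
    return hits


def find_startup_drops(drops):
    """Flag executables written to a per-user Startup folder, noting name impersonation."""
    hits = []
    for path, creator in drops:
        low = path.lower().replace("/", "\\")
        name = low.rsplit("\\", 1)[-1]
        in_startup = "\\start menu\\programs\\startup\\" in low
        if in_startup and name.endswith(".exe"):
            hits.append({
                "path": path,
                "creator": creator,
                "impersonates_system_binary": name in SYSTEM_BINARY_NAMES,
            })
    return hits


def summarize(write_rows=WRITE_ROWS, processes=PROCESSES, drops=DROP_ROWS):
    """Run both checks over one report and return the findings."""
    return {
        "self_injection": find_self_injection(parse_write_rows(write_rows), processes),
        "startup_drops": find_startup_drops(drops),
    }


if __name__ == "__main__":
    for kind, findings in summarize().items():
        for f in findings:
            print(kind, f)
```

Both checks key on relationships the report already exposes rather than on the sample hash, so they carry over to the next Parallax build: a fresh packer changes the hash and the YARA offset, but not the parent-writes-into-copy-of-itself pattern or the svchost.exe name in a Startup folder.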