Analysis
-
max time kernel
151s -
max time network
137s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
05-02-2022 16:17
Static task
static1
Behavioral task
behavioral1
Sample
4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe
Resource
win10v2004-en-20220113
General
-
Target
4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe
-
Size
2.2MB
-
MD5
79d702974c9b1588b1ad025fafad4d0a
-
SHA1
88de570baf2c2a3fcb74c952669e9867706c343f
-
SHA256
4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159
-
SHA512
4970fe0e9849d0f0f7dd2201d20d1345deb53a686b18304c0e16af96b369964bb79e89b3bcd84c47eb30ad0a93777ad3d66842e77bcdb80b98df3cfaba0e0f12
Malware Config
Signatures
-
ParallaxRat payload 1 IoCs
Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.
resource yara_rule behavioral1/memory/1688-63-0x0000000000400000-0x0000000000424000-memory.dmp parallax_rat -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe DllHost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1436 wrote to memory of 1688 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 28 PID 1436 wrote to memory of 1688 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 28 PID 1436 wrote to memory of 1688 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 28 PID 1436 wrote to memory of 1688 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 28 PID 1436 wrote to memory of 1688 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 28 PID 1436 wrote to memory of 1688 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 28 PID 1436 wrote to memory of 1688 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 28 PID 1436 wrote to memory of 1688 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 28 PID 1436 wrote to memory of 1688 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 28 PID 1436 wrote to memory of 1688 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 28 PID 1436 wrote to memory of 1688 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 28 PID 1436 wrote to memory of 1688 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 28 PID 1436 wrote to memory of 1688 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 28 PID 1436 wrote to memory of 1688 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 28 PID 1436 wrote to memory of 1688 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 28 PID 1436 wrote to memory of 1688 1436 4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe"C:\Users\Admin\AppData\Local\Temp\4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\calc.exe"C:\Users\Admin\AppData\Local\Temp\4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159.exe"2⤵PID:1688
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}1⤵
- Drops startup file
PID:1692