Analysis
  max time kernel:  151s
  max time network: 155s
  platform:         windows10-2004_x64
  resource:         win10v2004-en-20220113
  submitted:        06-02-2022 12:05
Static task: static1

Behavioral task: behavioral1
  Sample:   2793e5e5c6dabf88d5bebe53dd5a5bd8ecad007d290dd64901a6fc06cb439233.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample:   2793e5e5c6dabf88d5bebe53dd5a5bd8ecad007d290dd64901a6fc06cb439233.exe
  Resource: win10v2004-en-20220113
General
  Target: 2793e5e5c6dabf88d5bebe53dd5a5bd8ecad007d290dd64901a6fc06cb439233.exe
  Size:   131KB
  MD5:    1538a7e26ee76f01d4db6c37f66223a8
  SHA1:   4c547aa3f4e4008f9463957c846266a8f6645677
  SHA256: 2793e5e5c6dabf88d5bebe53dd5a5bd8ecad007d290dd64901a6fc06cb439233
  SHA512: c93f9bb26532a35a1a5b4166218be1d28e1c4b10ddf15cb65108eb532c6d1817a2b0120bd9e5d5ab3464f8af7f146cf524bc36757665316dba2b469518a0c4ec
Malware Config
Signatures

ParallaxRat payload (1 IoC)
  Detects the payload of Parallax Rat, a small portable RAT usually digitally signed with a Sectigo certificate.
  resource                                      yara_rule
  behavioral2/files/0x000400000001e7c9-130.dat  parallax_rat
Executes dropped EXE (1 IoC)
  pid   Process
  1948  UPX_Compiler.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc:         \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  Process:     2793e5e5c6dabf88d5bebe53dd5a5bd8ecad007d290dd64901a6fc06cb439233.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\UPX = "C:\\Users\\Admin\\AppData\\Roaming\\VBS-Crypter\\UPX_Compiler.exe"
  Process:     UPX_Compiler.exe
Drops file in Windows directory (6 IoCs)
  description                   ioc                                                      Process
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk   svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log   svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log      svchost.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                             svchost.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  4388  2793e5e5c6dabf88d5bebe53dd5a5bd8ecad007d290dd64901a6fc06cb439233.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                       pid   Process
  Token: SeShutdownPrivilege        1424  svchost.exe
  Token: SeCreatePagefilePrivilege  1424  svchost.exe
  Token: SeShutdownPrivilege        1424  svchost.exe
  Token: SeCreatePagefilePrivilege  1424  svchost.exe
  Token: SeShutdownPrivilege        1424  svchost.exe
  Token: SeCreatePagefilePrivilege  1424  svchost.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                                                                procid_target
  PID 4388 wrote to memory of 1948  4388  2793e5e5c6dabf88d5bebe53dd5a5bd8ecad007d290dd64901a6fc06cb439233.exe  82
  PID 4388 wrote to memory of 1948  4388  2793e5e5c6dabf88d5bebe53dd5a5bd8ecad007d290dd64901a6fc06cb439233.exe  82
  PID 4388 wrote to memory of 1948  4388  2793e5e5c6dabf88d5bebe53dd5a5bd8ecad007d290dd64901a6fc06cb439233.exe  82
Processes

C:\Users\Admin\AppData\Local\Temp\2793e5e5c6dabf88d5bebe53dd5a5bd8ecad007d290dd64901a6fc06cb439233.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2793e5e5c6dabf88d5bebe53dd5a5bd8ecad007d290dd64901a6fc06cb439233.exe"
  PID: 4388
  - Checks computer location settings
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\VBS-Crypter\UPX_Compiler.exe (child of PID 4388)
      Command line: "C:\Users\Admin\AppData\Roaming\VBS-Crypter\UPX_Compiler.exe"
      PID: 1948
      - Executes dropped EXE
      - Adds Run key to start application

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1424
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken