Analysis

  • max time kernel
    188s
  • max time network
    189s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    08-02-2022 18:02

General

  • Target

    c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe

  • Size

    2.3MB

  • MD5

    adcd1e7797068098efc7b13cdad89450

  • SHA1

    4f5cc3b2bbc0e2d3da8a8a09572708566620f6e2

  • SHA256

    c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736

  • SHA512

    304e003325285c2c710a273e52046d0d9bc9ddbaa46c08a02d18cdb3337fff397714afcd570fe25ff972405825519de62f2fc6367966d9f4443784d0dcaac4db

Score
10/10

Malware Config

Signatures

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

  • ParallaxRat payload 1 IoCs

    Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

  • Drops startup file 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe
    "C:\Users\Admin\AppData\Local\Temp\c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3220
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe"
      2⤵
        PID:3604
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Users\Admin\AppData\Local\Temp\c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe"
        2⤵
          PID:3436
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
        1⤵
        • Drops startup file
        PID:4744
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
        1⤵
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:4616
      • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
        C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
        1⤵
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:3416

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3220-131-0x0000000077D62000-0x0000000077D63000-memory.dmp

        Filesize

        4KB

      • memory/3220-130-0x0000000000B60000-0x0000000000BDB000-memory.dmp

        Filesize

        492KB

      • memory/3220-132-0x0000000000D90000-0x0000000000F33000-memory.dmp

        Filesize

        1.6MB

      • memory/3436-134-0x0000000001150000-0x0000000001151000-memory.dmp

        Filesize

        4KB

      • memory/3436-133-0x0000000077D62000-0x0000000077D63000-memory.dmp

        Filesize

        4KB

      • memory/3436-135-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/4616-136-0x000001F337160000-0x000001F337170000-memory.dmp

        Filesize

        64KB

      • memory/4616-137-0x000001F337720000-0x000001F337730000-memory.dmp

        Filesize

        64KB

      • memory/4616-138-0x000001F339D90000-0x000001F339D94000-memory.dmp

        Filesize

        16KB