Analysis
-
max time kernel
188s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
08-02-2022 18:02
Static task
static1
Behavioral task
behavioral1
Sample
c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
General
-
Target
c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe
-
Size
2.3MB
-
MD5
adcd1e7797068098efc7b13cdad89450
-
SHA1
4f5cc3b2bbc0e2d3da8a8a09572708566620f6e2
-
SHA256
c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736
-
SHA512
304e003325285c2c710a273e52046d0d9bc9ddbaa46c08a02d18cdb3337fff397714afcd570fe25ff972405825519de62f2fc6367966d9f4443784d0dcaac4db
Malware Config
Signatures
-
ParallaxRat payload 1 IoCs
Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.
resource yara_rule behavioral2/memory/3436-135-0x0000000000400000-0x0000000000424000-memory.dmp parallax_rat -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vpm.exe DllHost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vpm.exe DllHost.exe -
Drops file in Windows directory 8 IoCs
description ioc Process File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
pid Process 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 4616 svchost.exe Token: SeCreatePagefilePrivilege 4616 svchost.exe Token: SeShutdownPrivilege 4616 svchost.exe Token: SeCreatePagefilePrivilege 4616 svchost.exe Token: SeShutdownPrivilege 4616 svchost.exe Token: SeCreatePagefilePrivilege 4616 svchost.exe Token: SeSecurityPrivilege 3416 TiWorker.exe Token: SeRestorePrivilege 3416 TiWorker.exe Token: SeBackupPrivilege 3416 TiWorker.exe Token: SeBackupPrivilege 3416 TiWorker.exe Token: SeRestorePrivilege 3416 TiWorker.exe Token: SeSecurityPrivilege 3416 TiWorker.exe Token: SeBackupPrivilege 3416 TiWorker.exe Token: SeRestorePrivilege 3416 TiWorker.exe Token: SeSecurityPrivilege 3416 TiWorker.exe Token: SeBackupPrivilege 3416 TiWorker.exe Token: SeRestorePrivilege 3416 TiWorker.exe Token: SeSecurityPrivilege 3416 TiWorker.exe Token: SeBackupPrivilege 3416 TiWorker.exe Token: SeRestorePrivilege 3416 TiWorker.exe Token: SeSecurityPrivilege 3416 TiWorker.exe Token: SeBackupPrivilege 3416 TiWorker.exe Token: SeRestorePrivilege 3416 TiWorker.exe Token: SeSecurityPrivilege 3416 TiWorker.exe Token: SeBackupPrivilege 3416 TiWorker.exe Token: SeRestorePrivilege 3416 TiWorker.exe Token: SeSecurityPrivilege 3416 TiWorker.exe Token: SeBackupPrivilege 3416 TiWorker.exe Token: SeRestorePrivilege 3416 TiWorker.exe Token: SeSecurityPrivilege 3416 TiWorker.exe Token: SeBackupPrivilege 3416 TiWorker.exe Token: SeRestorePrivilege 3416 TiWorker.exe Token: SeSecurityPrivilege 3416 TiWorker.exe Token: SeBackupPrivilege 3416 TiWorker.exe Token: SeRestorePrivilege 3416 TiWorker.exe Token: SeSecurityPrivilege 3416 TiWorker.exe Token: SeBackupPrivilege 3416 TiWorker.exe Token: SeRestorePrivilege 3416 TiWorker.exe Token: SeSecurityPrivilege 3416 TiWorker.exe Token: SeBackupPrivilege 3416 TiWorker.exe Token: SeRestorePrivilege 3416 TiWorker.exe Token: SeSecurityPrivilege 3416 TiWorker.exe Token: SeBackupPrivilege 3416 TiWorker.exe Token: SeRestorePrivilege 3416 TiWorker.exe Token: SeSecurityPrivilege 3416 TiWorker.exe Token: SeBackupPrivilege 3416 TiWorker.exe Token: SeRestorePrivilege 3416 TiWorker.exe Token: SeSecurityPrivilege 3416 TiWorker.exe Token: SeBackupPrivilege 3416 TiWorker.exe Token: SeRestorePrivilege 3416 TiWorker.exe Token: SeSecurityPrivilege 3416 TiWorker.exe Token: SeBackupPrivilege 3416 TiWorker.exe Token: SeRestorePrivilege 3416 TiWorker.exe Token: SeSecurityPrivilege 3416 TiWorker.exe Token: SeBackupPrivilege 3416 TiWorker.exe Token: SeRestorePrivilege 3416 TiWorker.exe Token: SeSecurityPrivilege 3416 TiWorker.exe Token: SeBackupPrivilege 3416 TiWorker.exe Token: SeRestorePrivilege 3416 TiWorker.exe Token: SeSecurityPrivilege 3416 TiWorker.exe Token: SeBackupPrivilege 3416 TiWorker.exe Token: SeRestorePrivilege 3416 TiWorker.exe Token: SeSecurityPrivilege 3416 TiWorker.exe Token: SeBackupPrivilege 3416 TiWorker.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 3220 wrote to memory of 3604 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 88 PID 3220 wrote to memory of 3604 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 88 PID 3220 wrote to memory of 3604 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 88 PID 3220 wrote to memory of 3436 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 89 PID 3220 wrote to memory of 3436 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 89 PID 3220 wrote to memory of 3436 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 89 PID 3220 wrote to memory of 3436 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 89 PID 3220 wrote to memory of 3436 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 89 PID 3220 wrote to memory of 3436 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 89 PID 3220 wrote to memory of 3436 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 89 PID 3220 wrote to memory of 3436 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 89 PID 3220 wrote to memory of 3436 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 89 PID 3220 wrote to memory of 3436 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 89 PID 3220 wrote to memory of 3436 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 89 PID 3220 wrote to memory of 3436 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 89 PID 3220 wrote to memory of 3436 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 89 PID 3220 wrote to memory of 3436 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 89 PID 3220 wrote to memory of 3436 3220 c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe"C:\Users\Admin\AppData\Local\Temp\c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\cmd.exe"C:\Users\Admin\AppData\Local\Temp\c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe"2⤵PID:3604
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Users\Admin\AppData\Local\Temp\c779c44651b3f0c11a913b74202de89dc091e5fc4f0e10eef63faaec51d57736.exe"2⤵PID:3436
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}1⤵
- Drops startup file
PID:4744
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4616
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3416