Analysis
- max time kernel: 4294209s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220223-en
- submitted: 26-02-2022 06:56
Static task: static1
Behavioral task: behavioral1
- Sample: b51e81e44593c2c42ae412b692c46be3c6b1e4ac46c951e708618da5919403d3.exe
- Resource: win7-20220223-en
Behavioral task: behavioral2
- Sample: b51e81e44593c2c42ae412b692c46be3c6b1e4ac46c951e708618da5919403d3.exe
- Resource: win10v2004-en-20220113
General
- Target: b51e81e44593c2c42ae412b692c46be3c6b1e4ac46c951e708618da5919403d3.exe
- Size: 1016KB
- MD5: cf04ef7185ddf7d7eb50cdda20987b52
- SHA1: 300e4d06ce151141c8b858c2a752be1fa0d53ad8
- SHA256: b51e81e44593c2c42ae412b692c46be3c6b1e4ac46c951e708618da5919403d3
- SHA512: e596a1ce2a0d24681289f7e84ed24fe70a768bdb160eda5c4c39be3dd061d1cdf0309792aef03c2944e51fc630a3f2f7aa693c1e984aef69762f4bb3d77e98e7
Malware Config
Signatures
- ParallaxRat payload (2 IoCs)
  Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.
  resource: behavioral1/memory/1056-56-0x0000000000400000-0x0000000000507000-memory.dmp; yara_rule: parallax_rat
  resource: behavioral1/memory/580-59-0x0000000000400000-0x0000000000507000-memory.dmp; yara_rule: parallax_rat
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\Users\\Admin\\AppData\\Roaming\\System32\\csrss.exe.exe"; Process: csrss.exe.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: RenamesItself (1 IoCs)
  pid: 1056; Process: b51e81e44593c2c42ae412b692c46be3c6b1e4ac46c951e708618da5919403d3.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 1056 wrote to memory of 580; pid: 1056; Process: b51e81e44593c2c42ae412b692c46be3c6b1e4ac46c951e708618da5919403d3.exe; procid_target: 27
  description: PID 1056 wrote to memory of 580; pid: 1056; Process: b51e81e44593c2c42ae412b692c46be3c6b1e4ac46c951e708618da5919403d3.exe; procid_target: 27
  description: PID 1056 wrote to memory of 580; pid: 1056; Process: b51e81e44593c2c42ae412b692c46be3c6b1e4ac46c951e708618da5919403d3.exe; procid_target: 27
  description: PID 1056 wrote to memory of 580; pid: 1056; Process: b51e81e44593c2c42ae412b692c46be3c6b1e4ac46c951e708618da5919403d3.exe; procid_target: 27
Processes
- C:\Users\Admin\AppData\Local\Temp\b51e81e44593c2c42ae412b692c46be3c6b1e4ac46c951e708618da5919403d3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b51e81e44593c2c42ae412b692c46be3c6b1e4ac46c951e708618da5919403d3.exe"
  PID: 1056
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\System32\csrss.exe.exe
    Command line: "C:\Users\Admin\AppData\Roaming\System32\csrss.exe.exe"
    PID: 580
    - Adds Run key to start application