Analysis

  • max time kernel
    4294211s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    09-03-2022 01:10

General

  • Target

    98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe

  • Size

    5.5MB

  • MD5

    af420bd7d59f2a472f7c948f4689f17a

  • SHA1

    1df590efa5f7be1c0ad1171180326793f16c43ce

  • SHA256

    98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b

  • SHA512

    324410bfb594f9f76195c8519fed98fb267a99b00d020bc1cf202e03a8abea16b3a2ac11a593c5487476b3e48b42158202535ae5c094c0661a5f7d3a6c7c7b28

Score
10/10

Malware Config

Signatures

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

  • ParallaxRat payload 1 IoCs

    Detects the payload of Parallax RAT, a small portable RAT that is usually digitally signed with a Sectigo certificate.

  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The signature's generic description reads this as likely ransomware behaviour; in this report it co-occurs with a RAT payload, where drive enumeration is equally consistent with host reconnaissance, so treat the ransomware reading as a possibility rather than a conclusion.

  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe
    "C:\Users\Admin\AppData\Local\Temp\98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Users\Admin\AppData\Local\Temp\98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe"
      2⤵
      PID:1496
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
    1⤵
    • Drops startup file
    PID:568

Downloads

Each dump name encodes the PID, a sequence number and the start/end virtual addresses of the dumped region.

  • memory/1496-58-0x00000000000E0000-0x00000000000E1000-memory.dmp (4KB)
  • memory/1496-62-0x00000000000D0000-0x00000000000D1000-memory.dmp (4KB)
  • memory/1496-63-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
  • memory/1704-54-0x0000000075CC1000-0x0000000075CC3000-memory.dmp (8KB)
  • memory/1704-55-0x0000000000220000-0x000000000029B000-memory.dmp (492KB)
  • memory/1704-56-0x00000000771E0000-0x0000000077360000-memory.dmp (1.5MB)
  • memory/1704-61-0x00000000022F0000-0x0000000002470000-memory.dmp (1.5MB)
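The process tree and dump list above show a pattern worth checking mechanically rather than by eye: the launcher (PID 1704) triggers the WriteProcessMemory signature and spawns rundll32.exe (PID 1496) whose command line is the launcher's own path with no DLL,entry argument, and the only dump of PID 1496 larger than a page begins at 0x400000, the default image base of a 32-bit executable. That is the shape of process hollowing, and the 144KB region is the first thing to carve when looking for the ParallaxRat payload. DllHost (PID 568) sits at depth 1, not under the sample; its /Processid CLSID is the shell's Copy/Move/Rename/Delete/Link Object class, so a startup-folder copy requested through the shell's file-operation COM server is attributed to DllHost rather than to the sample. The script below is an added example, not part of the sandbox report or of any tria.ge tooling. It re-encodes the report's process tree and dump names as inline data transcribed from the page, and the HOLLOW_HOSTS list, the DEFAULT_IMAGE_BASE heuristic and the rundll32 command-line check are the example's own assumptions.

```python
import re

# Constructed input, transcribed from the report above: the sample path and the
# process tree (pid, parent pid, image, command line, behaviour signatures).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe")

PROCESSES = [
    {"pid": 1704, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
     "sigs": {"EnumeratesProcesses", "WriteProcessMemory"}},
    {"pid": 1496, "ppid": 1704, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f'"{SAMPLE}"', "sigs": set()},
    {"pid": 568, "ppid": None, "image": r"C:\Windows\SysWOW64\DllHost.exe",
     "cmdline": r"C:\Windows\SysWOW64\DllHost.exe "
                r"/Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}",
     "sigs": {"Drops startup file"}},
]

# Constructed input: the memory-dump names listed under Downloads.
DUMPS = [
    "memory/1496-58-0x00000000000E0000-0x00000000000E1000-memory.dmp",
    "memory/1496-62-0x00000000000D0000-0x00000000000D1000-memory.dmp",
    "memory/1496-63-0x0000000000400000-0x0000000000424000-memory.dmp",
    "memory/1704-54-0x0000000075CC1000-0x0000000075CC3000-memory.dmp",
    "memory/1704-55-0x0000000000220000-0x000000000029B000-memory.dmp",
    "memory/1704-56-0x00000000771E0000-0x0000000077360000-memory.dmp",
    "memory/1704-61-0x00000000022F0000-0x0000000002470000-memory.dmp",
]

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Assumption of this example: system binaries commonly used as hollowing hosts.
HOLLOW_HOSTS = {"rundll32.exe", "regsvr32.exe", "svchost.exe", "explorer.exe",
                "regasm.exe", "msbuild.exe", "vbc.exe"}

# Assumption: default image base of 32-bit MSVC/MASM executables. A private
# region that starts here inside a host process is a strong hint of a mapped PE.
DEFAULT_IMAGE_BASE = 0x400000


def parse_dump(name):
    """Split a dump name into (pid, seq, start, end); reject anything else."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return (int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def region_size_kb(name):
    """Region size in KiB, the unit the report prints."""
    _, _, start, end = parse_dump(name)
    return (end - start) // 1024


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def cmdline_fits_rundll32(cmdline):
    """A genuine rundll32 launch names a DLL and an export: rundll32 <dll>,<entry>.
    A command line that never mentions rundll32 and carries no DLL,entry pair was
    supplied by the creator, as happens when CreateProcess gets lpApplicationName
    set to the host and lpCommandLine left as the creator's own path."""
    lower = cmdline.lower()
    return "rundll32" in lower and \
        re.search(r'\.(dll|cpl|ocx)"?\s*,\s*\S', lower) is not None


def hollowing_candidates(processes):
    """PIDs that look like hollowed hosts: a known host binary whose parent
    triggered WriteProcessMemory and whose command line does not fit the host."""
    by_pid = {p["pid"]: p for p in processes}
    hits = []
    for p in processes:
        parent = by_pid.get(p["ppid"])
        if parent is None or "WriteProcessMemory" not in parent["sigs"]:
            continue
        host = basename(p["image"])
        if host not in HOLLOW_HOSTS:
            continue
        inherited = p["cmdline"].strip('"').lower() == parent["image"].lower()
        mismatched = host == "rundll32.exe" and not cmdline_fits_rundll32(p["cmdline"])
        if inherited or mismatched:
            hits.append(p["pid"])
    return hits


def image_regions(dumps, pid):
    """Dumped regions of `pid` that begin at the default image base, with sizes."""
    out = []
    for name in dumps:
        dpid, seq, start, end = parse_dump(name)
        if dpid == pid and start == DEFAULT_IMAGE_BASE:
            out.append({"seq": seq, "start": start, "end": end,
                        "size_kb": (end - start) // 1024})
    return out


def triage(processes, dumps):
    """Map each hollowing candidate to the dumps worth opening first."""
    return {pid: image_regions(dumps, pid) for pid in hollowing_candidates(processes)}


if __name__ == "__main__":
    for pid, regions in triage(PROCESSES, DUMPS).items():
        print(f"PID {pid}: likely hollowed host")
        for r in regions:
            print(f"  seq {r['seq']}: 0x{r['start']:08X}-0x{r['end']:08X} "
                  f"({r['size_kb']}KB) - carve a PE from here first")
```

On this report the script flags PID 1496 and points at the 0x400000-0x424000 dump; the two 1.5MB regions in PID 1704 (one in a system-DLL address range, one on the heap) are the launcher's own working set and are not image-base regions, so they are left for a second pass.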