Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
09-03-2022 01:10
Static task
static1
Behavioral task
behavioral1
Sample
98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe
Resource
win7-20220223-en
windows7_x64
0 signatures
0 seconds
General
-
Target
98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe
-
Size
5.5MB
-
MD5
af420bd7d59f2a472f7c948f4689f17a
-
SHA1
1df590efa5f7be1c0ad1171180326793f16c43ce
-
SHA256
98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b
-
SHA512
324410bfb594f9f76195c8519fed98fb267a99b00d020bc1cf202e03a8abea16b3a2ac11a593c5487476b3e48b42158202535ae5c094c0661a5f7d3a6c7c7b28
Malware Config
Signatures
-
ParallaxRat payload 1 IoCs
Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.
resource yara_rule behavioral2/memory/1144-140-0x0000000000400000-0x0000000000424000-memory.dmp parallax_rat -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vpm.exe DllHost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vpm.exe DllHost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 212 wrote to memory of 1144 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 67 PID 212 wrote to memory of 1144 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 67 PID 212 wrote to memory of 1144 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 67 PID 212 wrote to memory of 1144 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 67 PID 212 wrote to memory of 1144 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 67 PID 212 wrote to memory of 1144 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 67 PID 212 wrote to memory of 1144 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 67 PID 212 wrote to memory of 1144 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 67 PID 212 wrote to memory of 1144 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 67 PID 212 wrote to memory of 1144 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 67 PID 212 wrote to memory of 1144 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 67 PID 212 wrote to memory of 1144 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 67 PID 212 wrote to memory of 1144 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 67 PID 212 wrote to memory of 1144 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 67 PID 212 wrote to memory of 1144 212 98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe 67
Processes
-
C:\Users\Admin\AppData\Local\Temp\98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe"C:\Users\Admin\AppData\Local\Temp\98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\rundll32.exe"C:\Users\Admin\AppData\Local\Temp\98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe"2⤵PID:1144
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}1⤵
- Drops startup file
PID:3204