Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    09-03-2022 01:10

General

  • Target

    98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe

  • Size

    5.5MB

  • MD5

    af420bd7d59f2a472f7c948f4689f17a

  • SHA1

    1df590efa5f7be1c0ad1171180326793f16c43ce

  • SHA256

    98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b

  • SHA512

    324410bfb594f9f76195c8519fed98fb267a99b00d020bc1cf202e03a8abea16b3a2ac11a593c5487476b3e48b42158202535ae5c094c0661a5f7d3a6c7c7b28

Score
10/10

Malware Config

Signatures

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

  • ParallaxRat payload 1 IoCs

    Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe
    "C:\Users\Admin\AppData\Local\Temp\98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:212
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Users\Admin\AppData\Local\Temp\98c0aced2f9a5bc1b55f1c52e31861a0d99e8932e9646d83c1b87ac4c81d541b.exe"
      2⤵
        PID:1144
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
      1⤵
      • Drops startup file
      PID:3204

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/212-133-0x0000000000DE0000-0x0000000000E5B000-memory.dmp

    Filesize

    492KB

  • memory/212-134-0x0000000076F80000-0x0000000077123000-memory.dmp

    Filesize

    1.6MB

  • memory/212-136-0x00000000026D0000-0x0000000002873000-memory.dmp

    Filesize

    1.6MB

  • memory/1144-138-0x0000000076F80000-0x0000000077123000-memory.dmp

    Filesize

    1.6MB

  • memory/1144-139-0x0000000003000000-0x0000000003001000-memory.dmp

    Filesize

    4KB

  • memory/1144-140-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB