Analysis
-
max time kernel
137s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
09-03-2022 17:28
Static task
static1
Behavioral task
behavioral1
Sample
2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe
Resource
win7-20220223-en
windows7_x64
0 signatures
0 seconds
General
-
Target
2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe
-
Size
568KB
-
MD5
e5a0e5c32dec2f65548cb42db24be82a
-
SHA1
838e5c3add083a8fa5612812b2821b05e29de982
-
SHA256
2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181
-
SHA512
d1d36cb71d0001974cdb165e484391769f909f20a82970a311e93582f4e299e4d04e355cd5500f98dfe5a7a40fc4570a957745a16fd247785b553fe15a37dc8b
Malware Config
Signatures
-
ParallaxRat payload 1 IoCs
Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.
resource yara_rule behavioral2/memory/4044-136-0x0000000000400000-0x0000000000424000-memory.dmp parallax_rat -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dllhost.exe DllHost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dllhost.exe DllHost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 4028 wrote to memory of 4044 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 84 PID 4028 wrote to memory of 4044 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 84 PID 4028 wrote to memory of 4044 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 84 PID 4028 wrote to memory of 4044 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 84 PID 4028 wrote to memory of 4044 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 84 PID 4028 wrote to memory of 4044 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 84 PID 4028 wrote to memory of 4044 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 84 PID 4028 wrote to memory of 4044 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 84 PID 4028 wrote to memory of 4044 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 84 PID 4028 wrote to memory of 4044 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 84 PID 4028 wrote to memory of 4044 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 84 PID 4028 wrote to memory of 4044 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 84 PID 4028 wrote to memory of 4044 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 84 PID 4028 wrote to memory of 4044 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 84 PID 4028 wrote to memory of 4044 4028 2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe"C:\Users\Admin\AppData\Local\Temp\2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\Temp\2913f80f95ab29aaa2a217197233a96fb6a964cdd2fdd09e9396922b72316181.exe"2⤵PID:4044
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}1⤵
- Drops startup file
PID:3084