Analysis

  • max time kernel
    4294225s
  • max time network
    180s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    19-03-2022 16:27

General

  • Target

    fb0e29d13c0d6f91a13ff92ab66aaf70200e65842d7c4ecf45b0d3afaf7d12d3.exe

  • Size

    887KB

  • MD5

    11a38e5469c9c0accdcc5c9663fee890

  • SHA1

    3ebb8eb0353703bafbe9108eff332d55f0e801b4

  • SHA256

    fb0e29d13c0d6f91a13ff92ab66aaf70200e65842d7c4ecf45b0d3afaf7d12d3

  • SHA512

    82a62d52d22b756b9ac91659c7e781123645c91a64db0daa952fabe49e20dc9bb8a8e5b71773dd9e8b5fadce1810190d5d2186ce5138127c62987aa13f6f2354

Score
10/10

Malware Config

Signatures

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

  • ParallaxRat payload 1 IoCs

    Detects the payload of Parallax RAT, a small portable RAT usually digitally signed with a Sectigo certificate.

  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb0e29d13c0d6f91a13ff92ab66aaf70200e65842d7c4ecf45b0d3afaf7d12d3.exe
    "C:\Users\Admin\AppData\Local\Temp\fb0e29d13c0d6f91a13ff92ab66aaf70200e65842d7c4ecf45b0d3afaf7d12d3.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Users\Admin\AppData\Local\Temp\fb0e29d13c0d6f91a13ff92ab66aaf70200e65842d7c4ecf45b0d3afaf7d12d3.exe"
      2⤵
        PID:2040
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
      1⤵
      • Drops startup file
      PID:1264

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2016-54-0x0000000075801000-0x0000000075803000-memory.dmp
    Filesize: 8KB
  • memory/2016-55-0x00000000001B0000-0x00000000001B1000-memory.dmp
    Filesize: 4KB
  • memory/2016-56-0x00000000021D0000-0x000000000224B000-memory.dmp
    Filesize: 492KB
  • memory/2016-57-0x0000000077D70000-0x0000000077EF0000-memory.dmp
    Filesize: 1.5MB
  • memory/2016-62-0x0000000003120000-0x00000000032A0000-memory.dmp
    Filesize: 1.5MB
  • memory/2040-59-0x00000000000E0000-0x00000000000E1000-memory.dmp
    Filesize: 4KB
  • memory/2040-63-0x00000000000D0000-0x00000000000D1000-memory.dmp
    Filesize: 4KB
  • memory/2040-64-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize: 144KB