Analysis
- max time kernel: 4294208s
- max time network: 173s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 19-03-2022 20:29
Static task: static1
Behavioral task: behavioral1
- Sample: 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe
- Resource: win7-20220311-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe
- Size: 4.9MB
- MD5: 20895e7661c07d7668e22bf5865a75be
- SHA1: f1783b80c5f2cd2ca1771a238015f8b2846610c6
- SHA256: 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c
- SHA512: ff06ee5df939b6b03d8ea8509cff28d103b2c8e1bf804b4e17942b29302b80d695cdb6e51b91d1991c6c7654e3c96c59b2b012fc4d8088dbed847510973dad18
Malware Config
Signatures
- ParallaxRat payload (1 IoC)
  Detects the payload of Parallax RAT, a small portable RAT usually digitally signed with a Sectigo certificate.
  resource | yara_rule
  behavioral1/memory/456-61-0x0000000000400000-0x0000000000424000-memory.dmp | parallax_rat
- Suspicious behavior: EnumeratesProcesses (21 IoCs)
  pid | Process
  792 | 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe (21 identical rows)
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 792 wrote to memory of 456 | 792 | 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe | 29 (16 identical rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe (PID 792)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\calc.exe (PID 456, child of PID 792)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe"

Note the mismatch in the child process: its on-disk image is the 32-bit calc.exe, but its recorded command line is the sample's own path. That is what a child shows when the parent calls CreateProcess with the decoy as the application name and its own path as the command line. Combined with the 16 WriteProcessMemory events from PID 792 into PID 456 and the parallax_rat YARA hit on the memory dump named for PID 456 (region 0x0000000000400000-0x0000000000424000, the default image base of a 32-bit PE), this is the pattern of the payload being written into the spawned calc.exe rather than running from the dropper itself.
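The checks described above, as an added example that is not part of the sandbox report: a small Python checker that parses rows shaped like this report's Processes tree, WriteProcessMemory table and YARA memory-dump name (all constructed inline from the values on this page) and flags a process whose on-disk image differs from the command line it was started with, whose parent wrote to its memory, and whose memory dump carried a YARA hit. The row layout, the meaning of the fields in the dump name, and the use of 0x400000 as a hint are assumptions about this report format, not something the page documents.

```python
import re
from collections import Counter

# Constructed from the report's Processes tree: (pid, parent pid, image path, command line).
SAMPLE = "5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
PROCESSES = [
    (792, None, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    (456, 792, "C:\\Windows\\SysWOW64\\calc.exe", f'"{SAMPLE_PATH}"'),
]

# Constructed from the WriteProcessMemory signature (16 identical rows in the report).
WRITE_EVENTS = ["PID 792 wrote to memory of 456"] * 16

# Constructed from the ParallaxRat YARA hit: (memory dump name, rule name).
YARA_HITS = [
    ("behavioral1/memory/456-61-0x0000000000400000-0x0000000000424000-memory.dmp", "parallax_rat"),
]

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
# Assumed dump-name layout: <pid>-<opaque id>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
LEGACY_IMAGE_BASE = 0x400000  # default base of a 32-bit PE; only a hint, not proof


def parse_write_event(text):
    """Return (writer pid, target pid) from a 'PID X wrote to memory of Y' row."""
    m = WRITE_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised WriteProcessMemory row: {text!r}")
    return int(m.group(1)), int(m.group(2))


def parse_dump_name(name):
    """Return (pid, region start, region end) from a memory dump name."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    return int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)


def image_from_cmdline(cmdline):
    """Lower-cased basename of the executable named first in a command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        exe = cmdline[1:cmdline.index('"', 1)]
    else:
        exe = cmdline.split()[0]
    return exe.rsplit("\\", 1)[-1].lower()


def find_hollowing_candidates(processes, write_events, yara_hits):
    """Flag children whose image path and command line name different executables
    and whose parent wrote into their memory; attach YARA hits on their dumps."""
    writes = Counter(parse_write_event(e) for e in write_events)
    hits = {}
    for name, rule in yara_hits:
        pid, start, end = parse_dump_name(name)
        hits.setdefault(pid, []).append((rule, start, end))

    candidates = []
    for pid, ppid, image, cmdline in processes:
        disk_image = image.rsplit("\\", 1)[-1].lower()
        cmd_image = image_from_cmdline(cmdline)
        if ppid is None or disk_image == cmd_image:
            continue
        n_writes = writes.get((ppid, pid), 0)
        if n_writes == 0:
            continue
        candidates.append({
            "pid": pid,
            "parent": ppid,
            "image": disk_image,
            "cmdline_image": cmd_image,
            "write_events": n_writes,
            "yara": hits.get(pid, []),
            "at_image_base": any(s == LEGACY_IMAGE_BASE for _, s, _ in hits.get(pid, [])),
        })
    return candidates


if __name__ == "__main__":
    for c in find_hollowing_candidates(PROCESSES, WRITE_EVENTS, YARA_HITS):
        rules = ", ".join(f"{r} @ {s:#x}-{e:#x}" for r, s, e in c["yara"]) or "none"
        print(f"pid {c['pid']} ({c['image']}) started with the command line of "
              f"{c['cmdline_image']} by pid {c['parent']}; {c['write_events']} memory "
              f"writes from parent; YARA: {rules}; at default image base: {c['at_image_base']}")
```

The image-versus-command-line mismatch alone is a weak signal (legitimate launchers can do the same), which is why the checker requires the parent-to-child memory writes as well and only attaches the YARA hit and image-base hint as corroboration.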