Analysis

max time kernel: 4294222s
max time network: 170s
platform: windows7_x64
resource: win7-20220311-en
submitted: 20-03-2022 02:37
Static task: static1
Behavioral task: behavioral1

Sample: fc07371c92faebf79d7c407e16bd093eb0274880af99c14a1b726949e89d3a8d.exe
Resource: win7-20220311-en (windows7_x64)
0 signatures, 0 seconds
General

Target: fc07371c92faebf79d7c407e16bd093eb0274880af99c14a1b726949e89d3a8d.exe
Size: 872KB
MD5: e4fb6da4206e2aa524439c9e7bb5f399
SHA1: 19b93e426a64c7ae0c8705b472468655e9992ca6
SHA256: fc07371c92faebf79d7c407e16bd093eb0274880af99c14a1b726949e89d3a8d
SHA512: 4d200eb80c2712422322d7b4dcb196b900e1ca7e11bb27599896961cb21c61772d7812c477b0d4cab9bbb79da6ce9c2b03159f8faf3018a0cd85d939eee37c88
Malware Config

(none extracted)

Signatures
ParallaxRat payload (1 IoC)
Detects the payload of Parallax RAT, a small portable RAT usually digitally signed with a Sectigo certificate.
resource: behavioral1/memory/1500-64-0x0000000000400000-0x0000000000424000-memory.dmp
yara_rule: parallax_rat
Drops startup file (1 IoC)
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\montr.exe
Process: DllHost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (21 IoCs)
pid: 1996
Process: fc07371c92faebf79d7c407e16bd093eb0274880af99c14a1b726949e89d3a8d.exe
(the same pid/process pair is recorded 21 times)
Suspicious use of WriteProcessMemory (16 IoCs)
description: PID 1996 wrote to memory of 1500
pid: 1996
Process: fc07371c92faebf79d7c407e16bd093eb0274880af99c14a1b726949e89d3a8d.exe
procid_target: 28
(the same write from PID 1996 to PID 1500 is recorded 16 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\fc07371c92faebf79d7c407e16bd093eb0274880af99c14a1b726949e89d3a8d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fc07371c92faebf79d7c407e16bd093eb0274880af99c14a1b726949e89d3a8d.exe"
   PID: 1996
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (child of PID 1996)
      Command line: "C:\Users\Admin\AppData\Local\Temp\fc07371c92faebf79d7c407e16bd093eb0274880af99c14a1b726949e89d3a8d.exe"
      PID: 1500

1. C:\Windows\SysWOW64\DllHost.exe
   Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
   PID: 1640
   - Drops startup file