Analysis

  • max time kernel
    150s
  • max time network
    170s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    18-04-2022 09:27

General

  • Target

    7a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0.exe

  • Size

    510KB

  • MD5

    9564841aec80fb40ee9c1c431d85e28b

  • SHA1

    2e7b383bb344e69fd7168f000b6ba62b4aeec2d7

  • SHA256

    7a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0

  • SHA512

    11e1da2d7fb6a5caeae443a0c09b951c4e7557873b3ba346f098ef2a73f285d773e86380bdc66340c350e64e0b66a81e23d725cc13902853a677d7f3d89a7b2c

Score
10/10

Malware Config

Signatures

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

  • ParallaxRat payload 3 IoCs

    Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs

    The one dropped path is Start Menu\Programs\applaunch.exe, not the Startup subfolder, so the match is on the Start Menu tree; the report shows no Run key or Startup-folder entry that would confirm autostart.
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for a RAT it is more consistent with host and drive enumeration, and no file-encryption activity appears elsewhere in this report.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0.exe
    "C:\Users\Admin\AppData\Local\Temp\7a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:360
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\7a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\applaunch.exe"
      2⤵
      PID:1156
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\applaunch.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\applaunch.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\applaunch.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          PID:844

  Reading the tree: the submitted sample (PID 360) uses one cmd.exe to copy itself to Start Menu\Programs\applaunch.exe and a second cmd.exe to run that copy (PID 2008); the comma after /c is in the recorded command line and cmd.exe accepts it as a separator. The copy then starts the .NET host AppLaunch.exe with no arguments (PID 844). SetThreadContext plus WriteProcessMemory from PID 2008 against a freshly started, argument-less AppLaunch.exe is the shape of process hollowing, and the 172KB region at 0x400000 dumped from PID 844 (listed under Downloads) is where the unpacked payload would be expected. cmd.exe runs from SysWOW64 and AppLaunch.exe from Framework rather than Framework64, so this is a 32-bit sample running under WOW64 on the x64 platform.

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\applaunch.exe

        Filesize

        510KB

        MD5

        9564841aec80fb40ee9c1c431d85e28b

        SHA1

        2e7b383bb344e69fd7168f000b6ba62b4aeec2d7

        SHA256

        7a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0

        SHA512

        11e1da2d7fb6a5caeae443a0c09b951c4e7557873b3ba346f098ef2a73f285d773e86380bdc66340c350e64e0b66a81e23d725cc13902853a677d7f3d89a7b2c

        The report lists this file four times (twice as C:\Users\... and twice as \Users\..., the same path with and without the drive letter), every entry with the hashes above. These are identical to the submitted sample's hashes, so the dropped applaunch.exe is a byte-for-byte copy of the original, as the cmd.exe /c copy command in the process tree implies; one hash is enough to hunt for both.

      • memory/360-55-0x00000000003B0000-0x00000000003C8000-memory.dmp

        Filesize

        96KB

      • memory/360-54-0x00000000002F0000-0x0000000000372000-memory.dmp

        Filesize

        520KB

      • memory/844-65-0x0000000000400000-0x000000000042B000-memory.dmp

        Filesize

        172KB

      • memory/844-70-0x0000000000400000-0x000000000042B000-memory.dmp

        Filesize

        172KB

      • memory/2008-63-0x0000000000810000-0x0000000000892000-memory.dmp

        Filesize

        520KB

      • memory/2008-62-0x0000000075E31000-0x0000000075E33000-memory.dmp

        Filesize

        8KB
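      The memory dump names above encode the process, a sequence number and the address range, which is enough to sanity-check the listed sizes and to pick out the region worth pulling first. The following is an added example, not part of the report or of the sandbox's tooling: it parses the names as listed (the middle number is taken to be the sandbox's dump sequence number, an assumption), verifies each listed Filesize against the range length, notes ranges that were dumped more than once, and flags regions sitting at the classic 0x400000 image base inside the hollowed host (PID 844), which is where an unpacked payload would be expected.

```python
import re

# Name pattern as it appears in the report: memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
# <n> is assumed to be the sandbox's dump sequence number.
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Constructed from the report's Downloads list: each dump name with the Filesize shown beside it.
DUMPS = [
    ("memory/360-55-0x00000000003B0000-0x00000000003C8000-memory.dmp", "96KB"),
    ("memory/360-54-0x00000000002F0000-0x0000000000372000-memory.dmp", "520KB"),
    ("memory/844-65-0x0000000000400000-0x000000000042B000-memory.dmp", "172KB"),
    ("memory/844-70-0x0000000000400000-0x000000000042B000-memory.dmp", "172KB"),
    ("memory/2008-63-0x0000000000810000-0x0000000000892000-memory.dmp", "520KB"),
    ("memory/2008-62-0x0000000075E31000-0x0000000075E33000-memory.dmp", "8KB"),
]


def parse_dump(name: str) -> dict:
    """Split a dump file name into pid, sequence number and address range."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m[3], 16), int(m[4], 16)
    return {"pid": int(m[1]), "seq": int(m[2]), "start": start, "end": end, "size": end - start}


def size_matches(region: dict, label: str) -> bool:
    """The listed Filesize is whole KB; compare it with the range length."""
    return round(region["size"] / 1024) == int(label.rstrip("KB"))


def summarise(dumps, hollow_pids=(844,), image_base=0x400000) -> dict:
    """Cross-check sizes, find re-dumped ranges, pick payload candidates and
    the largest region per process."""
    regions = [parse_dump(name) for name, _ in dumps]
    mismatched = [name for (name, label), r in zip(dumps, regions) if not size_matches(r, label)]

    by_range = {}
    for r in regions:
        by_range.setdefault((r["pid"], r["start"], r["end"]), []).append(r["seq"])
    repeated = {k: v for k, v in by_range.items() if len(v) > 1}

    # A region at the default image base inside a suspected hollowing target
    # is the first thing to carve and scan for a PE header.
    payload = sorted({(r["pid"], r["start"], r["size"])
                      for r in regions if r["pid"] in hollow_pids and r["start"] == image_base})

    largest = {}
    for r in regions:
        if r["size"] > largest.get(r["pid"], (0, 0))[1]:
            largest[r["pid"]] = (r["start"], r["size"])

    return {"mismatched": mismatched, "repeated": repeated,
            "payload_candidates": payload, "largest": largest}


if __name__ == "__main__":
    for key, value in summarise(DUMPS).items():
        print(key, value)
```

      The two 520KB regions (PID 360 at 0x2F0000, PID 2008 at 0x810000) are the same size and a little larger than the 510KB file on disk, which is what a mapped copy of the sample itself looks like; the 172KB region in PID 844 is a different, smaller image and is the one to unpack and scan against the ParallaxRat payload rule.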