Analysis
-
max time kernel
137s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
18-04-2022 09:27
Static task
static1
Behavioral task
behavioral1
Sample
7a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0.exe
Resource
win7-20220414-en
General
-
Target
7a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0.exe
-
Size
510KB
-
MD5
9564841aec80fb40ee9c1c431d85e28b
-
SHA1
2e7b383bb344e69fd7168f000b6ba62b4aeec2d7
-
SHA256
7a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0
-
SHA512
11e1da2d7fb6a5caeae443a0c09b951c4e7557873b3ba346f098ef2a73f285d773e86380bdc66340c350e64e0b66a81e23d725cc13902853a677d7f3d89a7b2c
Malware Config
Signatures
-
ParallaxRat payload 3 IoCs
Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.
resource yara_rule behavioral2/memory/1680-140-0x0000000000000000-mapping.dmp parallax_rat behavioral2/memory/1680-141-0x0000000000400000-0x000000000042B000-memory.dmp parallax_rat behavioral2/memory/1680-144-0x0000000000400000-0x000000000042B000-memory.dmp parallax_rat -
Executes dropped EXE 1 IoCs
pid Process 3020 applaunch.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation 7a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\applaunch.lnk applaunch.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3020 set thread context of 1680 3020 applaunch.exe 89 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4740 7a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0.exe Token: SeDebugPrivilege 3020 applaunch.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 4740 wrote to memory of 1968 4740 7a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0.exe 84 PID 4740 wrote to memory of 1968 4740 7a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0.exe 84 PID 4740 wrote to memory of 1968 4740 7a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0.exe 84 PID 4740 wrote to memory of 1512 4740 7a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0.exe 86 PID 4740 wrote to memory of 1512 4740 7a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0.exe 86 PID 4740 wrote to memory of 1512 4740 7a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0.exe 86 PID 1512 wrote to memory of 3020 1512 cmd.exe 88 PID 1512 wrote to memory of 3020 1512 cmd.exe 88 PID 1512 wrote to memory of 3020 1512 cmd.exe 88 PID 3020 wrote to memory of 1680 3020 applaunch.exe 89 PID 3020 wrote to memory of 1680 3020 applaunch.exe 89 PID 3020 wrote to memory of 1680 3020 applaunch.exe 89 PID 3020 wrote to memory of 1680 3020 applaunch.exe 89 PID 3020 wrote to memory of 1680 3020 applaunch.exe 89 PID 3020 wrote to memory of 1680 3020 applaunch.exe 89 PID 3020 wrote to memory of 1680 3020 applaunch.exe 89 PID 3020 wrote to memory of 1680 3020 applaunch.exe 89 PID 3020 wrote to memory of 1680 3020 applaunch.exe 89 PID 3020 wrote to memory of 1680 3020 applaunch.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0.exe"C:\Users\Admin\AppData\Local\Temp\7a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\7a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\applaunch.exe"2⤵PID:1968
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\applaunch.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\applaunch.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\applaunch.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:1680
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
510KB
MD59564841aec80fb40ee9c1c431d85e28b
SHA12e7b383bb344e69fd7168f000b6ba62b4aeec2d7
SHA2567a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0
SHA51211e1da2d7fb6a5caeae443a0c09b951c4e7557873b3ba346f098ef2a73f285d773e86380bdc66340c350e64e0b66a81e23d725cc13902853a677d7f3d89a7b2c
-
Filesize
510KB
MD59564841aec80fb40ee9c1c431d85e28b
SHA12e7b383bb344e69fd7168f000b6ba62b4aeec2d7
SHA2567a03f290d1527d11d034c9da40b7fcdcc351e0664592e1ee975c0dc12b7dfab0
SHA51211e1da2d7fb6a5caeae443a0c09b951c4e7557873b3ba346f098ef2a73f285d773e86380bdc66340c350e64e0b66a81e23d725cc13902853a677d7f3d89a7b2c