Analysis
max time kernel: 39s
max time network: 127s
platform: windows7_x64
resource: win7-20220414-en
submitted: 06-05-2022 08:01

Static task: static1
Behavioral task: behavioral1
Sample: Scribe.exe
Resource: win7-20220414-en (windows7_x64)
0 signatures
0 seconds
General
Target: Scribe.exe
Size: 2.0MB
MD5: a0fc62c608603f02cae7a7103625cbca
SHA1: 2c6961b447b9b20aca8da625923568e79f40066f
SHA256: 152cd4630ca5b31679f9af5b5226869962d0631276a3b9ab3af71bbe5c87ab46
SHA512: 9a441c607ef833632e37db705d03c5cec147659b07548eb2c2f46f047d3425110787b9675e91eb5196897e32eedecdc5bf96f5fd681e5d6ed86831ed3af54a5f
Malware Config
Signatures
ParallaxRat payload (1 IoC)
Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.
resource: behavioral1/memory/1416-58-0x0000000000400000-0x0000000000690000-memory.dmp; yara_rule: parallax_rat

Drops startup file (1 IoC)
description: File created; ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\carlreciver.exe; Process: DllHost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (21 IoCs)
pid: 1416; Process: Scribe.exe (21 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeDebugPrivilege; pid: 1416; Process: Scribe.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid: 1220; Process: Explorer.EXE (2 occurrences)

Suspicious use of SendNotifyMessage (2 IoCs)
pid: 1220; Process: Explorer.EXE (2 occurrences)

Suspicious use of WriteProcessMemory (1 IoC)
description: PID 1416 wrote to memory of 1220; pid: 1416; Process: Scribe.exe; procid_target: 15
Processes
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 1220
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    [2] C:\Users\Admin\AppData\Local\Temp\Scribe.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Scribe.exe"
        PID: 1416
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

[1] C:\Windows\SysWOW64\DllHost.exe
    command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
    PID: 964
    - Drops startup file