Analysis
-
max time kernel
152s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
11-10-2022 15:12
General
-
Target
a51d7468c145280e97fbfa442f6f03caa984539e9b1bf5d53ccb866deab04683.exe
-
Size
201KB
-
MD5
27689a3abc46a9541375d2fc11930376
-
SHA1
d28aa1818c54105d85e3c80cbee41da61e626846
-
SHA256
a51d7468c145280e97fbfa442f6f03caa984539e9b1bf5d53ccb866deab04683
-
SHA512
d30a5f06f8c0becf42a45c0f9804cbba655372d908aa3c62b2f9b66932c719b35afcbb48035e4796bb2a7aae79ede2e9ac20f7afaf3f1c2529b5a185bbe21f94
-
SSDEEP
6144:Hza2Nj+MLxwkcWTq/81DDiSTz9nqEja3TXU0xtFu:HqEjk7l7Fu
Malware Config
Signatures
-
ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 5 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a51d7468c145280e97fbfa442f6f03caa984539e9b1bf5d53ccb866deab04683.exe"C:\Users\Admin\AppData\Local\Temp\a51d7468c145280e97fbfa442f6f03caa984539e9b1bf5d53ccb866deab04683.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a51d7468c145280e97fbfa442f6f03caa984539e9b1bf5d53ccb866deab04683.exe"C:\Users\Admin\AppData\Local\Temp\a51d7468c145280e97fbfa442f6f03caa984539e9b1bf5d53ccb866deab04683.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\PCGCA.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Security" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Security\security.exe" /f4⤵
- Adds Run key to start application
-
-
-
C:\Users\Admin\AppData\Roaming\Security\security.exe"C:\Users\Admin\AppData\Roaming\Security\security.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Security\security.exe"C:\Users\Admin\AppData\Roaming\Security\security.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
147B
MD56f473a1ba53e043362047f72e20b34f4
SHA1e8f121a589e1207ed950453376ee1d21b1223835
SHA2565fbce2c77a90ba9edbcf60be3851ab81633b7c10b1babb624d475c7be589de4b
SHA512b4976d40bc708ae6cddf367a5382cd532e4cf235b848cdaa4e4d317e06d9126e50745a7772591bc21dc7380689f4399e57501b0aa73cd231bce32e22d53b0818
-
Filesize
201KB
MD511c9bfd6e3507de735e581900f6c3f32
SHA1f017c5c83e8c0fc481c62944822c3186f1a1b2df
SHA2566a53d0a9f731db8dc836bfcdf7c9f9e0d4139408f80f0ce647d6811cecda11e1
SHA512a015666f5ada231c1e16816bad01ee10289559a0520dff0c7432fad62478fa5a2cee44e8d49673152f824fd83ab0719ef9162f67357e63e906955910d6eea1ff
-
Filesize
201KB
MD511c9bfd6e3507de735e581900f6c3f32
SHA1f017c5c83e8c0fc481c62944822c3186f1a1b2df
SHA2566a53d0a9f731db8dc836bfcdf7c9f9e0d4139408f80f0ce647d6811cecda11e1
SHA512a015666f5ada231c1e16816bad01ee10289559a0520dff0c7432fad62478fa5a2cee44e8d49673152f824fd83ab0719ef9162f67357e63e906955910d6eea1ff
-
Filesize
201KB
MD511c9bfd6e3507de735e581900f6c3f32
SHA1f017c5c83e8c0fc481c62944822c3186f1a1b2df
SHA2566a53d0a9f731db8dc836bfcdf7c9f9e0d4139408f80f0ce647d6811cecda11e1
SHA512a015666f5ada231c1e16816bad01ee10289559a0520dff0c7432fad62478fa5a2cee44e8d49673152f824fd83ab0719ef9162f67357e63e906955910d6eea1ff
-
Filesize
201KB
MD511c9bfd6e3507de735e581900f6c3f32
SHA1f017c5c83e8c0fc481c62944822c3186f1a1b2df
SHA2566a53d0a9f731db8dc836bfcdf7c9f9e0d4139408f80f0ce647d6811cecda11e1
SHA512a015666f5ada231c1e16816bad01ee10289559a0520dff0c7432fad62478fa5a2cee44e8d49673152f824fd83ab0719ef9162f67357e63e906955910d6eea1ff
-
Filesize
201KB
MD511c9bfd6e3507de735e581900f6c3f32
SHA1f017c5c83e8c0fc481c62944822c3186f1a1b2df
SHA2566a53d0a9f731db8dc836bfcdf7c9f9e0d4139408f80f0ce647d6811cecda11e1
SHA512a015666f5ada231c1e16816bad01ee10289559a0520dff0c7432fad62478fa5a2cee44e8d49673152f824fd83ab0719ef9162f67357e63e906955910d6eea1ff
-
Filesize
201KB
MD511c9bfd6e3507de735e581900f6c3f32
SHA1f017c5c83e8c0fc481c62944822c3186f1a1b2df
SHA2566a53d0a9f731db8dc836bfcdf7c9f9e0d4139408f80f0ce647d6811cecda11e1
SHA512a015666f5ada231c1e16816bad01ee10289559a0520dff0c7432fad62478fa5a2cee44e8d49673152f824fd83ab0719ef9162f67357e63e906955910d6eea1ff
-
Filesize
201KB
MD511c9bfd6e3507de735e581900f6c3f32
SHA1f017c5c83e8c0fc481c62944822c3186f1a1b2df
SHA2566a53d0a9f731db8dc836bfcdf7c9f9e0d4139408f80f0ce647d6811cecda11e1
SHA512a015666f5ada231c1e16816bad01ee10289559a0520dff0c7432fad62478fa5a2cee44e8d49673152f824fd83ab0719ef9162f67357e63e906955910d6eea1ff
-
Filesize
201KB
MD511c9bfd6e3507de735e581900f6c3f32
SHA1f017c5c83e8c0fc481c62944822c3186f1a1b2df
SHA2566a53d0a9f731db8dc836bfcdf7c9f9e0d4139408f80f0ce647d6811cecda11e1
SHA512a015666f5ada231c1e16816bad01ee10289559a0520dff0c7432fad62478fa5a2cee44e8d49673152f824fd83ab0719ef9162f67357e63e906955910d6eea1ff
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
8KB
-
Filesize
72KB