Resubmissions
- 16-02-2023 18:21  230216-wzrrhsaf91  10
- 07-02-2023 15:57  230207-tee6wace33  10
- 07-02-2023 15:36  230207-s11h9sff3w  10

Analysis
max time kernel: 138s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-02-2023 15:36
Static task: static1
Behavioral task: behavioral1
Sample: dot.exe
Resource: win7-20221111-en
General
Target: dot.exe
Size: 3.4MB
MD5: ac88204b208f187a908c6a1148b7aee8
SHA1: 74b895683f51a69f1bce838ac174c019a796cb1a
SHA256: fc97b364bebaf6b1b4baa16e906b4b9f9f8604034f0b9df1f7deb0418f3d229e
SHA512: 2f5e6fff1f98403e987dd6a6a50df757604c8abe474d88143f04c6df6c8bfb4e62652f8f29f19acd834fd865998feaec4f03e2d9a48434ecb8c2cfad5e8e5e27
SSDEEP: 24576:7cqJge1JYGhCP3dbTb2XShCFVshuhBcomEl+11s3jYx9pcualicf2IZ:kyXALoh+eQEualt7Z
Malware Config
Signatures
ParallaxRat payload (1 IoC)
Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.
  resource | yara_rule
  behavioral2/memory/4572-137-0x0000000000400000-0x0000000000778000-memory.dmp | parallax_rat

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | dot.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Search64.exe.exe | DllHost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Search64.exe.exe | DllHost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe

Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe

Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | dot.exe

Suspicious behavior: EnumeratesProcesses (62 IoCs)
pid Process 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 4572 dot.exe 1668 AcroRd32.exe 1668 AcroRd32.exe 1668 AcroRd32.exe 1668 AcroRd32.exe 1668 AcroRd32.exe 1668 AcroRd32.exe 1668 AcroRd32.exe 1668 AcroRd32.exe 1668 AcroRd32.exe 1668 AcroRd32.exe 1668 AcroRd32.exe 1668 AcroRd32.exe 1668 AcroRd32.exe 1668 AcroRd32.exe 1668 AcroRd32.exe 1668 AcroRd32.exe 1668 AcroRd32.exe 1668 AcroRd32.exe 1668 AcroRd32.exe 1668 AcroRd32.exe -
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 3076 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3076 | Explorer.EXE
  Token: SeShutdownPrivilege | 3076 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3076 | Explorer.EXE

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  1668 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process
  1668 | AcroRd32.exe
  1668 | AcroRd32.exe
  1668 | AcroRd32.exe
  1668 | AcroRd32.exe
  1668 | AcroRd32.exe
  1668 | AcroRd32.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description pid Process procid_target PID 4572 wrote to memory of 1668 4572 dot.exe 80 PID 4572 wrote to memory of 1668 4572 dot.exe 80 PID 4572 wrote to memory of 1668 4572 dot.exe 80 PID 4572 wrote to memory of 3076 4572 dot.exe 49 PID 1668 wrote to memory of 4240 1668 AcroRd32.exe 81 PID 1668 wrote to memory of 4240 1668 AcroRd32.exe 81 PID 1668 wrote to memory of 4240 1668 AcroRd32.exe 81 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 
RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 3748 4240 RdrCEF.exe 84 PID 4240 wrote to memory of 1200 4240 RdrCEF.exe 85 PID 4240 wrote to memory of 1200 4240 RdrCEF.exe 85 PID 4240 wrote to memory of 1200 4240 RdrCEF.exe 85 PID 4240 wrote to memory of 1200 4240 RdrCEF.exe 85 PID 4240 wrote to memory of 1200 4240 RdrCEF.exe 85 PID 4240 wrote to memory of 1200 4240 RdrCEF.exe 85 PID 4240 wrote to memory of 1200 4240 RdrCEF.exe 85 PID 4240 wrote to memory of 1200 4240 RdrCEF.exe 85 PID 4240 wrote to memory of 1200 4240 RdrCEF.exe 85 PID 4240 wrote to memory of 1200 4240 RdrCEF.exe 85 PID 4240 wrote to memory of 1200 4240 RdrCEF.exe 85 PID 4240 wrote to memory of 1200 4240 RdrCEF.exe 85 PID 4240 wrote to memory of 1200 4240 RdrCEF.exe 85 PID 4240 wrote to memory of 1200 4240 RdrCEF.exe 85 PID 4240 wrote to memory of 1200 4240 RdrCEF.exe 85 PID 4240 wrote to memory of 1200 4240 RdrCEF.exe 85
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3076

  C:\Users\Admin\AppData\Local\Temp\dot.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dot.exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 4572

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\LMOyd.pdf"
      - Checks processor information in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1668

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        - Suspicious use of WriteProcessMemory
        PID: 4240

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8C084F38E2530B35C86FCAD2AB5C3346 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          PID: 3748

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5A40B7B4BF661A330AD550E989076B28 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5A40B7B4BF661A330AD550E989076B28 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
          PID: 1200

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=24B1ECA425CD1D02BC2F7F544BAB91C4 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=24B1ECA425CD1D02BC2F7F544BAB91C4 --renderer-client-id=4 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job /prefetch:1
          PID: 4312

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A72C4A6B5E33FFD72C27EE1210D4B4DF --mojo-platform-channel-handle=2548 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          PID: 228

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DF2BACB86C1A75001EABCCB0054C90A9 --mojo-platform-channel-handle=1820 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          PID: 2772

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9B851599962AFD50C5ABE621FAE75043 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          PID: 4488

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
  - Drops startup file
  PID: 2144
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 33KB
MD5: 30180336f09f66d50a46a31b0e67e580
SHA1: 172af56223f37d7bec8ebc0ed3584bddbe167f88
SHA256: f361d01c7a799b937b182ebc961538b0609aa469651da1d7879605ec41b15c41
SHA512: d42cf1827accef0e73915d12b53c0cefeaad5a1fcf30dd9ca86187d5b234be81b6065394cc40a58d38bc6c841c21f732613db98fa1a69c1b7352932ff2fc1772