Analysis

max time kernel: 148s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-02-2023 05:29

Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20230220-en (windows7-x64)
10 signatures, 150 seconds
General

Target: tmp.exe
Size: 3.9MB
MD5: 40256ea622aa1d0678f5bde48b9aa0fb
SHA1: ba9dc2820ff412f06ca986dd03af1880d5a60f41
SHA256: c3a3c6015ffc1bc98b5a21f89e78049900e5796e67e098bead011a20a99e7b0d
SHA512: 04f9be55aeb88ff4f11b786f10e1bbcfa5cc1cf0b54f56d2d68fe067b0ada592f6aac93148cfbfe23916bbbe581669befebc4e95630f8c3e76303bc8e69ff450
SSDEEP: 6144:DYh6ApoWrujS9yeoh6VVK7xvYTMxgUHgufnKiXybpsb:0h6ApVruja5oh2K755KUH5nNXylS
Malware Config
Signatures
ParallaxRat payload (10 IoCs)
Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource                                                                      yara_rule
behavioral2/memory/3456-137-0x0000000000400000-0x0000000000426000-memory.dmp  parallax_rat
behavioral2/memory/3456-138-0x0000000000400000-0x0000000000426000-memory.dmp  parallax_rat
behavioral2/memory/3456-139-0x0000000000400000-0x0000000000426000-memory.dmp  parallax_rat
behavioral2/memory/3456-140-0x0000000000400000-0x0000000000426000-memory.dmp  parallax_rat
behavioral2/memory/3456-141-0x0000000000400000-0x0000000000426000-memory.dmp  parallax_rat
behavioral2/memory/3456-142-0x0000000000400000-0x0000000000426000-memory.dmp  parallax_rat
behavioral2/memory/3456-143-0x0000000000400000-0x0000000000426000-memory.dmp  parallax_rat
behavioral2/memory/3456-144-0x0000000000400000-0x0000000000426000-memory.dmp  parallax_rat
behavioral2/memory/3456-145-0x0000000000400000-0x0000000000426000-memory.dmp  parallax_rat
behavioral2/memory/3456-155-0x0000000000400000-0x0000000000426000-memory.dmp  parallax_rat
Drops startup file (2 IoCs)

description                   ioc                                                                                    Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milk.exe  DllHost.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milk.exe  DllHost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (44 IoCs)

pid   Process
4748  tmp.exe   (this same row is reported 44 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

pid   Process
3128  Explorer.EXE
Suspicious use of AdjustPrivilegeToken (12 IoCs)

description                        pid   Process
Token: SeShutdownPrivilege         3128  Explorer.EXE
Token: SeCreatePagefilePrivilege   3128  Explorer.EXE
Token: SeShutdownPrivilege         3128  Explorer.EXE
Token: SeCreatePagefilePrivilege   3128  Explorer.EXE
Token: SeShutdownPrivilege         3128  Explorer.EXE
Token: SeCreatePagefilePrivilege   3128  Explorer.EXE
Token: SeShutdownPrivilege         3128  Explorer.EXE
Token: SeCreatePagefilePrivilege   3128  Explorer.EXE
Token: SeShutdownPrivilege         3128  Explorer.EXE
Token: SeCreatePagefilePrivilege   3128  Explorer.EXE
Token: SeShutdownPrivilege         3128  Explorer.EXE
Token: SeCreatePagefilePrivilege   3128  Explorer.EXE
Suspicious use of WriteProcessMemory (16 IoCs)

description                         pid   Process  procid_target
PID 4748 wrote to memory of 3456    4748  tmp.exe  81
PID 4748 wrote to memory of 3456    4748  tmp.exe  81
PID 4748 wrote to memory of 3456    4748  tmp.exe  81
PID 4748 wrote to memory of 3456    4748  tmp.exe  81
PID 4748 wrote to memory of 3456    4748  tmp.exe  81
PID 4748 wrote to memory of 3456    4748  tmp.exe  81
PID 4748 wrote to memory of 3456    4748  tmp.exe  81
PID 4748 wrote to memory of 3456    4748  tmp.exe  81
PID 4748 wrote to memory of 3456    4748  tmp.exe  81
PID 4748 wrote to memory of 3456    4748  tmp.exe  81
PID 4748 wrote to memory of 3456    4748  tmp.exe  81
PID 4748 wrote to memory of 3456    4748  tmp.exe  81
PID 4748 wrote to memory of 3456    4748  tmp.exe  81
PID 4748 wrote to memory of 3456    4748  tmp.exe  81
PID 4748 wrote to memory of 3456    4748  tmp.exe  81
PID 4748 wrote to memory of 3128    4748  tmp.exe  55
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 3128
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\AppData\Local\Temp\tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      PID: 4748
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
         PID: 3456

1. C:\Windows\SysWOW64\DllHost.exe
   Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
   PID: 4948
   - Drops startup file