Analysis
-
max time kernel
151s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
25-02-2023 22:33
Static task
static1
Behavioral task
behavioral1
Sample
GoDaddyChanges2023.exe
Resource
win7-20230220-en
windows7-x64
8 signatures
150 seconds
General
-
Target
GoDaddyChanges2023.exe
-
Size
19.0MB
-
MD5
2b24e35a767cdcb73808fb2ef3c6876a
-
SHA1
031cd6cb0a890968c168a290e109e1553b95bdf5
-
SHA256
69a145831b695d9e8d74ff634b8c0412ac93488d7bff1fc63d702ebf48333a5a
-
SHA512
aa7317c3701777d02854129f6b2308d0cba1657503f491de156f8b75fa80f5086b86fa7b4109df652722eab65c1f4bafab15973cfb02763364bd914240ee3a3c
-
SSDEEP
393216:mvFeJuTCvsmyI8BcQNOXnjmkehKUz+mXDHV5ZK0Gg:kIY5ZK0G
Malware Config
Signatures
-
ParallaxRat payload 4 IoCs
Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.
resource yara_rule behavioral2/memory/424-140-0x0000000000400000-0x0000000001846000-memory.dmp parallax_rat behavioral2/memory/424-169-0x0000000000400000-0x0000000001846000-memory.dmp parallax_rat behavioral2/memory/424-177-0x0000000000400000-0x0000000001846000-memory.dmp parallax_rat behavioral2/memory/424-181-0x0000000000400000-0x0000000001846000-memory.dmp parallax_rat -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe 424 GoDaddyChanges2023.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1292 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeShutdownPrivilege 1292 Explorer.EXE Token: SeCreatePagefilePrivilege 1292 Explorer.EXE Token: SeShutdownPrivilege 1292 Explorer.EXE Token: SeCreatePagefilePrivilege 1292 Explorer.EXE Token: SeShutdownPrivilege 1292 Explorer.EXE Token: SeCreatePagefilePrivilege 1292 Explorer.EXE Token: SeShutdownPrivilege 1292 Explorer.EXE Token: SeCreatePagefilePrivilege 1292 Explorer.EXE Token: SeShutdownPrivilege 1292 Explorer.EXE Token: SeCreatePagefilePrivilege 1292 Explorer.EXE Token: SeShutdownPrivilege 1292 Explorer.EXE Token: SeCreatePagefilePrivilege 1292 Explorer.EXE -
Suspicious use of WriteProcessMemory 1 IoCs
description pid Process procid_target PID 424 wrote to memory of 1292 424 GoDaddyChanges2023.exe 55
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1292 -
C:\Users\Admin\AppData\Local\Temp\GoDaddyChanges2023.exe"C:\Users\Admin\AppData\Local\Temp\GoDaddyChanges2023.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:424
-