Analysis
max time kernel: 10s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-10-2023 08:03
Static task: static1
Behavioral task: behavioral1
Sample: sss.exe
Resource: win7-20230831-en (windows7-x64)
6 signatures
150 seconds
General
Target: sss.exe
Size: 2.3MB
MD5: 69b85492367598683cc28f7353148a5c
SHA1: e03f54756a9628a142ee2cb2a9190dd1511b5336
SHA256: 50390617ca0f0b27057a4447414d7799996b69e615bea931a31d673394d92695
SHA512: 658e39b982d48317dd659b5a303b89079f68ccdd1dfcf3fe373cf23ddb71a998627e1966b74e08596635e2ac9056fc372ae16b2c4816ca09fbb7adc62920da32
SSDEEP: 49152:Eq3QscuJsVPCYc80pixEXY2QpvH8nzf9Gion08mkCSgo:E0nJsVPBcexz2QpvHqL9GiouSx
Malware Config
Signatures
- ParallaxRat payload (18 IoCs)
  Detects payload of Parallax Rat, a small portable RAT usually digitally signed with a Sectigo certificate.
  resource / yara_rule:
  behavioral2/memory/764-4-0x0000000003BC0000-0x0000000003BEC000-memory.dmp  parallax_rat
  behavioral2/memory/764-5-0x0000000003BC0000-0x0000000003BEC000-memory.dmp  parallax_rat
  behavioral2/memory/764-10-0x0000000003BC0000-0x0000000003BEC000-memory.dmp  parallax_rat
  behavioral2/memory/764-17-0x0000000003BC0000-0x0000000003BEC000-memory.dmp  parallax_rat
  behavioral2/memory/764-20-0x0000000003BC0000-0x0000000003BEC000-memory.dmp  parallax_rat
  behavioral2/memory/764-19-0x0000000003BC0000-0x0000000003BEC000-memory.dmp  parallax_rat
  behavioral2/memory/764-18-0x0000000003BC0000-0x0000000003BEC000-memory.dmp  parallax_rat
  behavioral2/memory/764-16-0x0000000003BC0000-0x0000000003BEC000-memory.dmp  parallax_rat
  behavioral2/memory/764-15-0x0000000003BC0000-0x0000000003BEC000-memory.dmp  parallax_rat
  behavioral2/memory/764-14-0x0000000003BC0000-0x0000000003BEC000-memory.dmp  parallax_rat
  behavioral2/memory/764-13-0x0000000003BC0000-0x0000000003BEC000-memory.dmp  parallax_rat
  behavioral2/memory/764-12-0x0000000003BC0000-0x0000000003BEC000-memory.dmp  parallax_rat
  behavioral2/memory/764-11-0x0000000003BC0000-0x0000000003BEC000-memory.dmp  parallax_rat
  behavioral2/memory/764-9-0x0000000003BC0000-0x0000000003BEC000-memory.dmp  parallax_rat
  behavioral2/memory/764-8-0x0000000003BC0000-0x0000000003BEC000-memory.dmp  parallax_rat
  behavioral2/memory/764-7-0x0000000003BC0000-0x0000000003BEC000-memory.dmp  parallax_rat
  behavioral2/memory/764-6-0x0000000003BC0000-0x0000000003BEC000-memory.dmp  parallax_rat
  behavioral2/memory/764-23-0x0000000003BC0000-0x0000000003BEC000-memory.dmp  parallax_rat
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (40 IoCs)
  pid / Process: 764 sss.exe (the same pid/process pair is listed for all 40 IoCs)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid / Process: 764 sss.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\sss.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sss.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 764
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
  PID: 4864