Analysis

max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 11-10-2023 12:25

Static task: static1 (1 signatures)

Behavioral task: behavioral1
Sample: payload.exe
Resource: win7-20230831-en (windows7-x64)
7 signatures
150 seconds
General

Target: payload.exe
Size: 3.1MB
MD5: 93ebd2582b92bda84dd7a781c9ccb087
SHA1: 4f343fea4961e054ca980c38ec0ba31d235912fb
SHA256: 2ee076dac5df5fe560093b56afe32431838e041e275b378b69198860cd290d11
SHA512: d9892b339b060ba57336a327aa52252b675b6b19bcedbe94c55f5bfad689a94688fa6b5c8597dc76bb3a216055ed7bd5bd108ecb84345660967df75f57ee7b4b
SSDEEP: 49152:Nq3QscuJsVPCYc80pixEXY2QpvH8n7f9GioB08341OPc9:N0nJsVPBcexz2QpvHqD9Giod4OPc
Malware Config
Signatures
ParallaxRat payload (21 IoCs)
Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.
resource (yara_rule: parallax_rat):
- behavioral1/memory/2740-6-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2740-5-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2740-7-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2740-8-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2740-13-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2740-19-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2740-20-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2740-21-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2740-22-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2740-23-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2740-24-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2740-25-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2740-26-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2740-27-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2740-28-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2740-31-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2740-30-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2740-29-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2740-32-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2740-33-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2740-34-0x0000000000400000-0x000000000042C000-memory.dmp
Drops startup file (1 IoCs)
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lefasc.exe
Process: DllHost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (21 IoCs)
pid: 2060, Process: payload.exe (the same entry is listed 21 times)
Suspicious use of SetWindowsHookEx (1 IoCs)
pid: 2060, Process: payload.exe
Suspicious use of WriteProcessMemory (17 IoCs)
description: PID 2060 wrote to memory of 2740, pid: 2060, Process: payload.exe, procid_target: 29 (the same entry is listed 17 times)
Processes

C:\Users\Admin\AppData\Local\Temp\payload.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\payload.exe"
  PID: 2060
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\payload.exe"
      PID: 2740

C:\Windows\SysWOW64\DllHost.exe
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
  PID: 2696
  - Drops startup file