Analysis
- max time kernel: 150s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-10-2023 12:25

Static task: static1 (1 signature)
Behavioral task: behavioral1, sample payload.exe, resource win7-20230831-en (windows7-x64), 7 signatures, 150 seconds

Note that the signature evidence below cites behavioral2 memory dumps and the platform above is the win10v2004 image, so the results shown belong to a second behavioral run on Windows 10, not to the Windows 7 task listed here.
General
- Target: payload.exe
- Size: 3.1MB
- MD5: 93ebd2582b92bda84dd7a781c9ccb087
- SHA1: 4f343fea4961e054ca980c38ec0ba31d235912fb
- SHA256: 2ee076dac5df5fe560093b56afe32431838e041e275b378b69198860cd290d11
- SHA512: d9892b339b060ba57336a327aa52252b675b6b19bcedbe94c55f5bfad689a94688fa6b5c8597dc76bb3a216055ed7bd5bd108ecb84345660967df75f57ee7b4b
- SSDEEP: 49152:Nq3QscuJsVPCYc80pixEXY2QpvH8n7f9GioB08341OPc9:N0nJsVPBcexz2QpvHqD9Giod4OPc
Malware Config
Signatures
ParallaxRat payload 19 IoCs
Detects payload of Parallax RAT, a small portable RAT usually digitally signed with a Sectigo certificate.
resource: yara_rule
- behavioral2/memory/2812-5-0x0000000000400000-0x000000000042C000-memory.dmp: parallax_rat
- behavioral2/memory/2812-10-0x0000000000400000-0x000000000042C000-memory.dmp through behavioral2/memory/2812-27-0x0000000000400000-0x000000000042C000-memory.dmp (18 consecutive snapshots, same PID and same region): parallax_rat
All 19 hits are the same 0x2C000-byte region at 0x400000 in PID 2812. 0x400000 is the default image base of a 32-bit executable, so the rule is matching a full RAT image mapped into that process rather than a small injected stub; the process tree below shows which image PID 2812 nominally runs.
Drops startup file 2 IoCs
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lefasc.exe (process: DllHost.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lefasc.exe (process: DllHost.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 42 IoCs
- PID 1624 payload.exe (42 identical entries)
Suspicious use of SetWindowsHookEx 1 IoCs
- PID 1624 payload.exe
Suspicious use of WriteProcessMemory 17 IoCs
- PID 1624 (payload.exe) wrote to memory of PID 2812, procid_target 88 (17 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\payload.exe (PID 1624, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\payload.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe (PID 2812, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\payload.exe"
- C:\Windows\SysWOW64\DllHost.exe (PID 4648, level 1)
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
  - Drops startup file

Reading the tree together with the signatures above: PID 2812 runs the Microsoft-signed 32-bit pipanel.exe image but carries payload.exe's command line, PID 1624 wrote into it 17 times, and the Parallax RAT YARA rule fires on the 0x400000-0x42C000 region of that process. That combination is consistent with process hollowing: the RAT is started inside a legitimate host binary so that process listings show pipanel.exe. The second root, DllHost.exe with a /Processid: argument, is a COM surrogate hosting an out-of-process COM server; this CLSID is registered as the shell's Copy/Move/Rename/Delete/Link Object class used by IFileOperation. The Startup-folder write is therefore attributed to the surrogate, and the process that requested the copy is not the one named in the "Drops startup file" IoC. When hunting, look for the lefasc.exe drop by its hash and path rather than by the writing process.