Overview

overview

10

Static

static

1

43b3cb0d8e...2f.exe

windows7-x64

10

43b3cb0d8e...2f.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    151s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    05-01-2024 12:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43b3cb0d8ead9a35e8bcda2048c3312f.exe

  • Size

    201KB

  • MD5

    43b3cb0d8ead9a35e8bcda2048c3312f

  • SHA1

    ba6b0d323f7a84367318bee772fe5cef0aff8c4c

  • SHA256

    212289b78e550d8af514e2efe785521d8c6e439d46789993711bdfe5b0bb2e6e

  • SHA512

    8d976541f6795db207b4bf56fe6298126017322d6498fb7fd7f1b34e91068784d81e43efc7df131ece0b03476479afb7c91338396002edec4452a39b00e689a2

  • SSDEEP

    6144:Hza2Nj+MLxwkcWTq/81DDiSTz9nqEja3TXU0xtFb:HqEjk7l7Fb

Score
10/10
parallaxpersistenceratupx

Malware Config

Signatures

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

    ratparallax
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43b3cb0d8ead9a35e8bcda2048c3312f.exe
    "C:\Users\Admin\AppData\Local\Temp\43b3cb0d8ead9a35e8bcda2048c3312f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:632
    • C:\Users\Admin\AppData\Local\Temp\43b3cb0d8ead9a35e8bcda2048c3312f.exe
      "C:\Users\Admin\AppData\Local\Temp\43b3cb0d8ead9a35e8bcda2048c3312f.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:392
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JAVWK.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Security" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Security\security.exe" /f
          4⤵
          • Adds Run key to start application
          PID:2740
      • C:\Users\Admin\AppData\Roaming\Security\security.exe
        "C:\Users\Admin\AppData\Roaming\Security\security.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Users\Admin\AppData\Roaming\Security\security.exe
          "C:\Users\Admin\AppData\Roaming\Security\security.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2928
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          4⤵
            PID:3044

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\JAVWK.bat
      Filesize

      147B

      MD5

      6f473a1ba53e043362047f72e20b34f4

      SHA1

      e8f121a589e1207ed950453376ee1d21b1223835

      SHA256

      5fbce2c77a90ba9edbcf60be3851ab81633b7c10b1babb624d475c7be589de4b

      SHA512

      b4976d40bc708ae6cddf367a5382cd532e4cf235b848cdaa4e4d317e06d9126e50745a7772591bc21dc7380689f4399e57501b0aa73cd231bce32e22d53b0818

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Security\security.exe
      Filesize

      201KB

      MD5

      5e7317034b96ad31d99edf9393a8fcab

      SHA1

      fa1da9050b79389a9f91e8370f2bfc2092eb731b

      SHA256

      93523e64a0a8b3340fb13e5179d1c092111223df22c494f366e867cbf532ee84

      SHA512

      a46d05b0acb8a44a8b346f2c472afe07c74b45592e7b46e2e00eabcf408deba7ecc242e00d6142c82c4e4c464d7547e68cb15ab2f363a193dc8e4b6842b97f09

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Security\security.exe
      Filesize

      190KB

      MD5

      c283c26065cd205aa29501dfc2d51294

      SHA1

      9e8d73847951c7702e743a0993f89bbe8fc70e4e

      SHA256

      6427af6b36819c33a323dea8a3cd4c1ed1e9a2578da6837e960906d2e65a04c5

      SHA512

      f01820566725b307b4375f59f6fd52f40dd5217763e11a9060f54fd1c5a3ae02b3109bf643140ee2c81f41909c98dfbb6a8e44048b88202f6b415373a8237d1e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Security\security.exe
      Filesize

      173KB

      MD5

      8303199d069ded12e9f1ff7609198928

      SHA1

      d95b13b31caf84f391f58927c4f6aa522d97b49d

      SHA256

      4b99b2bee93f0b1919237f8c4e16780ccb9c2c6e268e7211199475fdd1962d20

      SHA512

      4ef967db25d085530faed828d2bf41e654d5c290d8c8f278a7bbe8659c8c93a85cc1dc958e3605faf2c8062483f55fd6d91d03d121f2b712fcb32b6b5532ff9f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Security\security.exe
      Filesize

      179KB

      MD5

      fda23ffa13a5dc4ba7bf9c1345a64eb3

      SHA1

      606595fa0b442867ab437bc08d7d8a09a9ce1a1c

      SHA256

      8cc2d92f80462c5f7b96dc892bde917e9002f18405690163dd6fe660bbb40d9a

      SHA512

      a3c86fea5d235f6c8377024d99c2922ee87d5817813cd3a998759a676d6c63e8e48faa753049480f26c369cdb9363cc5562a0962c1ae6734e03a94b472667252

      Download Submit

    • \Users\Admin\AppData\Roaming\Security\security.exe
      Filesize

      7KB

      MD5

      921e05535c0caab4db83e246abeff3b8

      SHA1

      e9b421ed4640781dfe8421ea3010605b3cdbbc22

      SHA256

      79bdbf13b1d53c755d2ebe6aaa41ae6849d36f9ccd5574ab4912943eef2f83a4

      SHA512

      c4b5c07c1c308bdfe7ec2db397433460e1b16fe89f419aefb19a782cfb356443525de858ca988b5b4fc6e1c6c3fd1f6b0dc68ffa66db1c0b77c4f5ef48ed2cb2

      Download Submit

    • \Users\Admin\AppData\Roaming\Security\security.exe
      Filesize

      177KB

      MD5

      1c0d82bd8f3d0e24c5590086467e9c66

      SHA1

      91e05c79903b2efda3f9acb7755259fd86822b90

      SHA256

      c68e32d14a051e7947e46c62999ab8c6872fadf1e07f1d53f108b56dc1ed5703

      SHA512

      41f84df5b98bf002e60a438d181ce25126e8c0d0d8d17b976937fd57d21f0ef649a1eeea827fb940b914918645e7b95a293059e82501e124ac136bc300d2f165

      Download Submit

    • \Users\Admin\AppData\Roaming\Security\security.exe
      Filesize

      150KB

      MD5

      4569700ecb300043b2cc12c0fb7f85ab

      SHA1

      03c34b1cc74bed1ec303183681f7b46777906f52

      SHA256

      7d1c78c444ff9b83899c2ca0a93cee3d036b9823bd14cae8c6ca9e1d02ec1394

      SHA512

      b2f70de3368ba3a425ab9b8b9696fc5d42552387f05f3f084f28c383236d3ab4a11a42991bb7bdd883c8e85789f2aff0f7fd10fce86b6e2062b706f80f30fd85

      Download Submit

    • \Users\Admin\AppData\Roaming\Security\security.exe
      Filesize

      156KB

      MD5

      0da7da229f38aaa571b126ffbb6604ce

      SHA1

      ce379d5d94b7e951c9914c5bc7c96cc0f519d080

      SHA256

      0d7060c7e794560956ba7db109691cd566c66ab1def57b71a8cb182b0c89d594

      SHA512

      5680dcd0e007c2c09f71b6afbe0574516d76943665a62254f4a8a7a8b3f8465ea3f2da445de169ba111d9ea6c8bb589db05fd10e89b7a779f9ad93436afc7811

      Download Submit

    • \Users\Admin\AppData\Roaming\Security\security.exe
      Filesize

      197KB

      MD5

      282581402cc68f081d820c7aa98da6b7

      SHA1

      214dd573f63a168ed6927be2de08a2ba1dfe33f0

      SHA256

      fccd53114ebfe5c08857629a2c4a44c647eeb15b610c2bdfadf5f952e7f609eb

      SHA512

      ecf46f7eb4b581a7cb0135c3d12a7325fa043bf2d93b7c0acb29591df4d6097648688fb2d5821595e7af2ec534eda84af15ae2757955ef57da9ed1d1fadcdc05

      Download Submit

    • memory/392-393-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/392-399-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/392-899-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/632-2-0x00000000002B0000-0x00000000002B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/632-16-0x00000000002D0000-0x00000000002D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/632-4-0x00000000002B0000-0x00000000002B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/632-164-0x0000000000470000-0x0000000000471000-memory.dmp

      Filesize

      4KB

      Download

    • memory/632-259-0x0000000002500000-0x0000000002501000-memory.dmp

      Filesize

      4KB

      Download

    • memory/632-258-0x00000000024C0000-0x00000000024C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/632-20-0x00000000002E0000-0x00000000002E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/632-97-0x0000000000370000-0x0000000000371000-memory.dmp

      Filesize

      4KB

      Download

    • memory/632-10-0x00000000002C0000-0x00000000002C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2608-582-0x00000000003F0000-0x00000000003F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2928-902-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download