Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 13-02-2024 23:35

Static task: static1
Behavioral task: behavioral1
- Sample: 9a35dda6735102f5aac7876c73f7863a.exe
- Resource: win7-20231129-en (windows7-x64)
- 5 signatures
- 150 seconds
General
- Target: 9a35dda6735102f5aac7876c73f7863a.exe
- Size: 3.4MB
- MD5: 9a35dda6735102f5aac7876c73f7863a
- SHA1: a3024cae3ab158800dbaa0f1de903ef12270cd83
- SHA256: 7220bd358f7a359fba4e076252af1c06eddf175463b32a03aa1d59b199c684de
- SHA512: d02924c32a3abe9f411fa8247e36af462869618fb36df887c9426d0d21193117f6f91ed374aeeb9b3c6035b0a4c5542b47403355bd0e587d1a76431d522c7d8b
- SSDEEP: 49152:1wFa6xRMO/S5iS40B1sY4W3vsDPTEPFrHZIR9:8xqO44W3vsDGVHZE
Malware Config
Signatures
- ParallaxRat payload (19 IoCs)
  Detects the payload of Parallax RAT, a small portable RAT usually digitally signed with a Sectigo certificate.
- Blocklisted process makes network request (64 IoCs)
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  pid   Process
  2880  9a35dda6735102f5aac7876c73f7863a.exe   (22 identical entries)
- Suspicious use of WriteProcessMemory (20 IoCs)
  description                        pid   Process                                procid_target
  PID 2880 wrote to memory of 2956   2880  9a35dda6735102f5aac7876c73f7863a.exe   28   (19 identical entries)
  PID 2880 wrote to memory of 1380   2880  9a35dda6735102f5aac7876c73f7863a.exe   8
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), depth 1, PID 1380
  - C:\Users\Admin\AppData\Local\Temp\9a35dda6735102f5aac7876c73f7863a.exe (command line: "C:\Users\Admin\AppData\Local\Temp\9a35dda6735102f5aac7876c73f7863a.exe"), depth 2, PID 2880
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (command line: "C:\Users\Admin\AppData\Local\Temp\9a35dda6735102f5aac7876c73f7863a.exe"), depth 3, PID 2956
      - Blocklisted process makes network request