parallax | 45a2d3f5d335b45b143d0f66cf50e5478e36a104d08d328099cb14fb9f5a827d

Analysis

max time kernel
149s
max time network
151s
platform
windows10_x64
resource
win10v20201028
submitted
05-12-2020 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

1.2MB
MD5

33002b60b9e6fd6307e2eeaf2bcf78b6
SHA1

1e641d295cbe6c6d27f03eda190e1470a83e5d98
SHA256

829fce14ac8b9ad293076c16a1750502c6b303123c9bd0fb17c1772330577d65
SHA512

00090799c2317aec2f16553a49ca1dcc8add6bc550f0fc4a05826aa32366b845655ed9294cbbf3dd2b0e83c6fef9bcd25e90662de36e11218fb711fe9e203c80

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/3912-4-0x000000000D410000-0x000000000D43B000-memory.dmp	parallax_rat

Blocklisted process makes network request 76 IoCs

flow	pid	Process
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe
24	1512	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\iexplore.job	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2432	sample.exe
3912	mstsc.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3912	mstsc.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3148	powershell.exe
Token: SeIncreaseQuotaPrivilege	3148	powershell.exe
Token: SeSecurityPrivilege	3148	powershell.exe
Token: SeTakeOwnershipPrivilege	3148	powershell.exe
Token: SeLoadDriverPrivilege	3148	powershell.exe
Token: SeSystemProfilePrivilege	3148	powershell.exe
Token: SeSystemtimePrivilege	3148	powershell.exe
Token: SeProfSingleProcessPrivilege	3148	powershell.exe
Token: SeIncBasePriorityPrivilege	3148	powershell.exe
Token: SeCreatePagefilePrivilege	3148	powershell.exe
Token: SeBackupPrivilege	3148	powershell.exe
Token: SeRestorePrivilege	3148	powershell.exe
Token: SeShutdownPrivilege	3148	powershell.exe
Token: SeDebugPrivilege	3148	powershell.exe
Token: SeSystemEnvironmentPrivilege	3148	powershell.exe
Token: SeRemoteShutdownPrivilege	3148	powershell.exe
Token: SeUndockPrivilege	3148	powershell.exe
Token: SeManageVolumePrivilege	3148	powershell.exe
Token: 33	3148	powershell.exe
Token: 34	3148	powershell.exe
Token: 35	3148	powershell.exe
Token: 36	3148	powershell.exe

Suspicious use of WriteProcessMemory 163 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 2432 wrote to memory of 3912	2432	sample.exe	75
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3912 wrote to memory of 1512	3912	mstsc.exe	79
PID 3260 wrote to memory of 200	3260	DllHost.exe	83
PID 3260 wrote to memory of 200	3260	DllHost.exe	83
PID 200 wrote to memory of 3148	200	cmd.exe	86
PID 200 wrote to memory of 3148	200	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\system32\mstsc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    PID:1512

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:3260
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "powershell.exe -command "Set-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1985363256-3005190890-1182679451-1000\"""
  2⤵
  PID:200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1985363256-3005190890-1182679451-1000\""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3148-9-0x00007FFD88300000-0x00007FFD88CEC000-memory.dmp

Filesize
9.9MB

Download
memory/3148-10-0x000001E4B8580000-0x000001E4B8581000-memory.dmp

Filesize
4KB

Download
memory/3148-11-0x000001E4B8730000-0x000001E4B8731000-memory.dmp

Filesize
4KB

Download
memory/3912-3-0x000000000CF00000-0x000000000CF36000-memory.dmp

Filesize
216KB

Download
memory/3912-4-0x000000000D410000-0x000000000D43B000-memory.dmp

Filesize
172KB

Download