parallax | 1c10a7cf57b58de1cb5d0a6e1369a2cf5dd74fc1593c45b991dde7605ff01486

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7v20201028
submitted
01-02-2021 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feedback_form.exe
Size

1.9MB
MD5

5431a710d8a0c6bc319125ea7c40efd1
SHA1

ae52c3ea465ced7137948a7be6630231affb94a0
SHA256

1c10a7cf57b58de1cb5d0a6e1369a2cf5dd74fc1593c45b991dde7605ff01486
SHA512

80910c4f85f680877cf59a5ceaea703a459636dd9e473febff1d35c3c0dc5405099ce604b0a9b98847b78b0b7b550b007fdb19a2ed7ab08f9587fdb30724d727

Score

10^/10

parallax ransomware rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/1344-10-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Blocklisted process makes network request 91 IoCs

flow	pid	Process
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe
5	1344	rundll32.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Protogent.exe	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1732	feedback_form.exe
1732	feedback_form.exe
1732	feedback_form.exe
1732	feedback_form.exe
1732	feedback_form.exe
1732	feedback_form.exe
1732	feedback_form.exe
1732	feedback_form.exe
1732	feedback_form.exe
1732	feedback_form.exe
1732	feedback_form.exe
1732	feedback_form.exe
1732	feedback_form.exe
1732	feedback_form.exe
1732	feedback_form.exe
1732	feedback_form.exe
1732	feedback_form.exe
1732	feedback_form.exe
1732	feedback_form.exe
1732	feedback_form.exe
1732	feedback_form.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1344	1732	feedback_form.exe	30
PID 1732 wrote to memory of 1344	1732	feedback_form.exe	30
PID 1732 wrote to memory of 1344	1732	feedback_form.exe	30
PID 1732 wrote to memory of 1344	1732	feedback_form.exe	30
PID 1732 wrote to memory of 1344	1732	feedback_form.exe	30
PID 1732 wrote to memory of 1344	1732	feedback_form.exe	30
PID 1732 wrote to memory of 1344	1732	feedback_form.exe	30
PID 1732 wrote to memory of 1344	1732	feedback_form.exe	30
PID 1732 wrote to memory of 1344	1732	feedback_form.exe	30
PID 1732 wrote to memory of 1344	1732	feedback_form.exe	30
PID 1732 wrote to memory of 1344	1732	feedback_form.exe	30
PID 1732 wrote to memory of 1344	1732	feedback_form.exe	30
PID 1732 wrote to memory of 1344	1732	feedback_form.exe	30
PID 1732 wrote to memory of 1344	1732	feedback_form.exe	30
PID 1732 wrote to memory of 1344	1732	feedback_form.exe	30
PID 1732 wrote to memory of 1344	1732	feedback_form.exe	30
PID 1732 wrote to memory of 1344	1732	feedback_form.exe	30
PID 1732 wrote to memory of 1344	1732	feedback_form.exe	30
PID 1732 wrote to memory of 1344	1732	feedback_form.exe	30

C:\Users\Admin\AppData\Local\Temp\feedback_form.exe
"C:\Users\Admin\AppData\Local\Temp\feedback_form.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Users\Admin\AppData\Local\Temp\feedback_form.exe"
  2⤵
  - Blocklisted process makes network request
  PID:1344

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1344-9-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1344-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1732-2-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1732-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1732-7-0x0000000001FB0000-0x000000000202B000-memory.dmp

Filesize
492KB

Download
memory/1732-8-0x0000000002110000-0x0000000002290000-memory.dmp

Filesize
1.5MB

Download