parallax | 1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2

General

Target

1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
Size

3.2MB
MD5

e890b231731a69c7fcc252bf6d8b59d6
SHA1

74d0fb7d0d4f6e314e8cb92a506bbc3e33fad2cd
SHA256

1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2
SHA512

0751518e5ca71f023b6f0b09f48168ebfd9d2fa97c1ae4be70eddfc672517515b3b36a913e540a74fdd13edb958bfc341f1f6a7a86104c13cf9d7d9673085c86

Score

10^/10

parallax ransomware rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/1452-9-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	1452	rundll32.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Anydesk.exe	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 1452	1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe	30
PID 1040 wrote to memory of 1452	1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe	30
PID 1040 wrote to memory of 1452	1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe	30
PID 1040 wrote to memory of 1452	1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe	30
PID 1040 wrote to memory of 1452	1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe	30
PID 1040 wrote to memory of 1452	1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe	30
PID 1040 wrote to memory of 1452	1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe	30
PID 1040 wrote to memory of 1452	1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe	30
PID 1040 wrote to memory of 1452	1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe	30
PID 1040 wrote to memory of 1452	1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe	30
PID 1040 wrote to memory of 1452	1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe	30
PID 1040 wrote to memory of 1452	1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe	30
PID 1040 wrote to memory of 1452	1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe	30
PID 1040 wrote to memory of 1452	1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe	30
PID 1040 wrote to memory of 1452	1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe	30
PID 1040 wrote to memory of 1452	1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe	30
PID 1040 wrote to memory of 1452	1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe	30
PID 1040 wrote to memory of 1452	1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe	30
PID 1040 wrote to memory of 1452	1040	1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe	30

C:\Users\Admin\AppData\Local\Temp\1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe
"C:\Users\Admin\AppData\Local\Temp\1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Users\Admin\AppData\Local\Temp\1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2.exe"
  2⤵
  - Blocklisted process makes network request
  PID:1452

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1040-2-0x0000000076311000-0x0000000076313000-memory.dmp

Filesize
8KB

Download
memory/1040-3-0x0000000000320000-0x000000000039B000-memory.dmp

Filesize
492KB

Download
memory/1040-7-0x0000000002170000-0x00000000022F0000-memory.dmp

Filesize
1.5MB

Download
memory/1452-8-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1452-9-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing