parallax | 9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3

General

Target

9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
Size

6.7MB
MD5

e7955b7487f9be142b49b64aa511bc7a
SHA1

6c644f1ca1226feaec45935e890504ac154d183c
SHA256

9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3
SHA512

e8c49950a6101c7d3cc73c6efd7343a84da2c293012eb7c33777244d1ed9c1b344d46ff81c691ad6c5ed2103cd51dbdd16fa73b9dbc93df07b3c0417e206b502

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/2692-6-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
12	2692	rundll32.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RQ.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RQ.exe	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 2692	512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe	76
PID 512 wrote to memory of 2692	512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe	76
PID 512 wrote to memory of 2692	512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe	76
PID 512 wrote to memory of 2692	512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe	76
PID 512 wrote to memory of 2692	512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe	76
PID 512 wrote to memory of 2692	512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe	76
PID 512 wrote to memory of 2692	512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe	76
PID 512 wrote to memory of 2692	512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe	76
PID 512 wrote to memory of 2692	512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe	76
PID 512 wrote to memory of 2692	512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe	76
PID 512 wrote to memory of 2692	512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe	76
PID 512 wrote to memory of 2692	512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe	76
PID 512 wrote to memory of 2692	512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe	76
PID 512 wrote to memory of 2692	512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe	76
PID 512 wrote to memory of 2692	512	9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe	76

C:\Users\Admin\AppData\Local\Temp\9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe
"C:\Users\Admin\AppData\Local\Temp\9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:512
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Users\Admin\AppData\Local\Temp\9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3.exe"
  2⤵
  - Blocklisted process makes network request
  PID:2692

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:2200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/512-2-0x0000000000F10000-0x0000000000F8B000-memory.dmp

Filesize
492KB

Download
memory/512-4-0x00000000027D0000-0x000000000295E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-5-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/2692-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing