parallax | d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b

General

Target

d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe
Size

2.0MB
MD5

4abef812fd4cc15769b94ad459d0c5e2
SHA1

bb772e658af670d38efe94d075a0c57d312af6b1
SHA256

d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b
SHA512

fe77e6fbba1cf74df4e080948e3c341733167e0bb70bee34aae8175188cdf31e56e00fbaf7f39f65e9d4c4c489bbaea24b0bda522b67e5a2c365a223a385af02

Score

10^/10

parallax rat suricata upx

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/1036-84-0x0000000000400000-0x0000000000427000-memory.dmp	parallax_rat

suricata: ET MALWARE Parallax CnC Response Activity M14
suricata: ET MALWARE Parallax CnC Response Activity M14
suricata

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1036-84-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1264	schtasks.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1472	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	28
PID 1728 wrote to memory of 1472	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	28
PID 1728 wrote to memory of 1472	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	28
PID 1728 wrote to memory of 1472	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	28
PID 1472 wrote to memory of 1404	1472	cmd.exe	30
PID 1472 wrote to memory of 1404	1472	cmd.exe	30
PID 1472 wrote to memory of 1404	1472	cmd.exe	30
PID 1472 wrote to memory of 1404	1472	cmd.exe	30
PID 1728 wrote to memory of 976	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	31
PID 1728 wrote to memory of 976	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	31
PID 1728 wrote to memory of 976	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	31
PID 1728 wrote to memory of 976	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	31
PID 976 wrote to memory of 1264	976	cmd.exe	33
PID 976 wrote to memory of 1264	976	cmd.exe	33
PID 976 wrote to memory of 1264	976	cmd.exe	33
PID 976 wrote to memory of 1264	976	cmd.exe	33
PID 1728 wrote to memory of 1036	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	34
PID 1728 wrote to memory of 1036	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	34
PID 1728 wrote to memory of 1036	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	34
PID 1728 wrote to memory of 1036	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	34
PID 1728 wrote to memory of 1036	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	34
PID 1728 wrote to memory of 1036	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	34
PID 1728 wrote to memory of 1036	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	34
PID 1728 wrote to memory of 1036	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	34

C:\Users\Admin\AppData\Local\Temp\d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe
"C:\Users\Admin\AppData\Local\Temp\d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c xcopy "C:\Users\Admin\AppData\Local\Temp\d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe" "%AppData%\Security\" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe" "C:\Users\Admin\AppData\Roaming\Security\" /y
    3⤵
    - Enumerates system info in registry
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks /create /sc ONLOGON /tn "Security" /tr "%AppData%\Security\d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe" /it /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Users\Admin\AppData\Roaming\Security\d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe" /it /f
    3⤵
    - Creates scheduled task(s)
    PID:1264
- C:\Windows\SysWOW64\sxstrace.exe
  C:\Windows\System32\sxstrace.exe
  2⤵
  PID:1036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1036-84-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1036-70-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/1036-82-0x0000000001D50000-0x0000000001ED0000-memory.dmp

Filesize
1.5MB

Download
memory/1036-80-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/1036-83-0x0000000001D50000-0x0000000001ED0000-memory.dmp

Filesize
1.5MB

Download
memory/1036-85-0x0000000000417000-0x0000000000426000-memory.dmp

Filesize
60KB

Download
memory/1728-71-0x000000004A200000-0x000000004A24C000-memory.dmp

Filesize
304KB

Download
memory/1728-58-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1728-76-0x000000004A900000-0x000000004A94C000-memory.dmp

Filesize
304KB

Download
memory/1728-55-0x0000000075F41000-0x0000000075F43000-memory.dmp

Filesize
8KB

Download
memory/1728-75-0x000000004A200000-0x000000004A24C000-memory.dmp

Filesize
304KB

Download
memory/1728-72-0x000000004A200000-0x000000004A24C000-memory.dmp

Filesize
304KB

Download
memory/1728-73-0x000000004A200000-0x000000004A24C000-memory.dmp

Filesize
304KB

Download
memory/1728-74-0x000000004A200000-0x000000004A24C000-memory.dmp

Filesize
304KB

Download
memory/1728-68-0x0000000015910000-0x0000000015924000-memory.dmp

Filesize
80KB

Download
memory/1728-69-0x0000000015910000-0x0000000015924000-memory.dmp

Filesize
80KB

Download
memory/1728-63-0x00000000021B0000-0x0000000002330000-memory.dmp

Filesize
1.5MB

Download
memory/1728-79-0x000000004A900000-0x000000004A94C000-memory.dmp

Filesize
304KB

Download
memory/1728-62-0x00000000021B0000-0x0000000002330000-memory.dmp

Filesize
1.5MB

Download
memory/1728-77-0x000000004A900000-0x000000004A94C000-memory.dmp

Filesize
304KB

Download
memory/1728-61-0x00000000021B0000-0x0000000002330000-memory.dmp

Filesize
1.5MB

Download
memory/1728-60-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/1728-59-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1728-56-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads