parallax | d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b

General

Target

d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe
Size

2.0MB
MD5

4abef812fd4cc15769b94ad459d0c5e2
SHA1

bb772e658af670d38efe94d075a0c57d312af6b1
SHA256

d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b
SHA512

fe77e6fbba1cf74df4e080948e3c341733167e0bb70bee34aae8175188cdf31e56e00fbaf7f39f65e9d4c4c489bbaea24b0bda522b67e5a2c365a223a385af02

Score

10^/10

parallax rat suricata upx

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

Processes:

resource	yara_rule
behavioral1/memory/1036-84-0x0000000000400000-0x0000000000427000-memory.dmp	parallax_rat

suricata: ET MALWARE Parallax CnC Response Activity M14
suricata: ET MALWARE Parallax CnC Response Activity M14
suricata

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1036-84-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1264 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

xcopy.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe

pid process

1728 d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe

pid process

1728 d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe

pid process

1728 d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe

pid	process
1264	schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

pid	process
1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe

pid	process
1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe

pid	process
1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.execmd.execmd.exe

description	pid	process	target process
PID 1728 wrote to memory of 1472	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	cmd.exe
PID 1728 wrote to memory of 1472	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	cmd.exe
PID 1728 wrote to memory of 1472	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	cmd.exe
PID 1728 wrote to memory of 1472	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	cmd.exe
PID 1472 wrote to memory of 1404	1472	cmd.exe	xcopy.exe
PID 1472 wrote to memory of 1404	1472	cmd.exe	xcopy.exe
PID 1472 wrote to memory of 1404	1472	cmd.exe	xcopy.exe
PID 1472 wrote to memory of 1404	1472	cmd.exe	xcopy.exe
PID 1728 wrote to memory of 976	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	cmd.exe
PID 1728 wrote to memory of 976	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	cmd.exe
PID 1728 wrote to memory of 976	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	cmd.exe
PID 1728 wrote to memory of 976	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	cmd.exe
PID 976 wrote to memory of 1264	976	cmd.exe	schtasks.exe
PID 976 wrote to memory of 1264	976	cmd.exe	schtasks.exe
PID 976 wrote to memory of 1264	976	cmd.exe	schtasks.exe
PID 976 wrote to memory of 1264	976	cmd.exe	schtasks.exe
PID 1728 wrote to memory of 1036	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	sxstrace.exe
PID 1728 wrote to memory of 1036	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	sxstrace.exe
PID 1728 wrote to memory of 1036	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	sxstrace.exe
PID 1728 wrote to memory of 1036	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	sxstrace.exe
PID 1728 wrote to memory of 1036	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	sxstrace.exe
PID 1728 wrote to memory of 1036	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	sxstrace.exe
PID 1728 wrote to memory of 1036	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	sxstrace.exe
PID 1728 wrote to memory of 1036	1728	d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe	sxstrace.exe

C:\Users\Admin\AppData\Local\Temp\d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe
"C:\Users\Admin\AppData\Local\Temp\d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd /c xcopy "C:\Users\Admin\AppData\Local\Temp\d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe" "%AppData%\Security\" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Temp\d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe" "C:\Users\Admin\AppData\Roaming\Security\" /y
3⤵
- Enumerates system info in registry
PID:1404

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /create /sc ONLOGON /tn "Security" /tr "%AppData%\Security\d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe" /it /f
2⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Users\Admin\AppData\Roaming\Security\d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b.exe" /it /f
3⤵
- Creates scheduled task(s)
PID:1264

C:\Windows\SysWOW64\sxstrace.exe
C:\Windows\System32\sxstrace.exe
2⤵
PID:1036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/976-66-0x0000000000000000-mapping.dmp

Download
memory/1036-78-0x0000000000000000-mapping.dmp

Download
memory/1036-84-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1036-70-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/1036-82-0x0000000001D50000-0x0000000001ED0000-memory.dmp

Filesize
1.5MB

Download
memory/1036-80-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/1036-83-0x0000000001D50000-0x0000000001ED0000-memory.dmp

Filesize
1.5MB

Download
memory/1036-85-0x0000000000417000-0x0000000000426000-memory.dmp

Filesize
60KB

Download
memory/1264-67-0x0000000000000000-mapping.dmp

Download
memory/1404-65-0x0000000000000000-mapping.dmp

Download
memory/1472-64-0x0000000000000000-mapping.dmp

Download
memory/1728-71-0x000000004A200000-0x000000004A24C000-memory.dmp

Filesize
304KB

Download
memory/1728-58-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1728-76-0x000000004A900000-0x000000004A94C000-memory.dmp

Filesize
304KB

Download
memory/1728-55-0x0000000075F41000-0x0000000075F43000-memory.dmp

Filesize
8KB

Download
memory/1728-75-0x000000004A200000-0x000000004A24C000-memory.dmp

Filesize
304KB

Download
memory/1728-72-0x000000004A200000-0x000000004A24C000-memory.dmp

Filesize
304KB

Download
memory/1728-73-0x000000004A200000-0x000000004A24C000-memory.dmp

Filesize
304KB

Download
memory/1728-74-0x000000004A200000-0x000000004A24C000-memory.dmp

Filesize
304KB

Download
memory/1728-68-0x0000000015910000-0x0000000015924000-memory.dmp

Filesize
80KB

Download
memory/1728-69-0x0000000015910000-0x0000000015924000-memory.dmp

Filesize
80KB

Download
memory/1728-63-0x00000000021B0000-0x0000000002330000-memory.dmp

Filesize
1.5MB

Download
memory/1728-79-0x000000004A900000-0x000000004A94C000-memory.dmp

Filesize
304KB

Download
memory/1728-62-0x00000000021B0000-0x0000000002330000-memory.dmp

Filesize
1.5MB

Download
memory/1728-77-0x000000004A900000-0x000000004A94C000-memory.dmp

Filesize
304KB

Download
memory/1728-61-0x00000000021B0000-0x0000000002330000-memory.dmp

Filesize
1.5MB

Download
memory/1728-60-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/1728-59-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1728-56-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads