parallax | bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4

General

Target

bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4.exe
Size

2.4MB
MD5

3fbf2dadf2ae2aa59c175683a54f315e
SHA1

f9a5e44e563b1794477e70d1a0f368cc489a2d3c
SHA256

bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4
SHA512

a151a669baa2a86f21c13a22fbc4c627fb693be587081dd790555ac94fe88a587b988a6a89c68753288db1cbf9e1040aaf1848e05696a04936d8721669912884

Score

10^/10

parallax rat suricata

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/804-124-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

suricata: ET MALWARE Parallax CnC Response Activity M14
suricata: ET MALWARE Parallax CnC Response Activity M14
suricata
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2680	bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4.exe
2680	bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4.exe
2680	bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4.exe
2680	bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2680	bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4.exe
2680	bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2680	bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 584	2680	bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4.exe	68
PID 2680 wrote to memory of 584	2680	bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4.exe	68
PID 2680 wrote to memory of 584	2680	bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4.exe	68
PID 2680 wrote to memory of 804	2680	bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4.exe	69
PID 2680 wrote to memory of 804	2680	bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4.exe	69
PID 2680 wrote to memory of 804	2680	bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4.exe	69
PID 2680 wrote to memory of 804	2680	bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4.exe	69
PID 2680 wrote to memory of 804	2680	bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4.exe	69
PID 2680 wrote to memory of 804	2680	bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4.exe	69
PID 2680 wrote to memory of 804	2680	bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4.exe	69

C:\Users\Admin\AppData\Local\Temp\bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4.exe
"C:\Users\Admin\AppData\Local\Temp\bd4d52cc6d6a213f9582edcf7d40664e4804f495bb6a6bfd0fc06be4a2b832d4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:584
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/804-119-0x0000000000F00000-0x0000000000F02000-memory.dmp

Filesize
8KB

Download
memory/804-122-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/804-121-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/804-123-0x0000000000F00000-0x0000000000F02000-memory.dmp

Filesize
8KB

Download
memory/804-124-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2680-118-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing