parallax | 30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c

General

Target

30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
Size

645KB
MD5

e68e0aebbf004b1fd55018a03e3b634f
SHA1

e97810b8a8f700dc7cdf284e774d74e975686d87
SHA256

30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c
SHA512

38da5d322a435a5ac2e2f6a322dbbff4f01a2d3a8b639aafde72000126bcfb8937f242570c334c819ad5728c5402cdd97a12750eef37ce8173c3b31950b2498a

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/1964-133-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ssl.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ssl.exe	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 1964	3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe	86
PID 3592 wrote to memory of 1964	3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe	86
PID 3592 wrote to memory of 1964	3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe	86
PID 3592 wrote to memory of 1964	3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe	86
PID 3592 wrote to memory of 1964	3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe	86
PID 3592 wrote to memory of 1964	3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe	86
PID 3592 wrote to memory of 1964	3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe	86
PID 3592 wrote to memory of 1964	3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe	86
PID 3592 wrote to memory of 1964	3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe	86
PID 3592 wrote to memory of 1964	3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe	86
PID 3592 wrote to memory of 1964	3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe	86
PID 3592 wrote to memory of 1964	3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe	86
PID 3592 wrote to memory of 1964	3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe	86
PID 3592 wrote to memory of 1964	3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe	86
PID 3592 wrote to memory of 1964	3592	30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe	86

C:\Users\Admin\AppData\Local\Temp\30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe
"C:\Users\Admin\AppData\Local\Temp\30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\SysWOW64\cmd.exe
  "C:\Users\Admin\AppData\Local\Temp\30296a1aab16dd65d0c66e283833c31b1c77151507ef7201580c35a64b49995c.exe"
  2⤵
  PID:1964

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:5028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1964-133-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3592-130-0x00000000026F0000-0x000000000276B000-memory.dmp

Filesize
492KB

Download
memory/3592-132-0x0000000002770000-0x0000000002913000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing