parallax | cd41b2a08b3b38cd8ce7a2420a635bd1d1780bce12218f93ee6f2366a19e2aeb

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
24-07-2022 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd41b2a08b3b38cd8ce7a2420a635bd1d1780bce12218f93ee6f2366a19e2aeb.exe
Size

350KB
MD5

0042ed673ace6ada1be98d420fd4b20d
SHA1

ddb1c86576679bebeeacccbb5bd0abd3f3700b7a
SHA256

cd41b2a08b3b38cd8ce7a2420a635bd1d1780bce12218f93ee6f2366a19e2aeb
SHA512

5beac2451ab5f589989c50dafb0efff8221b4cd96929652acb9ae442b8f685eb493e3cc2a5eadc491de4eb9a160a1cc84b4e73d718e5632675fa3546be1a7f4d

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 2 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/1660-80-0x0000000000400000-0x0000000000429000-memory.dmp	parallax_rat
behavioral1/memory/1660-81-0x0000000000400000-0x0000000000429000-memory.dmp	parallax_rat

Blocklisted process makes network request 46 IoCs

flow	pid	Process
3	1660	cmd.exe
5	1660	cmd.exe
7	1660	cmd.exe
9	1660	cmd.exe
11	1660	cmd.exe
13	1660	cmd.exe
15	1660	cmd.exe
17	1660	cmd.exe
19	1660	cmd.exe
21	1660	cmd.exe
23	1660	cmd.exe
25	1660	cmd.exe
27	1660	cmd.exe
29	1660	cmd.exe
31	1660	cmd.exe
33	1660	cmd.exe
35	1660	cmd.exe
37	1660	cmd.exe
39	1660	cmd.exe
41	1660	cmd.exe
43	1660	cmd.exe
45	1660	cmd.exe
47	1660	cmd.exe
49	1660	cmd.exe
51	1660	cmd.exe
53	1660	cmd.exe
55	1660	cmd.exe
57	1660	cmd.exe
59	1660	cmd.exe
61	1660	cmd.exe
63	1660	cmd.exe
65	1660	cmd.exe
67	1660	cmd.exe
69	1660	cmd.exe
71	1660	cmd.exe
73	1660	cmd.exe
75	1660	cmd.exe
77	1660	cmd.exe
79	1660	cmd.exe
81	1660	cmd.exe
83	1660	cmd.exe
85	1660	cmd.exe
87	1660	cmd.exe
89	1660	cmd.exe
91	1660	cmd.exe
93	1660	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1992	guessing.exe

Loads dropped DLL 3 IoCs

pid	Process
2024	cd41b2a08b3b38cd8ce7a2420a635bd1d1780bce12218f93ee6f2366a19e2aeb.exe
2024	cd41b2a08b3b38cd8ce7a2420a635bd1d1780bce12218f93ee6f2366a19e2aeb.exe
1992	guessing.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\completedir\	cd41b2a08b3b38cd8ce7a2420a635bd1d1780bce12218f93ee6f2366a19e2aeb.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	guessing.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1992	guessing.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1992	guessing.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1992	2024	cd41b2a08b3b38cd8ce7a2420a635bd1d1780bce12218f93ee6f2366a19e2aeb.exe	27
PID 2024 wrote to memory of 1992	2024	cd41b2a08b3b38cd8ce7a2420a635bd1d1780bce12218f93ee6f2366a19e2aeb.exe	27
PID 2024 wrote to memory of 1992	2024	cd41b2a08b3b38cd8ce7a2420a635bd1d1780bce12218f93ee6f2366a19e2aeb.exe	27
PID 2024 wrote to memory of 1992	2024	cd41b2a08b3b38cd8ce7a2420a635bd1d1780bce12218f93ee6f2366a19e2aeb.exe	27
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28
PID 1992 wrote to memory of 1660	1992	guessing.exe	28

C:\Users\Admin\AppData\Local\Temp\cd41b2a08b3b38cd8ce7a2420a635bd1d1780bce12218f93ee6f2366a19e2aeb.exe
"C:\Users\Admin\AppData\Local\Temp\cd41b2a08b3b38cd8ce7a2420a635bd1d1780bce12218f93ee6f2366a19e2aeb.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\guessing.exe
  C:\Users\Admin\AppData\Local\Temp\guessing.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Builtin

Filesize
163KB

MD5
261c683eb0fba130299bf273ad91b975

SHA1
49c25a2d2b335d5eb700e8d3e4fc43aa8ceeaa4c

SHA256
a0f9bef2c730a376cb50bdbea423f7de3b647f45ef003d52cf7620e695d08e75

SHA512
f0bdc17cd8055ff39e587476d6719cd77dae1a63b005be25b0492dfa89f00777c679a3f7065b3ea05716e1d2ac5933e349b279e8b3a493d19ca2a333a783edff

Download Submit
C:\Users\Admin\AppData\Local\Temp\PeeveBandsman.DLL

Filesize
100KB

MD5
9d7c1c86f699f3299e0c99d19c74a9c5

SHA1
fd2516877080db1da99b0928659920652c153415

SHA256
e64593a325db15dfa270c34307811946f10871ea0351ce40c45235d295150535

SHA512
5db3d4cbd8e1101e81377e6d00e963af29821f4349ef3cbf877ab85afae1cea21a12674fa7d42fe922f146f8e51c9df915188496d0095d1c675653570eadae85

Download Submit
C:\Users\Admin\AppData\Local\Temp\guessing.exe

Filesize
40KB

MD5
41a4bc59882726d6d5f492e5d4c9e0ba

SHA1
6da4ec61d8d63e177db748f711c047bebd86bdb9

SHA256
f03c91d1d1e6cf12570e38c277b9726715dbdaafed7ada1d3bbc086547616315

SHA512
0a666c4c0316bf788f5cacb2ebfcb50f65daf7843617afea58ae4134ff14061fb6e67247411ab9dc7133a824c6fabfbec6e6de4c94f21c8dbea83e3e10cb13de

Download Submit
\Users\Admin\AppData\Local\Temp\PeeveBandsman.dll

Filesize
100KB

MD5
9d7c1c86f699f3299e0c99d19c74a9c5

SHA1
fd2516877080db1da99b0928659920652c153415

SHA256
e64593a325db15dfa270c34307811946f10871ea0351ce40c45235d295150535

SHA512
5db3d4cbd8e1101e81377e6d00e963af29821f4349ef3cbf877ab85afae1cea21a12674fa7d42fe922f146f8e51c9df915188496d0095d1c675653570eadae85

Download Submit
\Users\Admin\AppData\Local\Temp\guessing.exe

Filesize
40KB

MD5
41a4bc59882726d6d5f492e5d4c9e0ba

SHA1
6da4ec61d8d63e177db748f711c047bebd86bdb9

SHA256
f03c91d1d1e6cf12570e38c277b9726715dbdaafed7ada1d3bbc086547616315

SHA512
0a666c4c0316bf788f5cacb2ebfcb50f65daf7843617afea58ae4134ff14061fb6e67247411ab9dc7133a824c6fabfbec6e6de4c94f21c8dbea83e3e10cb13de

Download Submit
\Users\Admin\AppData\Local\Temp\guessing.exe

Filesize
40KB

MD5
41a4bc59882726d6d5f492e5d4c9e0ba

SHA1
6da4ec61d8d63e177db748f711c047bebd86bdb9

SHA256
f03c91d1d1e6cf12570e38c277b9726715dbdaafed7ada1d3bbc086547616315

SHA512
0a666c4c0316bf788f5cacb2ebfcb50f65daf7843617afea58ae4134ff14061fb6e67247411ab9dc7133a824c6fabfbec6e6de4c94f21c8dbea83e3e10cb13de

Download Submit
memory/1660-73-0x00000000000D0000-0x00000000000D6000-memory.dmp

Filesize
24KB

Download
memory/1660-74-0x0000000076CE0000-0x0000000076E89000-memory.dmp

Filesize
1.7MB

Download
memory/1660-80-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1660-81-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-62-0x00000000001D0000-0x00000000001D7000-memory.dmp

Filesize
28KB

Download
memory/1992-68-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/1992-70-0x0000000000410000-0x0000000000431000-memory.dmp

Filesize
132KB

Download
memory/1992-71-0x0000000076CE0000-0x0000000076E89000-memory.dmp

Filesize
1.7MB

Download
memory/2024-54-0x0000000074E11000-0x0000000074E13000-memory.dmp

Filesize
8KB

Download