parallax | 33d9519d65da8386ae91a80fe584137ff1df6d0120f15ee665846d005b0d92ba

Resubmissions

21-02-2023 10:43

230221-mr8kmagd3x 10

21-02-2023 10:16

230221-ma4kcagc5z 10

Analysis

max time kernel
95s
max time network
99s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-02-2023 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

116KB
MD5

c06bae41558e6f75843cb5efd3109526
SHA1

358711f6526ada2c90cc17f036298672c88c97cf
SHA256

33d9519d65da8386ae91a80fe584137ff1df6d0120f15ee665846d005b0d92ba
SHA512

cc79158e66f510f50ae3f3cbeee6d347057420c7e11af79f0f5d2bafa4bd4482f932ed66fea2cff2db8c94a3711d85b51fc8c028e2bdfddd1646a1c6593216c5
SSDEEP

3072:3O5r2flhPLgTzGqrebmBQE7meFv3Jv00zR:3O5fzGo5u4pz

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 2 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/1048-54-0x0000000000400000-0x0000000000426000-memory.dmp	parallax_rat
behavioral1/memory/1048-57-0x0000000000400000-0x0000000000426000-memory.dmp	parallax_rat

Deletes itself 1 IoCs

pid	Process
1060	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1060	1048	test.exe	27
PID 1048 wrote to memory of 1060	1048	test.exe	27
PID 1048 wrote to memory of 1060	1048	test.exe	27
PID 1048 wrote to memory of 1060	1048	test.exe	27

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\UN.vbs"
  2⤵
  - Deletes itself
  PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UN.vbs

Filesize
624B

MD5
906219c77e02413defe891fbd98e0d91

SHA1
7ffad09149fdb957996b1c8d97b7c72d4e861c01

SHA256
86578d5154be1ff430b07086a009fcfca2f54f6aff3248f3a34bdb89871f63d6

SHA512
e21042b2de023596f92f5ed7bf0ffe534afba34e0da90223b83be0d74d0f81356f06011f4c02cf4165992c288a27bfa8bdb745089f0ada9922aa22031a211d51

Download Submit
memory/1048-54-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1048-57-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download