parallax | 33d9519d65da8386ae91a80fe584137ff1df6d0120f15ee665846d005b0d92ba

Resubmissions

21-02-2023 10:43

230221-mr8kmagd3x 10

21-02-2023 10:16

230221-ma4kcagc5z 10

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2023 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

116KB
MD5

c06bae41558e6f75843cb5efd3109526
SHA1

358711f6526ada2c90cc17f036298672c88c97cf
SHA256

33d9519d65da8386ae91a80fe584137ff1df6d0120f15ee665846d005b0d92ba
SHA512

cc79158e66f510f50ae3f3cbeee6d347057420c7e11af79f0f5d2bafa4bd4482f932ed66fea2cff2db8c94a3711d85b51fc8c028e2bdfddd1646a1c6593216c5
SSDEEP

3072:3O5r2flhPLgTzGqrebmBQE7meFv3Jv00zR:3O5fzGo5u4pz

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 3 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/2444-133-0x0000000000400000-0x0000000000426000-memory.dmp	parallax_rat
behavioral2/memory/2444-134-0x0000000000400000-0x0000000000426000-memory.dmp	parallax_rat
behavioral2/memory/2444-137-0x0000000000400000-0x0000000000426000-memory.dmp	parallax_rat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	test.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2028	2444	test.exe	80
PID 2444 wrote to memory of 2028	2444	test.exe	80
PID 2444 wrote to memory of 2028	2444	test.exe	80

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\UN.vbs"
  2⤵
  PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UN.vbs

Filesize
624B

MD5
21f9710d1bc41bf544ac982d8c18d2cf

SHA1
e427fe064e83700cb58e00ed2fd0bed2482e17d4

SHA256
8702da8047927cb9b4634d80625a0383679e85207b4a0b7060fe7bdb595013a3

SHA512
3b4222a36e4931a5bd5d45a17751520f66a55fff2b28a1792c13fdaa355139a99e657fcb4182477f2fc1dcff4be55e4c7cc330468338c47d14da2337fb711960

Download Submit
memory/2444-133-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2444-134-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2444-137-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download