parallax | 533cda19ddd4581250a297e0c7a899cc7c215f0e3bbfbefcfcdf443c6ad2aaf0

Analysis

max time kernel
129s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-03-2023 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

angle.exe
Size

3.9MB
MD5

bbfd2735e39574dcfbc86322d870e811
SHA1

0f627fd2f71fd34425cd62007a8a4d276bff1435
SHA256

533cda19ddd4581250a297e0c7a899cc7c215f0e3bbfbefcfcdf443c6ad2aaf0
SHA512

49f209477423d9ad3b9a7744f6cd015e0c88a3ea2271f07274841c8d66ed8fc7edad03f3070343b1442e20d30cbc0be26fc90b303f123aaad90b378744a74d5a
SSDEEP

24576:bcqJge1JYGhCP3dbTb2XShCFVshuhBcomEl+11suoYx9liYtR+/K:EyXALoh+HZd

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 4 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/5064-142-0x0000000000400000-0x00000000007F0000-memory.dmp	parallax_rat
behavioral2/memory/5064-155-0x0000000000400000-0x00000000007F0000-memory.dmp	parallax_rat
behavioral2/memory/5064-167-0x0000000000400000-0x00000000007F0000-memory.dmp	parallax_rat
behavioral2/memory/5064-179-0x0000000000400000-0x00000000007F0000-memory.dmp	parallax_rat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WiFIDriver.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WiFIDriver.exe	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe
5064	angle.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3156	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3156	Explorer.EXE
3156	Explorer.EXE

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 3156	5064	angle.exe	46

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3156
- C:\Users\Admin\AppData\Local\Temp\angle.exe
  "C:\Users\Admin\AppData\Local\Temp\angle.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5064

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:3556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3156-137-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/5064-141-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/5064-143-0x0000000002A40000-0x0000000002B30000-memory.dmp

Filesize
960KB

Download
memory/5064-138-0x0000000002790000-0x0000000002933000-memory.dmp

Filesize
1.6MB

Download
memory/5064-140-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/5064-139-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/5064-133-0x0000000000400000-0x00000000007F0000-memory.dmp

Filesize
3.9MB

Download
memory/5064-142-0x0000000000400000-0x00000000007F0000-memory.dmp

Filesize
3.9MB

Download
memory/5064-134-0x0000000002710000-0x000000000278B000-memory.dmp

Filesize
492KB

Download
memory/5064-144-0x00000000031F0000-0x00000000032AE000-memory.dmp

Filesize
760KB

Download
memory/5064-145-0x00000000032B0000-0x0000000003579000-memory.dmp

Filesize
2.8MB

Download
memory/5064-146-0x0000000002710000-0x000000000278B000-memory.dmp

Filesize
492KB

Download
memory/5064-155-0x0000000000400000-0x00000000007F0000-memory.dmp

Filesize
3.9MB

Download
memory/5064-167-0x0000000000400000-0x00000000007F0000-memory.dmp

Filesize
3.9MB

Download
memory/5064-179-0x0000000000400000-0x00000000007F0000-memory.dmp

Filesize
3.9MB

Download