Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-03-2023 10:56

General

  • Target

    parallaxhuge.exe

  • Size

    3.9MB

  • MD5

    40256ea622aa1d0678f5bde48b9aa0fb

  • SHA1

    ba9dc2820ff412f06ca986dd03af1880d5a60f41

  • SHA256

    c3a3c6015ffc1bc98b5a21f89e78049900e5796e67e098bead011a20a99e7b0d

  • SHA512

    04f9be55aeb88ff4f11b786f10e1bbcfa5cc1cf0b54f56d2d68fe067b0ada592f6aac93148cfbfe23916bbbe581669befebc4e95630f8c3e76303bc8e69ff450

  • SSDEEP

    6144:DYh6ApoWrujS9yeoh6VVK7xvYTMxgUHgufnKiXybpsb:0h6ApVruja5oh2K755KUH5nNXylS

Score
10/10

Malware Config

Signatures

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

  • ParallaxRat payload 9 IoCs

    Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    PID:388
    • C:\Users\Admin\AppData\Local\Temp\parallaxhuge.exe
      "C:\Users\Admin\AppData\Local\Temp\parallaxhuge.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
        "C:\Users\Admin\AppData\Local\Temp\parallaxhuge.exe"
        3⤵
          PID:2484
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
      1⤵
      • Drops startup file
      PID:5000

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/388-147-0x0000000001060000-0x0000000001061000-memory.dmp

      Filesize

      4KB

    • memory/1984-144-0x0000000002710000-0x00000000028B3000-memory.dmp

      Filesize

      1.6MB

    • memory/1984-151-0x0000000002580000-0x00000000025FB000-memory.dmp

      Filesize

      492KB

    • memory/1984-150-0x00000000033C0000-0x0000000003689000-memory.dmp

      Filesize

      2.8MB

    • memory/1984-149-0x0000000003300000-0x00000000033BE000-memory.dmp

      Filesize

      760KB

    • memory/1984-133-0x0000000002580000-0x00000000025FB000-memory.dmp

      Filesize

      492KB

    • memory/1984-148-0x00000000029C0000-0x0000000002AB0000-memory.dmp

      Filesize

      960KB

    • memory/2484-139-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/2484-143-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/2484-142-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/2484-145-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

      Filesize

      4KB

    • memory/2484-146-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/2484-141-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/2484-140-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/2484-138-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/2484-137-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/2484-136-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB