parallax | c3a3c6015ffc1bc98b5a21f89e78049900e5796e67e098bead011a20a99e7b0d

General

Target

parallaxhuge.exe
Size

3.9MB
MD5

40256ea622aa1d0678f5bde48b9aa0fb
SHA1

ba9dc2820ff412f06ca986dd03af1880d5a60f41
SHA256

c3a3c6015ffc1bc98b5a21f89e78049900e5796e67e098bead011a20a99e7b0d
SHA512

04f9be55aeb88ff4f11b786f10e1bbcfa5cc1cf0b54f56d2d68fe067b0ada592f6aac93148cfbfe23916bbbe581669befebc4e95630f8c3e76303bc8e69ff450
SSDEEP

6144:DYh6ApoWrujS9yeoh6VVK7xvYTMxgUHgufnKiXybpsb:0h6ApVruja5oh2K755KUH5nNXylS

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 9 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/2484-136-0x0000000000400000-0x0000000000426000-memory.dmp	parallax_rat
behavioral2/memory/2484-137-0x0000000000400000-0x0000000000426000-memory.dmp	parallax_rat
behavioral2/memory/2484-138-0x0000000000400000-0x0000000000426000-memory.dmp	parallax_rat
behavioral2/memory/2484-139-0x0000000000400000-0x0000000000426000-memory.dmp	parallax_rat
behavioral2/memory/2484-140-0x0000000000400000-0x0000000000426000-memory.dmp	parallax_rat
behavioral2/memory/2484-141-0x0000000000400000-0x0000000000426000-memory.dmp	parallax_rat
behavioral2/memory/2484-142-0x0000000000400000-0x0000000000426000-memory.dmp	parallax_rat
behavioral2/memory/2484-143-0x0000000000400000-0x0000000000426000-memory.dmp	parallax_rat
behavioral2/memory/2484-146-0x0000000000400000-0x0000000000426000-memory.dmp	parallax_rat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milk.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milk.exe	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe
1984	parallaxhuge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
388	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2484	1984	parallaxhuge.exe	86
PID 1984 wrote to memory of 2484	1984	parallaxhuge.exe	86
PID 1984 wrote to memory of 2484	1984	parallaxhuge.exe	86
PID 1984 wrote to memory of 2484	1984	parallaxhuge.exe	86
PID 1984 wrote to memory of 2484	1984	parallaxhuge.exe	86
PID 1984 wrote to memory of 2484	1984	parallaxhuge.exe	86
PID 1984 wrote to memory of 2484	1984	parallaxhuge.exe	86
PID 1984 wrote to memory of 2484	1984	parallaxhuge.exe	86
PID 1984 wrote to memory of 2484	1984	parallaxhuge.exe	86
PID 1984 wrote to memory of 2484	1984	parallaxhuge.exe	86
PID 1984 wrote to memory of 2484	1984	parallaxhuge.exe	86
PID 1984 wrote to memory of 2484	1984	parallaxhuge.exe	86
PID 1984 wrote to memory of 2484	1984	parallaxhuge.exe	86
PID 1984 wrote to memory of 2484	1984	parallaxhuge.exe	86
PID 1984 wrote to memory of 2484	1984	parallaxhuge.exe	86
PID 1984 wrote to memory of 388	1984	parallaxhuge.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:388
- C:\Users\Admin\AppData\Local\Temp\parallaxhuge.exe
  "C:\Users\Admin\AppData\Local\Temp\parallaxhuge.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
    "C:\Users\Admin\AppData\Local\Temp\parallaxhuge.exe"
    3⤵
    PID:2484

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:5000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/388-147-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/1984-144-0x0000000002710000-0x00000000028B3000-memory.dmp

Filesize
1.6MB

Download
memory/1984-151-0x0000000002580000-0x00000000025FB000-memory.dmp

Filesize
492KB

Download
memory/1984-150-0x00000000033C0000-0x0000000003689000-memory.dmp

Filesize
2.8MB

Download
memory/1984-149-0x0000000003300000-0x00000000033BE000-memory.dmp

Filesize
760KB

Download
memory/1984-133-0x0000000002580000-0x00000000025FB000-memory.dmp

Filesize
492KB

Download
memory/1984-148-0x00000000029C0000-0x0000000002AB0000-memory.dmp

Filesize
960KB

Download
memory/2484-139-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2484-143-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2484-142-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2484-145-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/2484-146-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2484-141-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2484-140-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2484-138-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2484-137-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2484-136-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing