parallax | 725b94d66ecd5e1238401746bc89b063f4ffa5767995119d7bc23ab2ed827c03

Analysis

max time kernel
159s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
Size

2.3MB
MD5

e9f6a165d0e416dc8b7bd49465a3fa5c
SHA1

d06732939d2084d6db38d820079e840e00a6b4e6
SHA256

725b94d66ecd5e1238401746bc89b063f4ffa5767995119d7bc23ab2ed827c03
SHA512

8baa456ed97889252493663db848ea65f2cf956c81cf69096bfb0c2e76526afda0b73920e2794ad541f9f44773e4a339874b91f59a5dfc34eaa9bd2d1c7b93dd
SSDEEP

49152:8q3QscuJsVPCYc80pixEXY2QpvH8naf9Gion08x2sChdI:80nJsVPBcexz2QpvHqu9GioJ2sChdI

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 35 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/2700-4-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-5-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-6-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-7-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-8-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-9-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-10-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-12-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-11-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-13-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-14-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-15-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-16-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-17-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-19-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-20-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-18-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-23-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-32-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-33-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-34-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-35-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-36-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-37-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-38-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-40-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-41-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-42-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-43-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-44-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-45-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-46-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-47-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-48-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat
behavioral2/memory/2700-51-0x0000000003FB0000-0x0000000003FDC000-memory.dmp	parallax_rat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\webDAV.exe.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\webDAV.exe.exe	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 3508	2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe	99
PID 2700 wrote to memory of 3508	2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe	99
PID 2700 wrote to memory of 3508	2700	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe	99

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\UN.vbs"
  2⤵
  PID:3508

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UN.vbs

Filesize
712B

MD5
e937c7d1daff25728ba66b4071a16af2

SHA1
4a1014c65a9ee65921ed9cb8b1b6a78357dcc998

SHA256
23cc7bc705001770f1a413bf44009601914c0b9d007091345d03e121136b0286

SHA512
5c60065caf0acaa8494de2018d1621af2f893fbbba3ee1886909a0ab1296c571e033a7d61ef346f482c56d12841fd7ff4bcf7c63b1ebf421953f5abdad847797

Download Submit
memory/2700-22-0x0000000003220000-0x00000000032A0000-memory.dmp

Filesize
512KB

Download
memory/2700-20-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-5-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-6-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-7-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-8-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-9-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-10-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-12-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-11-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-13-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-14-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-15-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-16-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-17-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-19-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-0-0x0000000003220000-0x00000000032A0000-memory.dmp

Filesize
512KB

Download
memory/2700-18-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-4-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-21-0x0000000003300000-0x00000000033F0000-memory.dmp

Filesize
960KB

Download
memory/2700-34-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-32-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-33-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-23-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-35-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-36-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-37-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-38-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-1-0x0000000077EA2000-0x0000000077EA3000-memory.dmp

Filesize
4KB

Download
memory/2700-40-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-41-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-42-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-43-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-44-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-45-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-46-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-47-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-48-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download
memory/2700-51-0x0000000003FB0000-0x0000000003FDC000-memory.dmp

Filesize
176KB

Download