parallax | 47d323fa25cbecde1f5e7b726ed33ad790872308c3a1bf9bd65037155792c11f

General

Target

R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
Size

2.6MB
MD5

240d2a26d3e54823a4c39f4b8f16cf92
SHA1

436e915e5a6287196fa345398c9b87263ce0dd11
SHA256

47d323fa25cbecde1f5e7b726ed33ad790872308c3a1bf9bd65037155792c11f
SHA512

dfde04b7bc42bdd4c98485a4c63b645692a5799b583e63ab77e6adde8f5fa82e4cd309cd6f936e9deb33e5c8b6031d328198ab3dc2e7d48d2347a89d47d0dac0
SSDEEP

49152:Eq3QscuJsVPCYc80pixEXY2QpvH8n6f9Giol08sVlHDGwxVW:E0nJsVPBcexz2QpvHqO9GioeHrI

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 5 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/2716-6-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2716-8-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2716-10-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2716-11-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2716-17-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\leger.exe	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2692	2716	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2716	2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe	29
PID 2144 wrote to memory of 2716	2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe	29
PID 2144 wrote to memory of 2716	2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe	29
PID 2144 wrote to memory of 2716	2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe	29
PID 2144 wrote to memory of 2716	2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe	29
PID 2144 wrote to memory of 2716	2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe	29
PID 2144 wrote to memory of 2716	2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe	29
PID 2144 wrote to memory of 2716	2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe	29
PID 2144 wrote to memory of 2716	2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe	29
PID 2144 wrote to memory of 2716	2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe	29
PID 2144 wrote to memory of 2716	2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe	29
PID 2144 wrote to memory of 2716	2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe	29
PID 2144 wrote to memory of 2716	2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe	29
PID 2144 wrote to memory of 2716	2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe	29
PID 2144 wrote to memory of 2716	2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe	29
PID 2144 wrote to memory of 2716	2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe	29
PID 2144 wrote to memory of 2716	2144	R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe	29
PID 2716 wrote to memory of 2692	2716	pipanel.exe	30
PID 2716 wrote to memory of 2692	2716	pipanel.exe	30
PID 2716 wrote to memory of 2692	2716	pipanel.exe	30
PID 2716 wrote to memory of 2692	2716	pipanel.exe	30

C:\Users\Admin\AppData\Local\Temp\R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe
"C:\Users\Admin\AppData\Local\Temp\R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
  "C:\Users\Admin\AppData\Local\Temp\R9Mj_iXL7N4fXntybtM615CHIwjDob_b1lA3FVeSwR8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 88
    3⤵
    - Program crash
    PID:2692

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2144-0-0x0000000002040000-0x00000000020C0000-memory.dmp

Filesize
512KB

Download
memory/2144-1-0x000000007709F000-0x00000000770A0000-memory.dmp

Filesize
4KB

Download
memory/2144-21-0x0000000002040000-0x00000000020C0000-memory.dmp

Filesize
512KB

Download
memory/2716-11-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2716-8-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2716-10-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2716-6-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2716-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2716-17-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2716-16-0x000000007709F000-0x00000000770A0000-memory.dmp

Filesize
4KB

Download
memory/2716-20-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2716-4-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2716-15-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing