parallax | 4ab16b326be00b6647ab0253f498dc286d6881b993cb5f95284c2db101b92c75

General

Target

fd1cef5cc1c58376c44c193b72163ec4.exe
Size

3.4MB
MD5

fd1cef5cc1c58376c44c193b72163ec4
SHA1

a0d0a16dc003b101667e643a9958a8d71e71ac18
SHA256

4ab16b326be00b6647ab0253f498dc286d6881b993cb5f95284c2db101b92c75
SHA512

c5092a433e1681172757cfc387efa22bb9a54be6da1bd75deeb47ace0d147c020aa98d6400b6bf7ad5a99638a7f9638787b5b262ee31423a3d2a58c9559e958c
SSDEEP

24576:wqoti2coq8PhxEY/Syhf9wv8eWrkDVJpL3ynmsSCLlBwSSMJ13t7uWVOT44Iw4Ml:Ct7PBn9Nl2SSZWQ4Mk5+3KTUhn

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 22 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/1332-4-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1332-8-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1332-9-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1332-11-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1332-26-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1332-25-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1332-24-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1332-23-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1332-22-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1332-21-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1332-20-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1332-19-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1332-18-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1332-17-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1332-16-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1332-15-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1332-14-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1332-13-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1332-12-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1332-35-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1332-39-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1332-43-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CricketHelp.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CricketHelp.exe	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1200	4192	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe
4192	fd1cef5cc1c58376c44c193b72163ec4.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 1332	4192	fd1cef5cc1c58376c44c193b72163ec4.exe	93
PID 4192 wrote to memory of 1332	4192	fd1cef5cc1c58376c44c193b72163ec4.exe	93
PID 4192 wrote to memory of 1332	4192	fd1cef5cc1c58376c44c193b72163ec4.exe	93
PID 4192 wrote to memory of 1332	4192	fd1cef5cc1c58376c44c193b72163ec4.exe	93
PID 4192 wrote to memory of 1332	4192	fd1cef5cc1c58376c44c193b72163ec4.exe	93
PID 4192 wrote to memory of 1332	4192	fd1cef5cc1c58376c44c193b72163ec4.exe	93
PID 4192 wrote to memory of 1332	4192	fd1cef5cc1c58376c44c193b72163ec4.exe	93
PID 4192 wrote to memory of 1332	4192	fd1cef5cc1c58376c44c193b72163ec4.exe	93
PID 4192 wrote to memory of 1332	4192	fd1cef5cc1c58376c44c193b72163ec4.exe	93
PID 4192 wrote to memory of 1332	4192	fd1cef5cc1c58376c44c193b72163ec4.exe	93
PID 4192 wrote to memory of 1332	4192	fd1cef5cc1c58376c44c193b72163ec4.exe	93
PID 4192 wrote to memory of 1332	4192	fd1cef5cc1c58376c44c193b72163ec4.exe	93
PID 4192 wrote to memory of 3488	4192	fd1cef5cc1c58376c44c193b72163ec4.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\fd1cef5cc1c58376c44c193b72163ec4.exe
  "C:\Users\Admin\AppData\Local\Temp\fd1cef5cc1c58376c44c193b72163ec4.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\fd1cef5cc1c58376c44c193b72163ec4.exe
    "C:\Users\Admin\AppData\Local\Temp\fd1cef5cc1c58376c44c193b72163ec4.exe"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1064
    3⤵
    - Program crash
    PID:1200

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4192 -ip 4192
1⤵
PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1332-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-4-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-18-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-7-0x0000000077C12000-0x0000000077C13000-memory.dmp

Filesize
4KB

Download
memory/1332-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-9-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-10-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1332-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-24-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-23-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-47-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1332-35-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4192-28-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/4192-27-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/4192-30-0x0000000000400000-0x0000000000776000-memory.dmp

Filesize
3.5MB

Download
memory/4192-34-0x00000000023D0000-0x000000000244B000-memory.dmp

Filesize
492KB

Download
memory/4192-33-0x0000000003250000-0x0000000003519000-memory.dmp

Filesize
2.8MB

Download
memory/4192-32-0x0000000003190000-0x000000000324E000-memory.dmp

Filesize
760KB

Download
memory/4192-31-0x0000000002770000-0x0000000002860000-memory.dmp

Filesize
960KB

Download
memory/4192-29-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/4192-1-0x0000000077C12000-0x0000000077C13000-memory.dmp

Filesize
4KB

Download
memory/4192-0-0x00000000023D0000-0x000000000244B000-memory.dmp

Filesize
492KB

Download
memory/4192-5-0x00000000024C0000-0x0000000002663000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing