parallax | eaf13f18a618c5549e6e7bb31f5266696a479629eb4071a6c5e0a53875a6f23a

General

Target

1f28f2fc01466d9ffe441c4298c7f619.exe
Size

197KB
MD5

1f28f2fc01466d9ffe441c4298c7f619
SHA1

fb442db1800bc37869301d88f17c87721851faa9
SHA256

eaf13f18a618c5549e6e7bb31f5266696a479629eb4071a6c5e0a53875a6f23a
SHA512

7e9614ee134c2840c0c5281f823afee873940ce2c6dd6c28205c635a5af5200ed9e6fa4572c2975751e213c519ea16416776b943b3538ebf835bd1ee7e2c27bb
SSDEEP

6144:kDJO1gSkiLDQ7yfVhjTUDLjdPs4MDFR7r2ckixuCkUdXi:Cu47+5UvZq9yOXS

Score

10^/10

parallax persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	winlogon.exe

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 24 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/2808-32-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-29-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-40-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-26-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-41-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-23-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-20-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-48-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-52-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-57-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-56-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-55-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-54-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-53-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-51-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-50-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-49-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-47-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-46-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-45-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-44-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-43-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-42-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2808-58-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Executes dropped EXE 2 IoCs

pid	Process
2360	winlogon.exe
2808	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
2512	1f28f2fc01466d9ffe441c4298c7f619.exe
2512	1f28f2fc01466d9ffe441c4298c7f619.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2360 set thread context of 2808	2360	winlogon.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2360	2512	1f28f2fc01466d9ffe441c4298c7f619.exe	29
PID 2512 wrote to memory of 2360	2512	1f28f2fc01466d9ffe441c4298c7f619.exe	29
PID 2512 wrote to memory of 2360	2512	1f28f2fc01466d9ffe441c4298c7f619.exe	29
PID 2512 wrote to memory of 2360	2512	1f28f2fc01466d9ffe441c4298c7f619.exe	29
PID 2360 wrote to memory of 2808	2360	winlogon.exe	28
PID 2360 wrote to memory of 2808	2360	winlogon.exe	28
PID 2360 wrote to memory of 2808	2360	winlogon.exe	28
PID 2360 wrote to memory of 2808	2360	winlogon.exe	28
PID 2360 wrote to memory of 2808	2360	winlogon.exe	28
PID 2360 wrote to memory of 2808	2360	winlogon.exe	28
PID 2360 wrote to memory of 2808	2360	winlogon.exe	28
PID 2360 wrote to memory of 2808	2360	winlogon.exe	28
PID 2360 wrote to memory of 2808	2360	winlogon.exe	28
PID 2360 wrote to memory of 2808	2360	winlogon.exe	28
PID 2360 wrote to memory of 2808	2360	winlogon.exe	28

C:\Users\Admin\AppData\Local\Temp\1f28f2fc01466d9ffe441c4298c7f619.exe
"C:\Users\Admin\AppData\Local\Temp\1f28f2fc01466d9ffe441c4298c7f619.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Roaming\winlogon.exe
  "C:\Users\Admin\AppData\Roaming\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2360

C:\Users\Admin\AppData\Roaming\winlogon.exe
"C:\Users\Admin\AppData\Roaming\winlogon.exe"
1⤵
- Executes dropped EXE
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\winlogon.exe

Filesize
197KB

MD5
1f28f2fc01466d9ffe441c4298c7f619

SHA1
fb442db1800bc37869301d88f17c87721851faa9

SHA256
eaf13f18a618c5549e6e7bb31f5266696a479629eb4071a6c5e0a53875a6f23a

SHA512
7e9614ee134c2840c0c5281f823afee873940ce2c6dd6c28205c635a5af5200ed9e6fa4572c2975751e213c519ea16416776b943b3538ebf835bd1ee7e2c27bb

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe

Filesize
150KB

MD5
54601eb9d5f336dd1c7bfc51299e14de

SHA1
48f1e801ac90b677b5d7e83e1671230bb21e99db

SHA256
9b19ccc6fb647e0ed5459efca340a78a672bdd4f5cc0e4acefc816d18fb30f17

SHA512
e5b7cafa72a4d3e2b36e8ee3997ca9c35bb9e9aae8bd72db265f468196772862736f58ab56d7753e9c6702b91dc64fbbf2cd64979978a7be28e0f3593b8d07b0

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe

Filesize
88KB

MD5
dcf1385f88f58f9b64cccb7fe05cdd87

SHA1
20a56167b37b9b1f63fca08fea7242c7fd630c64

SHA256
eb3092449323e6a23adaa6c693f7e240c2930a1eda1e263e3c05f62b68a9f7a5

SHA512
26d776404b3ed324ed57dda04aaa12ac5b657348683100d40060da8d0b7281f4b1103c70b417ebc2d36ca7e46b7bf6333f87ce7dc2ee8b3b46e539b46dfcd450

Download Submit
memory/2360-14-0x0000000074DB0000-0x000000007535B000-memory.dmp

Filesize
5.7MB

Download
memory/2360-15-0x0000000074DB0000-0x000000007535B000-memory.dmp

Filesize
5.7MB

Download
memory/2360-38-0x0000000074DB0000-0x000000007535B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-0-0x0000000074DB0000-0x000000007535B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-2-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/2512-1-0x0000000074DB0000-0x000000007535B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-13-0x0000000074DB0000-0x000000007535B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-18-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-40-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-23-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2808-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-52-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-54-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-53-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-47-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-46-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-45-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-58-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads