parallax | 25278afd06741152d66e766f97fee1d91126fbb715fa4f860c28dda6ce10d58d

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2024 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c38fc80c0bb5215c09ed3eece6622e0.exe
Size

3.5MB
MD5

5c38fc80c0bb5215c09ed3eece6622e0
SHA1

1a8441b7dee494b3ca9ec2e53ae19056f1b43802
SHA256

25278afd06741152d66e766f97fee1d91126fbb715fa4f860c28dda6ce10d58d
SHA512

c0c0b6fea3a41ea8497be4b11217fad1144d76f1db3a8c432d01b96043d173a87235cd722b05f08fed8a2735a6404d3856654cf2ef94ce39659629bbfd4243d6
SSDEEP

49152:X53B8SL+xExPDiS4J0T3h2cosQsKT9vl/KPD:74JoREsTC/gD

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 19 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/3720-18-0x0000000004940000-0x0000000004972000-memory.dmp	parallax_rat
behavioral2/memory/212-24-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/212-25-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/212-27-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/212-26-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/212-40-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/212-39-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/212-38-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/212-37-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/212-36-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/212-35-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/212-34-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/212-33-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/212-32-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/212-31-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/212-30-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/212-29-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/212-28-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/212-41-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\cccleaner.job	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
5028	5c38fc80c0bb5215c09ed3eece6622e0.exe
3720	extrac32.exe
3720	extrac32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3720	extrac32.exe
3720	extrac32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5028	5c38fc80c0bb5215c09ed3eece6622e0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89
PID 5028 wrote to memory of 3720	5028	5c38fc80c0bb5215c09ed3eece6622e0.exe	89

C:\Users\Admin\AppData\Local\Temp\5c38fc80c0bb5215c09ed3eece6622e0.exe
"C:\Users\Admin\AppData\Local\Temp\5c38fc80c0bb5215c09ed3eece6622e0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\SysWOW64\extrac32.exe
  "C:\Windows\system32\extrac32.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:3308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Drops file in Windows directory
    PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/212-34-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-19-0x0000000000FB0000-0x0000000000FB8000-memory.dmp

Filesize
32KB

Download
memory/212-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-40-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-28-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-36-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-27-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-35-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-24-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-38-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-37-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3720-18-0x0000000004940000-0x0000000004972000-memory.dmp

Filesize
200KB

Download
memory/3720-2-0x0000000077784000-0x0000000077785000-memory.dmp

Filesize
4KB

Download
memory/3720-20-0x0000000004940000-0x0000000004972000-memory.dmp

Filesize
200KB

Download
memory/3720-17-0x0000000002E50000-0x0000000002E58000-memory.dmp

Filesize
32KB

Download
memory/3720-3-0x0000000000920000-0x0000000000922000-memory.dmp

Filesize
8KB

Download
memory/5028-4-0x0000000000400000-0x00000000007A6000-memory.dmp

Filesize
3.6MB

Download
memory/5028-0-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/5028-1-0x0000000004170000-0x000000000417A000-memory.dmp

Filesize
40KB

Download
memory/5028-13-0x0000000004170000-0x000000000417A000-memory.dmp

Filesize
40KB

Download
memory/5028-5-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download