parallax | hxxps://github[.]com/yuankong666/Ultimate-RAT-Collection/raw/main/ParallaxRat/Parallax%20v1[.]0[.]7[.]7z

Analysis

max time kernel
149s
max time network
153s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
07/02/2024, 05:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/yuankong666/Ultimate-RAT-Collection/raw/main/ParallaxRat/Parallax%20v1.0.7.7z

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 3 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/3436-130-0x00000000000F0000-0x0000000000DCA000-memory.dmp	parallax_rat
behavioral1/memory/3436-137-0x00000000000F0000-0x0000000000DCA000-memory.dmp	parallax_rat
behavioral1/memory/3436-140-0x00000000000F0000-0x0000000000DCA000-memory.dmp	parallax_rat

Executes dropped EXE 1 IoCs

pid	Process
3436	Parallax Launcher.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
11	raw.githubusercontent.com
12	raw.githubusercontent.com
13	raw.githubusercontent.com

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000003c6ff6350e4183218ed7113c01f0f68fc41205b8826652693b37f3da1161a6af840f3c4635801d500eba816628274e42ea3a9d3a5db0808f0741af28	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{07F78B7C-6E0D-4B05-AB9E-EA4DC741CF = "8320"	browser_broker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 71be221d8359da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{07F78B7C-6E0D-4B05-AB9E-EA4DC741CF = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000000d95941b8359da010d95941b8359da01f6cc0b1c8359da013bdf62010000000001000000000000000000000000000000a70314001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800b0003100000000000000000010004d6963726f736f66742e4d6963726f736f6674456467655f3877656b796233643862627765007c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e004d006900630072006f0073006f006600740045006400670065005f003800770065006b00790062003300640038006200620077006500000034005c0031000000000000000000100054656d70537461746500440009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000540065006d00700053007400610074006500000018005c00310000000000000000001000446f776e6c6f61647300440009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000044006f0077006e006c006f0061006400730000001800700032003bdf620147588b282000504152414c4c7e312e375a00560009000400efbe47588a2847588a282e000000000000000000000000000000000000000000000000000ac2c60050006100720061006c006c00610078002000760031002e0030002e0037002e0037007a0000001a000000a80000001c000000010000001c0000003400000000000000a70000001800000003000000bc6f87b91000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e4d6963726f736f6674456467655f3877656b7962336438626277655c54656d7053746174655c446f776e6c6f6164735c506172616c6c61782076312e302e372e377a000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000716e6776757a6f6d000000000000000048c30430fc476a438f0577fabcafcafacfbb5bb6349bee11810e428aa39c5a1048c30430fc476a438f0577fabcafcafacfbb5bb6349bee11810e428aa39c5a10d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003100390036003600360031003400310030002d0031003800380038003400340030003700390037002d0032003300300034003900360035003000310033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000003eb2bce8000000000000d01200000000000000000000000000000000	browser_broker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 5e62da178359da01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{07F78B7C-6E0D-4B05-AB9E-EA4DC741CF	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{07F78B7C-6E0D-4B05-AB9E-EA4DC741CF = 1afff11c8359da01	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{FAC96D47-8D84-4DD0-B899-FF7B51542422} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "413444146"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 97bdce328359da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{07F78B7C-6E0D-4B05-AB9E-EA4DC741CF = "0"	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\Parallax v1.0.7.7z.4vd2had.partial:Zone.Identifier	browser_broker.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO47BE21D7\Parallax Launcher.exe:Zone.Identifier	7zFM.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3436	Parallax Launcher.exe
3436	Parallax Launcher.exe
3436	Parallax Launcher.exe
3436	Parallax Launcher.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2932	7zFM.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
760	MicrosoftEdgeCP.exe
760	MicrosoftEdgeCP.exe
760	MicrosoftEdgeCP.exe
760	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3332	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3332	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3332	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3332	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2644	MicrosoftEdge.exe
Token: SeDebugPrivilege	2644	MicrosoftEdge.exe
Token: SeRestorePrivilege	2932	7zFM.exe
Token: 35	2932	7zFM.exe
Token: SeDebugPrivilege	2140	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2140	MicrosoftEdgeCP.exe
Token: SeSecurityPrivilege	2932	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2932	7zFM.exe
2932	7zFM.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2644	MicrosoftEdge.exe
760	MicrosoftEdgeCP.exe
3332	MicrosoftEdgeCP.exe
760	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 2836	760	MicrosoftEdgeCP.exe	33
PID 760 wrote to memory of 2836	760	MicrosoftEdgeCP.exe	33
PID 760 wrote to memory of 2836	760	MicrosoftEdgeCP.exe	33
PID 760 wrote to memory of 1420	760	MicrosoftEdgeCP.exe	77
PID 760 wrote to memory of 1420	760	MicrosoftEdgeCP.exe	77
PID 760 wrote to memory of 1420	760	MicrosoftEdgeCP.exe	77
PID 2932 wrote to memory of 3436	2932	7zFM.exe	82
PID 2932 wrote to memory of 3436	2932	7zFM.exe	82
PID 2932 wrote to memory of 3436	2932	7zFM.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://github.com/yuankong666/Ultimate-RAT-Collection/raw/main/ParallaxRat/Parallax%20v1.0.7.7z"
1⤵
PID:812

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2644

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
PID:168

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3332

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2836

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1420

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\Parallax v1.0.7.7z"
1⤵
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\7zO47BE21D7\Parallax Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO47BE21D7\Parallax Launcher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3436

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W91E2TXQ\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\NIBIQVXF\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\Parallax v1.0.7.7z

Filesize
68KB

MD5
8fc562d36e7e7d57d2c2d0b7c6268887

SHA1
ae54a1e539c0b514d4a555eb93e49acdd0de080e

SHA256
c8caf8a7ea9778d0ff98b8fc76105b9bf9f6dd51d376e48292bbc06d92251f65

SHA512
7605bc4cf87825e28e7da1aa1a57910d5255cd400c0441da89317e961683e0772d074e69940488104654888db4fe5ba60f1b5b2d82d4dafea6dbe2fccd46ff99

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\Parallax v1.0.7.7z

Filesize
90KB

MD5
694b26daaef2c99daf93c99a0c271116

SHA1
98505a911d67b2d4bc83d06b24e3d08ad0f2c4d1

SHA256
9c8ffd1c2ed8d889ef03da3c3a311d935ff2b6d607825c560c4f73b67e9c282a

SHA512
bccb763d70caf2b23364cbf27fea2fa49e4121b77ad331358f6f364605d90fa9eef7f4c4878646f6c608e59e5e9bca01cfec48a51614d9f5ac165041a9305850

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\Parallax v1.0.7.7z.4vd2had.partial

Filesize
428KB

MD5
f4e2fc1c7aa7981a4cb666809f59ec17

SHA1
bc89fc6f3b3ab5b79c2c42586e0fd9e42d5ff45e

SHA256
a10a1706783f31fba576d327958d79693b957f7eef555c79398ea5ae8145dc7d

SHA512
455932f0fcd6e5a7c1ae8f09a5501e26e14128b8dec79daea00ad77ed2bc5cb2f724a9489cc1e3949ce84e283ecacedfb7d5c108ac67523c5cec430892e66af3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EAARFAI7\Parallax%20v1.0.7[1].7z

Filesize
441KB

MD5
c849521964426fd6a8987f684270797f

SHA1
92633f6d5920284c6fb879433388cfff560a361f

SHA256
021bdd16298971fb3b2b40c1badf88e0ff7663fc40f541a6ed2dc4ac2081c8f2

SHA512
a445274c05efa815b8cd6dda02594aebf57f625ff4581a6158a2066ade2a2158df8d1757a21e666731316fe0f2a48736d5d089e9589af647c88df6ae57ee15a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO47BE21D7\Parallax Launcher.exe

Filesize
1.9MB

MD5
9de5aeb5d17b1587761abc0d46eb5851

SHA1
91c00d583e7cfbbc4cb265ec7b5fcba181441842

SHA256
b2d9c966b140c8216a8e9f6300c28d36f70e1a93e24a7319a18f42e982588356

SHA512
d14447103ce5fda3c0d5187ebe0282015aff2d806a07e0db4a1d40e988b53730ad4bf1a6e715d44efeba0ac3878e2d8bcd285c304ab30a98248c677117dcc7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO47BE21D7\Parallax Launcher.exe

Filesize
2.4MB

MD5
b644085a31537f3fc3fb4ce615c54f36

SHA1
c24842beac193dc007c45376a1b096e71b8f491f

SHA256
e9756b60719855cafc3878e9f6f328b5904464093a9135389f802cfb14b1dcfd

SHA512
7c73f7cb6f3155576f454dbc4e4347d8f7388843ed2d83ac3bcda6ee241b425ece9eb931a1cd6f8139dab694b0b9e0b46f58b4c6bde4969aee8331bdf18ffd19

Download Submit
memory/2644-71-0x00000271F44D0000-0x00000271F44D1000-memory.dmp

Filesize
4KB

Download
memory/2644-0-0x00000271EDE20000-0x00000271EDE30000-memory.dmp

Filesize
64KB

Download
memory/2644-73-0x00000271F44E0000-0x00000271F44E1000-memory.dmp

Filesize
4KB

Download
memory/2644-35-0x00000271EE1A0000-0x00000271EE1A2000-memory.dmp

Filesize
8KB

Download
memory/2644-16-0x00000271EE700000-0x00000271EE710000-memory.dmp

Filesize
64KB

Download
memory/2836-70-0x0000017BB9340000-0x0000017BB9342000-memory.dmp

Filesize
8KB

Download
memory/2836-68-0x0000017BB9280000-0x0000017BB9282000-memory.dmp

Filesize
8KB

Download
memory/2836-65-0x0000017BB9250000-0x0000017BB9252000-memory.dmp

Filesize
8KB

Download
memory/3436-128-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/3436-129-0x0000000003030000-0x0000000003031000-memory.dmp

Filesize
4KB

Download
memory/3436-134-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3436-133-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/3436-132-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download
memory/3436-131-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/3436-130-0x00000000000F0000-0x0000000000DCA000-memory.dmp

Filesize
12.9MB

Download
memory/3436-135-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/3436-137-0x00000000000F0000-0x0000000000DCA000-memory.dmp

Filesize
12.9MB

Download
memory/3436-140-0x00000000000F0000-0x0000000000DCA000-memory.dmp

Filesize
12.9MB

Download