parallax | 7220bd358f7a359fba4e076252af1c06eddf175463b32a03aa1d59b199c684de

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a35dda6735102f5aac7876c73f7863a.exe
Size

3.4MB
MD5

9a35dda6735102f5aac7876c73f7863a
SHA1

a3024cae3ab158800dbaa0f1de903ef12270cd83
SHA256

7220bd358f7a359fba4e076252af1c06eddf175463b32a03aa1d59b199c684de
SHA512

d02924c32a3abe9f411fa8247e36af462869618fb36df887c9426d0d21193117f6f91ed374aeeb9b3c6035b0a4c5542b47403355bd0e587d1a76431d522c7d8b
SSDEEP

49152:1wFa6xRMO/S5iS40B1sY4W3vsDPTEPFrHZIR9:8xqO44W3vsDGVHZE

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 20 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/4020-4-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/4020-7-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/4020-8-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/4020-9-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/4020-10-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/4020-11-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/4020-12-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/4020-13-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/4020-14-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/4020-15-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/4020-16-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/4020-17-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/4020-18-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/4020-19-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/4020-20-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/4020-22-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/4020-21-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/4020-23-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/1264-24-0x0000000002710000-0x000000000272B000-memory.dmp	parallax_rat
behavioral2/memory/4020-32-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Blocklisted process makes network request 64 IoCs

flow	pid	Process
6	4020	rundll32.exe
15	4020	rundll32.exe
19	4020	rundll32.exe
21	4020	rundll32.exe
22	4020	rundll32.exe
23	4020	rundll32.exe
25	4020	rundll32.exe
29	4020	rundll32.exe
30	4020	rundll32.exe
31	4020	rundll32.exe
32	4020	rundll32.exe
33	4020	rundll32.exe
36	4020	rundll32.exe
41	4020	rundll32.exe
46	4020	rundll32.exe
47	4020	rundll32.exe
48	4020	rundll32.exe
49	4020	rundll32.exe
52	4020	rundll32.exe
59	4020	rundll32.exe
64	4020	rundll32.exe
66	4020	rundll32.exe
67	4020	rundll32.exe
68	4020	rundll32.exe
69	4020	rundll32.exe
70	4020	rundll32.exe
71	4020	rundll32.exe
74	4020	rundll32.exe
75	4020	rundll32.exe
76	4020	rundll32.exe
77	4020	rundll32.exe
78	4020	rundll32.exe
79	4020	rundll32.exe
80	4020	rundll32.exe
81	4020	rundll32.exe
82	4020	rundll32.exe
83	4020	rundll32.exe
84	4020	rundll32.exe
87	4020	rundll32.exe
89	4020	rundll32.exe
90	4020	rundll32.exe
93	4020	rundll32.exe
94	4020	rundll32.exe
95	4020	rundll32.exe
96	4020	rundll32.exe
97	4020	rundll32.exe
98	4020	rundll32.exe
99	4020	rundll32.exe
100	4020	rundll32.exe
101	4020	rundll32.exe
102	4020	rundll32.exe
103	4020	rundll32.exe
104	4020	rundll32.exe
105	4020	rundll32.exe
108	4020	rundll32.exe
112	4020	rundll32.exe
114	4020	rundll32.exe
115	4020	rundll32.exe
116	4020	rundll32.exe
117	4020	rundll32.exe
118	4020	rundll32.exe
119	4020	rundll32.exe
120	4020	rundll32.exe
121	4020	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4796	1264	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe
1264	9a35dda6735102f5aac7876c73f7863a.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 4020	1264	9a35dda6735102f5aac7876c73f7863a.exe	85
PID 1264 wrote to memory of 4020	1264	9a35dda6735102f5aac7876c73f7863a.exe	85
PID 1264 wrote to memory of 4020	1264	9a35dda6735102f5aac7876c73f7863a.exe	85
PID 1264 wrote to memory of 4020	1264	9a35dda6735102f5aac7876c73f7863a.exe	85
PID 1264 wrote to memory of 4020	1264	9a35dda6735102f5aac7876c73f7863a.exe	85
PID 1264 wrote to memory of 4020	1264	9a35dda6735102f5aac7876c73f7863a.exe	85
PID 1264 wrote to memory of 4020	1264	9a35dda6735102f5aac7876c73f7863a.exe	85
PID 1264 wrote to memory of 4020	1264	9a35dda6735102f5aac7876c73f7863a.exe	85
PID 1264 wrote to memory of 4020	1264	9a35dda6735102f5aac7876c73f7863a.exe	85
PID 1264 wrote to memory of 4020	1264	9a35dda6735102f5aac7876c73f7863a.exe	85
PID 1264 wrote to memory of 4020	1264	9a35dda6735102f5aac7876c73f7863a.exe	85
PID 1264 wrote to memory of 4020	1264	9a35dda6735102f5aac7876c73f7863a.exe	85
PID 1264 wrote to memory of 4020	1264	9a35dda6735102f5aac7876c73f7863a.exe	85
PID 1264 wrote to memory of 4020	1264	9a35dda6735102f5aac7876c73f7863a.exe	85
PID 1264 wrote to memory of 4020	1264	9a35dda6735102f5aac7876c73f7863a.exe	85
PID 1264 wrote to memory of 3596	1264	9a35dda6735102f5aac7876c73f7863a.exe	23

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3596
- C:\Users\Admin\AppData\Local\Temp\9a35dda6735102f5aac7876c73f7863a.exe
  "C:\Users\Admin\AppData\Local\Temp\9a35dda6735102f5aac7876c73f7863a.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Users\Admin\AppData\Local\Temp\9a35dda6735102f5aac7876c73f7863a.exe"
    3⤵
    - Blocklisted process makes network request
    PID:4020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 560
    3⤵
    - Program crash
    PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1264 -ip 1264
1⤵
PID:1348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1264-0-0x0000000000850000-0x00000000008CB000-memory.dmp

Filesize
492KB

Download
memory/1264-1-0x0000000077522000-0x0000000077523000-memory.dmp

Filesize
4KB

Download
memory/1264-2-0x0000000002460000-0x0000000002603000-memory.dmp

Filesize
1.6MB

Download
memory/1264-31-0x0000000000850000-0x00000000008CB000-memory.dmp

Filesize
492KB

Download
memory/1264-30-0x0000000002B90000-0x0000000002E59000-memory.dmp

Filesize
2.8MB

Download
memory/1264-29-0x0000000002A90000-0x0000000002B4E000-memory.dmp

Filesize
760KB

Download
memory/1264-27-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/1264-24-0x0000000002710000-0x000000000272B000-memory.dmp

Filesize
108KB

Download
memory/1264-25-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/1264-26-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/4020-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4020-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4020-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4020-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4020-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4020-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4020-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4020-18-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4020-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4020-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4020-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4020-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4020-23-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4020-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4020-9-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4020-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4020-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4020-6-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/4020-4-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4020-3-0x0000000077522000-0x0000000077523000-memory.dmp

Filesize
4KB

Download
memory/4020-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download