parallax | 1aa55dd42cd313b484eb75a4b5be092bb85e03a87492c41d826f6f694da6c7d8

Analysis

max time kernel
1794s
max time network
1797s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
15/03/2024, 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

servercry.exe
Size

3.1MB
MD5

2d329dbfe6241b54920c60b62ebac68b
SHA1

6949cd11434102e727a8d7b90366b2f8e3bc0294
SHA256

1aa55dd42cd313b484eb75a4b5be092bb85e03a87492c41d826f6f694da6c7d8
SHA512

2a00f009d8273dd9bb90c3b6a4fc6a584a1094cb7ea0b2716a5523bdd10c60c31174ced87522b17521ef8faef73b5cc2311e499e03cbdc382a2034c5b8529af8
SSDEEP

49152:Ixm7FAEjpcMiuFOWaMXjZSK7C6jMrqITCYLVpoMeWTCULvufO2RrNJlXoC:VFAEjpcMXMrq0fLVpoMaCvu9RrTlXo

Score

10^/10

parallax persistence rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 36 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/4104-5-0x0000000003600000-0x000000000362C000-memory.dmp	parallax_rat
behavioral1/memory/4104-8-0x0000000003600000-0x000000000362C000-memory.dmp	parallax_rat
behavioral1/memory/4104-9-0x0000000003600000-0x000000000362C000-memory.dmp	parallax_rat
behavioral1/memory/4104-11-0x0000000003600000-0x000000000362C000-memory.dmp	parallax_rat
behavioral1/memory/4104-10-0x0000000003600000-0x000000000362C000-memory.dmp	parallax_rat
behavioral1/memory/4104-13-0x0000000003600000-0x000000000362C000-memory.dmp	parallax_rat
behavioral1/memory/4104-14-0x0000000003600000-0x000000000362C000-memory.dmp	parallax_rat
behavioral1/memory/4104-15-0x0000000003600000-0x000000000362C000-memory.dmp	parallax_rat
behavioral1/memory/4104-18-0x0000000003600000-0x000000000362C000-memory.dmp	parallax_rat
behavioral1/memory/4104-16-0x0000000003600000-0x000000000362C000-memory.dmp	parallax_rat
behavioral1/memory/4104-19-0x0000000003600000-0x000000000362C000-memory.dmp	parallax_rat
behavioral1/memory/4104-20-0x0000000003600000-0x000000000362C000-memory.dmp	parallax_rat
behavioral1/memory/4104-21-0x0000000003600000-0x000000000362C000-memory.dmp	parallax_rat
behavioral1/memory/4104-22-0x0000000003600000-0x000000000362C000-memory.dmp	parallax_rat
behavioral1/memory/4104-23-0x0000000003600000-0x000000000362C000-memory.dmp	parallax_rat
behavioral1/memory/4104-24-0x0000000003600000-0x000000000362C000-memory.dmp	parallax_rat
behavioral1/memory/4104-25-0x0000000003600000-0x000000000362C000-memory.dmp	parallax_rat
behavioral1/memory/2876-28-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral1/memory/2876-29-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral1/memory/4104-30-0x0000000003600000-0x000000000362C000-memory.dmp	parallax_rat
behavioral1/memory/2876-47-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral1/memory/2876-46-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral1/memory/2876-50-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral1/memory/2876-52-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral1/memory/2876-53-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral1/memory/2876-54-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral1/memory/2876-56-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral1/memory/2876-55-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral1/memory/2876-57-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral1/memory/2876-58-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral1/memory/2876-59-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral1/memory/2876-60-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral1/memory/2876-61-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral1/memory/2876-62-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral1/memory/2876-63-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral1/memory/2876-69-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tsecure.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tsecure.exe	DllHost.exe

Executes dropped EXE 1 IoCs

pid	Process
2876	TRX.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Trend = "C:\\Users\\Admin\\AppData\\Roaming\\TrendMicro\\TRX.exe"	TRX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
4104	servercry.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe
2876	TRX.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4104	servercry.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2876	TRX.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 2876	4104	servercry.exe	81
PID 4104 wrote to memory of 2876	4104	servercry.exe	81
PID 4104 wrote to memory of 2876	4104	servercry.exe	81

C:\Users\Admin\AppData\Local\Temp\servercry.exe
"C:\Users\Admin\AppData\Local\Temp\servercry.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Users\Admin\AppData\Roaming\TrendMicro\TRX.exe
  "C:\Users\Admin\AppData\Roaming\TrendMicro\TRX.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: SetClipboardViewer
  PID:2876

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\TrendMicro\TRX.exe

Filesize
3.1MB

MD5
2d329dbfe6241b54920c60b62ebac68b

SHA1
6949cd11434102e727a8d7b90366b2f8e3bc0294

SHA256
1aa55dd42cd313b484eb75a4b5be092bb85e03a87492c41d826f6f694da6c7d8

SHA512
2a00f009d8273dd9bb90c3b6a4fc6a584a1094cb7ea0b2716a5523bdd10c60c31174ced87522b17521ef8faef73b5cc2311e499e03cbdc382a2034c5b8529af8

Download Submit
memory/2876-59-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/2876-57-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/2876-64-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/2876-69-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/2876-63-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/2876-62-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/2876-12-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/2876-61-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/2876-60-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/2876-55-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/2876-66-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/2876-58-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/2876-28-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/2876-17-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/2876-56-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/2876-54-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/2876-53-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/2876-52-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/2876-50-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/2876-46-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/2876-47-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/2876-29-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/4104-14-0x0000000003600000-0x000000000362C000-memory.dmp

Filesize
176KB

Download
memory/4104-25-0x0000000003600000-0x000000000362C000-memory.dmp

Filesize
176KB

Download
memory/4104-30-0x0000000003600000-0x000000000362C000-memory.dmp

Filesize
176KB

Download
memory/4104-24-0x0000000003600000-0x000000000362C000-memory.dmp

Filesize
176KB

Download
memory/4104-48-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/4104-23-0x0000000003600000-0x000000000362C000-memory.dmp

Filesize
176KB

Download
memory/4104-22-0x0000000003600000-0x000000000362C000-memory.dmp

Filesize
176KB

Download
memory/4104-21-0x0000000003600000-0x000000000362C000-memory.dmp

Filesize
176KB

Download
memory/4104-51-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/4104-20-0x0000000003600000-0x000000000362C000-memory.dmp

Filesize
176KB

Download
memory/4104-19-0x0000000003600000-0x000000000362C000-memory.dmp

Filesize
176KB

Download
memory/4104-16-0x0000000003600000-0x000000000362C000-memory.dmp

Filesize
176KB

Download
memory/4104-18-0x0000000003600000-0x000000000362C000-memory.dmp

Filesize
176KB

Download
memory/4104-15-0x0000000003600000-0x000000000362C000-memory.dmp

Filesize
176KB

Download
memory/4104-0-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/4104-13-0x0000000003600000-0x000000000362C000-memory.dmp

Filesize
176KB

Download
memory/4104-10-0x0000000003600000-0x000000000362C000-memory.dmp

Filesize
176KB

Download
memory/4104-11-0x0000000003600000-0x000000000362C000-memory.dmp

Filesize
176KB

Download
memory/4104-9-0x0000000003600000-0x000000000362C000-memory.dmp

Filesize
176KB

Download
memory/4104-8-0x0000000003600000-0x000000000362C000-memory.dmp

Filesize
176KB

Download
memory/4104-5-0x0000000003600000-0x000000000362C000-memory.dmp

Filesize
176KB

Download
memory/4104-2-0x0000000077174000-0x0000000077175000-memory.dmp

Filesize
4KB

Download
memory/4104-1-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download