Analysis

Max time kernel: 151s
Max time network: 152s
Platform: windows7_x64
Resource: win7v20210410
Submitted: 21-07-2021 12:57

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: parallax.exe.dll
Resource: win7v20210410 (windows7_x64)
0 signatures, 0 seconds
General

Target: parallax.exe.dll
Size: 37KB
MD5: 4a7bed74f3cf9646b8417195b5e6f4c6
SHA1: 5fad487e6e1beb22f20abb653343a0dca8c73b1d
SHA256: 353960d78bf700a0b4a0ea1d41df188f0cc0a3c5a178b73ac64aca01ee3fdb4d
SHA512: 349a8c5723e0aaf25d743490deea913e5da439394d135e7a9691ffc5618d4bdc3220f06def639a4d611f94c77729471fa6b8c6eac600ba2495db95a95784d8e4
Malware Config

Extracted
Family: systembc
C2: 149.248.34.200:4001
Signatures

Blocklisted process makes network request (64 IoCs)
Process: rundll32.exe, PID 1040
Network flows: 4, 5, 8-46, 48-61 and 63-71 (all from PID 1040)

Looks up external IP address via web service (7 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
IoC: api.ipify.org, in flows 7, 8, 23, 47, 48, 62 and 63

Uses Tor communications (1 TTP)
Malware can proxy its traffic through Tor for more anonymity.
No IoC is attached to this signature in the report; the only C2 recovered from the extracted configuration is the plain IP:port endpoint 149.248.34.200:4001 listed above.

Suspicious use of WriteProcessMemory (7 IoCs)
Process: rundll32.exe (PID 788) wrote to the memory of rundll32.exe (PID 1040), seven times (description: "PID 788 wrote to memory of 1040", source process rundll32.exe, target process rundll32.exe).
Processes

C:\Windows\system32\rundll32.exe (PID 788)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\parallax.exe.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe (PID 1040)
       Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\parallax.exe.dll,#1
       Signatures: Blocklisted process makes network request

The two command lines are identical: the DLL is invoked by export ordinal (#1) rather than by name, and the 64-bit rundll32.exe from system32 re-launches the 32-bit rundll32.exe from SysWOW64, which is what rundll32 does on 64-bit Windows when the DLL it is asked to load is 32-bit. The seven WriteProcessMemory calls from PID 788 into PID 1040 are consistent with the parent creating that child; all of the network activity in this report, including the C2 connection and the api.ipify.org lookups, is attributed to the 32-bit child (PID 1040). For detection, the useful combination is rundll32.exe spawned by rundll32.exe with a DLL loaded by ordinal from a user's Temp directory, followed by an external IP lookup and an outbound connection to an IP:port on a non-standard port.
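The behaviours above can be turned into host-based detections. The following is an added example, not part of the sandbox report or of any vendor tooling: it takes the indicator values listed in this report (the file hashes, the C2 endpoint, the IP-lookup domain and the rundll32 command line pattern) and matches them against endpoint event records. The event records, their field names (modelled on Sysmon Event IDs 1, 3, 7, 10 and 22 exported as JSON) and the rule names are constructed for this example and are assumptions, not data from the report.

```python
"""Match this report's indicators against Sysmon-style event records.

Added example, not part of the sandbox report. Indicator values are the ones
listed in the report; the event records, field names and rule names below are
constructed for this example.
"""
import re

# Indicators copied from the report.
C2_IP, C2_PORT = "149.248.34.200", 4001
IP_LOOKUP_DOMAINS = {"api.ipify.org"}
SAMPLE_HASHES = {  # algorithm -> lowercase hex digest of parallax.exe.dll
    "md5": "4a7bed74f3cf9646b8417195b5e6f4c6",
    "sha1": "5fad487e6e1beb22f20abb653343a0dca8c73b1d",
    "sha256": "353960d78bf700a0b4a0ea1d41df188f0cc0a3c5a178b73ac64aca01ee3fdb4d",
}
# rundll32 loading a DLL out of a user's Temp directory by ordinal (",#1" in the report).
TEMP_DLL_BY_ORDINAL = re.compile(
    r"rundll32\.exe\s+\S*\\AppData\\Local\\Temp\\[^\s,]+,#\d+\b", re.IGNORECASE)
PROCESS_VM_WRITE = 0x0020  # access right a process needs before WriteProcessMemory succeeds


def _is(image, name):
    """True if an image path ends in the given executable name."""
    return image.lower().endswith("\\" + name)


def match_event(ev):
    """Return the list of rule names an event triggers (empty if nothing matched)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        if _is(ev["Image"], "rundll32.exe"):
            if TEMP_DLL_BY_ORDINAL.search(ev.get("CommandLine", "")):
                hits.append("rundll32_temp_dll_by_ordinal")
            if _is(ev.get("ParentImage", ""), "rundll32.exe"):
                hits.append("rundll32_spawns_rundll32")
    elif eid == 7:  # image load; Hashes here describes the loaded DLL, not the process image
        for part in ev.get("Hashes", "").split(","):
            algo, _, digest = part.partition("=")
            if SAMPLE_HASHES.get(algo.lower()) == digest.lower():
                hits.append("known_sample_hash_" + algo.lower())
    elif eid == 3:  # network connection
        if ev.get("DestinationIp") == C2_IP and int(ev.get("DestinationPort", 0)) == C2_PORT:
            hits.append("systembc_c2_connect")
    elif eid == 22:  # DNS query
        if ev.get("QueryName", "").lower() in IP_LOOKUP_DOMAINS:
            hits.append("external_ip_lookup")
    elif eid == 10:  # process access (OpenProcess); GrantedAccess is a hex access mask
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        if (_is(ev["SourceImage"], "rundll32.exe") and _is(ev["TargetImage"], "rundll32.exe")
                and granted & PROCESS_VM_WRITE):
            hits.append("rundll32_writes_rundll32")
    return hits


def scan(events):
    """Map each triggered rule to the set of process IDs it fired for."""
    findings = {}
    for ev in events:
        pid = ev.get("SourceProcessId", ev.get("ProcessId"))
        for rule in match_event(ev):
            findings.setdefault(rule, set()).add(pid)
    return findings


# Constructed sample events reproducing the report's process chain, plus two benign ones.
CMD = r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\parallax.exe.dll,#1"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 788, "Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": CMD, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 1040, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": CMD, "ParentImage": r"C:\Windows\system32\rundll32.exe"},
    {"EventID": 10, "SourceProcessId": 788, "TargetProcessId": 1040,
     "SourceImage": r"C:\Windows\system32\rundll32.exe",
     "TargetImage": r"C:\Windows\SysWOW64\rundll32.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 7, "ProcessId": 1040,
     "ImageLoaded": r"C:\Users\Admin\AppData\Local\Temp\parallax.exe.dll",
     "Hashes": "MD5=4A7BED74F3CF9646B8417195B5E6F4C6,"
               "SHA256=353960D78BF700A0B4A0EA1D41DF188F0CC0A3C5A178B73AC64ACA01EE3FDB4D"},
    {"EventID": 22, "ProcessId": 1040, "QueryName": "api.ipify.org"},
    {"EventID": 3, "ProcessId": 1040, "DestinationIp": "149.248.34.200", "DestinationPort": 4001},
    # Benign: a Control Panel applet started via rundll32 from explorer, and an HTTPS connection.
    {"EventID": 1, "ProcessId": 2100, "Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessId": 900, "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, pids in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{rule}: pids {sorted(pids)}")
```

The hash rule keys on the image-load event rather than the process-creation event because the hashes in this report belong to the DLL, not to rundll32.exe itself. The process-access rule only approximates the sandbox's WriteProcessMemory signature: an OpenProcess with PROCESS_VM_WRITE does not prove a write happened, so it is best treated as a supporting signal next to the parent-child and command-line rules rather than an alert on its own.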