Analysis
- max time kernel: 128s
- max time network: 153s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 21-07-2021 12:57

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample parallax.exe.dll, resource win7v20210410, windows7_x64, 0 signatures, 0 seconds)
General
- Target: parallax.exe.dll
- Size: 37KB
- MD5: 4a7bed74f3cf9646b8417195b5e6f4c6
- SHA1: 5fad487e6e1beb22f20abb653343a0dca8c73b1d
- SHA256: 353960d78bf700a0b4a0ea1d41df188f0cc0a3c5a178b73ac64aca01ee3fdb4d
- SHA512: 349a8c5723e0aaf25d743490deea913e5da439394d135e7a9691ffc5618d4bdc3220f06def639a4d611f94c77729471fa6b8c6eac600ba2495db95a95784d8e4
Malware Config
Extracted
- Family: systembc
- C2: 149.248.34.200:4001
Signatures
- Blocklisted process makes network request (58 IoCs)
  Processes (flow / pid / process):
  flows 15, 16, 18-31, 33-47, 49-75 / 2332 / rundll32.exe
- Looks up external IP address via web service (7 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  IoCs (flow / ioc):
  flows 17, 18, 32, 33, 48, 49, 64 / api.ipify.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity. No IoC is listed for this TTP in the report.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
  PID 3968 wrote to memory of 2332 / 3968 / rundll32.exe / rundll32.exe (3 occurrences)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\parallax.exe.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\parallax.exe.dll,#1
    - Blocklisted process makes network request

The `,#1` argument makes rundll32 call the DLL's export with ordinal 1. The 64-bit rundll32 in system32 re-launches the SysWOW64 copy when it is handed a 32-bit DLL, which matches this tree: the child (PID 2332 in the signature tables) is the process that actually runs the payload, resolves api.ipify.org and connects to 149.248.34.200:4001, while the three WriteProcessMemory events from 3968 into 2332 are that parent/child launch rather than injection into an unrelated process. When hunting, key on the SysWOW64 child and its network activity, not on the first rundll32 instance.
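As an added example, not part of the sandbox report and not the sandbox's own detection engine, the following Python script re-derives the signatures above (blocklisted process making network requests, external IP lookup, WriteProcessMemory, a Tor heuristic) plus a C2 match against the extracted config, over a constructed event list that mirrors this report's process IDs, DNS lookup and C2 endpoint. It also pairs the system32/SysWOW64 rundll32 processes from the tree to explain the WriteProcessMemory hits. The flat event format, the blocklist and IP-lookup host sets, and the Tor default-port heuristic are assumptions made for the example.

```python
"""Re-derive sandbox-style behavioral signatures from process/network events.

Added example; the event layout and rule sets are assumptions, not the
sandbox's own. SAMPLE_EVENTS is constructed to mirror the report above.
"""
from collections import defaultdict
from ipaddress import ip_address

# Living-off-the-land binaries that have no business opening their own sockets.
NETWORK_BLOCKLIST = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}
# Public "what is my IP" services used by bots to learn the victim's egress address.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.amazonaws.com", "icanhazip.com"}
# Default Tor ORPort/DirPort; a weak heuristic only, real Tor use needs flow analysis.
TOR_DEFAULT_PORTS = {9001, 9030}

# From the report's "Malware Config" section.
EXTRACTED_CONFIG = {"family": "systembc", "c2": {("149.248.34.200", 4001)}}

DLL_CMDLINE = r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\parallax.exe.dll,#1"

# Constructed events (assumed flat format): pids, DNS name and C2 match the report.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 3968, "ppid": 1200,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": DLL_CMDLINE},
    {"type": "wpm", "pid": 3968, "target_pid": 2332, "image": "rundll32.exe"},
    {"type": "wpm", "pid": 3968, "target_pid": 2332, "image": "rundll32.exe"},
    {"type": "wpm", "pid": 3968, "target_pid": 2332, "image": "rundll32.exe"},
    {"type": "process", "pid": 2332, "ppid": 3968,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": DLL_CMDLINE},
    {"type": "dns", "pid": 2332, "image": "rundll32.exe", "host": "api.ipify.org"},
    {"type": "net", "pid": 2332, "image": "rundll32.exe", "dst": "149.248.34.200", "dport": 4001},
    {"type": "net", "pid": 2332, "image": "rundll32.exe", "dst": "149.248.34.200", "dport": 4001},
    # Private destination: SMB to a lab host, not an external request.
    {"type": "net", "pid": 2332, "image": "rundll32.exe", "dst": "10.0.0.5", "dport": 445},
    # Non-blocklisted process on an unrelated port: must not fire anything.
    {"type": "net", "pid": 4000, "image": r"C:\Windows\system32\svchost.exe",
     "dst": "203.0.113.7", "dport": 443},
]


def _basename(image: str) -> str:
    """Windows image path -> lower-case file name (works on non-Windows hosts)."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events, config=EXTRACTED_CONFIG):
    """Return {signature_name: [matching events]} for the rules above."""
    hits = defaultdict(list)
    for ev in events:
        image = _basename(ev.get("image", ""))
        if ev["type"] == "net":
            if image in NETWORK_BLOCKLIST and not ip_address(ev["dst"]).is_private:
                hits["blocklisted_process_network"].append(ev)
            if (ev["dst"], ev["dport"]) in config["c2"]:   # match on (ip, port), not ip alone
                hits["c2_contact"].append(ev)
            if ev["dport"] in TOR_DEFAULT_PORTS:
                hits["tor_default_port"].append(ev)
        elif ev["type"] == "dns" and ev["host"].lower() in IP_LOOKUP_HOSTS:
            hits["external_ip_lookup"].append(ev)
        elif ev["type"] == "wpm" and ev["pid"] != ev["target_pid"]:
            hits["write_process_memory"].append(ev)
    return dict(hits)


def wow64_relaunch(events):
    """(parent_pid, child_pid) pairs where a system32 rundll32 spawned a SysWOW64
    rundll32 with the same command line: the relaunch a 64-bit rundll32 performs
    for a 32-bit DLL, and the benign explanation for parent->child WPM events."""
    procs = {ev["pid"]: ev for ev in events if ev["type"] == "process"}
    pairs = []
    for child in procs.values():
        parent = procs.get(child["ppid"])
        if (parent is not None
                and _basename(parent["image"]) == _basename(child["image"]) == "rundll32.exe"
                and "\\system32\\" in parent["image"].lower()
                and "\\syswow64\\" in child["image"].lower()
                and parent["cmdline"] == child["cmdline"]):
            pairs.append((parent["pid"], child["pid"]))
    return pairs


def summarize(hits):
    """Signature name -> IoC count, the shape of the report's 'N IoCs' lines."""
    return {name: len(evs) for name, evs in sorted(hits.items())}


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for name, count in summarize(found).items():
        print(f"{name}: {count} IoCs")
    print("WoW64 relaunch pairs:", wow64_relaunch(SAMPLE_EVENTS))
```

On the constructed events the script reports two blocklisted network requests (the private SMB flow is excluded), two C2 contacts, one external IP lookup and three WriteProcessMemory events, and pairs 3968 with 2332 as the WoW64 relaunch; the Tor rule fires on nothing, mirroring the report's TTP without IoCs. To use it on real sandbox output, replace SAMPLE_EVENTS with a loader for the export format at hand.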