parallax | 66dfb7c408d734edc2967d50244babae27e4268ea93aa0daa5e6bbace607024c

Analysis

max time kernel
113s
max time network
153s
platform
windows10_x64
resource
win10v20210410
submitted
27-07-2021 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66dfb7c408d734edc2967d50244babae27e4268ea93aa0daa5e6bbace607024c.bin.exe
Size

6.9MB
MD5

c6807985e9ac7a2d65b15728934c0a86
SHA1

5d9a604584a5052d5bb7b277be339a1debeaaf59
SHA256

66dfb7c408d734edc2967d50244babae27e4268ea93aa0daa5e6bbace607024c
SHA512

007069f54c3f9ae76056581ded22fe1cb870ca711e2e9b1204fb9584c7918a9dc974b1491614da668a5b45b8463f9994075c525255a72744a03f953dde7b51ac

Score

10^/10

parallax rat suricata upx

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/1216-194-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

suricata: ET MALWARE Parallax CnC Response Activity M14
suricata

Blocklisted process makes network request 1 IoCs

flow	pid	Process
17	1216	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1736	66dfb7c408d734edc2967d50244babae27e4268ea93aa0daa5e6bbace607024c.bin.tmp
2596	UtorrentV4.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000100000001ab80-120.dat	upx
behavioral2/files/0x000100000001ab80-193.dat	upx

Loads dropped DLL 6 IoCs

pid	Process
2596	UtorrentV4.exe
2596	UtorrentV4.exe
2596	UtorrentV4.exe
2596	UtorrentV4.exe
2596	UtorrentV4.exe
2596	UtorrentV4.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\UtorrentV4.job	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2596	UtorrentV4.exe
3564	notepad.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3564	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 1736	3980	66dfb7c408d734edc2967d50244babae27e4268ea93aa0daa5e6bbace607024c.bin.exe	75
PID 3980 wrote to memory of 1736	3980	66dfb7c408d734edc2967d50244babae27e4268ea93aa0daa5e6bbace607024c.bin.exe	75
PID 3980 wrote to memory of 1736	3980	66dfb7c408d734edc2967d50244babae27e4268ea93aa0daa5e6bbace607024c.bin.exe	75
PID 1736 wrote to memory of 2596	1736	66dfb7c408d734edc2967d50244babae27e4268ea93aa0daa5e6bbace607024c.bin.tmp	77
PID 1736 wrote to memory of 2596	1736	66dfb7c408d734edc2967d50244babae27e4268ea93aa0daa5e6bbace607024c.bin.tmp	77
PID 1736 wrote to memory of 2596	1736	66dfb7c408d734edc2967d50244babae27e4268ea93aa0daa5e6bbace607024c.bin.tmp	77
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81
PID 2596 wrote to memory of 3564	2596	UtorrentV4.exe	81

C:\Users\Admin\AppData\Local\Temp\66dfb7c408d734edc2967d50244babae27e4268ea93aa0daa5e6bbace607024c.bin.exe
"C:\Users\Admin\AppData\Local\Temp\66dfb7c408d734edc2967d50244babae27e4268ea93aa0daa5e6bbace607024c.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Users\Admin\AppData\Local\Temp\is-D3FCP.tmp\66dfb7c408d734edc2967d50244babae27e4268ea93aa0daa5e6bbace607024c.bin.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-D3FCP.tmp\66dfb7c408d734edc2967d50244babae27e4268ea93aa0daa5e6bbace607024c.bin.tmp" /SL5="$201C8,6337497,999936,C:\Users\Admin\AppData\Local\Temp\66dfb7c408d734edc2967d50244babae27e4268ea93aa0daa5e6bbace607024c.bin.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Roaming\UtorrentV4.exe
    "C:\Users\Admin\AppData\Roaming\UtorrentV4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:3564
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        Blocklisted process makes network request
        Drops file in Windows directory
        
        PID:1216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1216-194-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1216-173-0x00007FFF4DF91000-0x00007FFF4E09E7A3-memory.dmp

Filesize
1.1MB

Download
memory/1216-168-0x00007FFF4DF90000-0x00007FFF4E16B000-memory.dmp

Filesize
1.9MB

Download
memory/1216-167-0x0000000000D70000-0x0000000000D79000-memory.dmp

Filesize
36KB

Download
memory/1736-118-0x00000000007A0000-0x000000000084E000-memory.dmp

Filesize
696KB

Download
memory/2596-124-0x0000000000F51000-0x0000000000F55000-memory.dmp

Filesize
16KB

Download
memory/3564-155-0x00007FFF4DF90000-0x00007FFF4E16B000-memory.dmp

Filesize
1.9MB

Download
memory/3564-154-0x0000000004BD0000-0x0000000004BD8000-memory.dmp

Filesize
32KB

Download
memory/3564-141-0x0000000002CD0000-0x0000000002CD2000-memory.dmp

Filesize
8KB

Download
memory/3564-133-0x0000000076FE9000-0x0000000076FE9005-memory.dmp

Filesize
5B

Download
memory/3980-115-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download