parallax | dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb

Analysis

max time kernel
112s
max time network
151s
platform
windows10_x64
resource
win10v20210410
submitted
27-07-2021 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin.exe
Size

5.8MB
MD5

1b890e13edc227f3605e8725fa62c4c3
SHA1

65979c3b01a41b7b5939d7808d3791350b65e6fa
SHA256

dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb
SHA512

a2f1b53c8d0d9a02aa31ade6cc3ade106af65ff92f9b6fe4286692ea65367cfb0991087fc6919fc346bf3d486ae1c9edd7f9d4d426c21b2a6913024ab5c45966

Score

10^/10

parallax rat suricata upx

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/1376-196-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

suricata: ET MALWARE Parallax CnC Response Activity M14
suricata

Blocklisted process makes network request 1 IoCs

flow	pid	Process
17	1376	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1448	dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin.tmp
2168	UtorrentV4.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000100000001ab6f-120.dat	upx
behavioral2/files/0x000100000001ab6f-195.dat	upx

Loads dropped DLL 8 IoCs

pid	Process
2168	UtorrentV4.exe
2168	UtorrentV4.exe
2168	UtorrentV4.exe
2168	UtorrentV4.exe
2168	UtorrentV4.exe
2168	UtorrentV4.exe
2168	UtorrentV4.exe
2168	UtorrentV4.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\UtorrentV4.job	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2168	UtorrentV4.exe
1576	notepad.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1576	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1448	1968	dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin.exe	75
PID 1968 wrote to memory of 1448	1968	dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin.exe	75
PID 1968 wrote to memory of 1448	1968	dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin.exe	75
PID 1448 wrote to memory of 2168	1448	dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin.tmp	76
PID 1448 wrote to memory of 2168	1448	dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin.tmp	76
PID 1448 wrote to memory of 2168	1448	dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin.tmp	76
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81
PID 2168 wrote to memory of 1576	2168	UtorrentV4.exe	81

C:\Users\Admin\AppData\Local\Temp\dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin.exe
"C:\Users\Admin\AppData\Local\Temp\dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\is-2NK4K.tmp\dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-2NK4K.tmp\dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin.tmp" /SL5="$201D0,5202326,999936,C:\Users\Admin\AppData\Local\Temp\dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Users\Admin\AppData\Roaming\UtorrentV4.exe
    "C:\Users\Admin\AppData\Roaming\UtorrentV4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:1576
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        Blocklisted process makes network request
        Drops file in Windows directory
        
        PID:1376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1376-196-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1376-175-0x00007FFC24031000-0x00007FFC2413E7A3-memory.dmp

Filesize
1.1MB

Download
memory/1376-169-0x00007FFC24030000-0x00007FFC2420B000-memory.dmp

Filesize
1.9MB

Download
memory/1376-170-0x0000000002FE0000-0x0000000002FE9000-memory.dmp

Filesize
36KB

Download
memory/1448-118-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/1576-139-0x0000000003140000-0x0000000003142000-memory.dmp

Filesize
8KB

Download
memory/1576-157-0x00007FFC24030000-0x00007FFC2420B000-memory.dmp

Filesize
1.9MB

Download
memory/1576-156-0x00000000036D0000-0x00000000036D8000-memory.dmp

Filesize
32KB

Download
memory/1576-135-0x0000000077359000-0x0000000077359005-memory.dmp

Filesize
5B

Download
memory/1968-117-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/2168-124-0x0000000000E81000-0x0000000000E85000-memory.dmp

Filesize
16KB

Download