Overview

overview

10

Static

static

dd2b6e5b02...in.exe

windows7_x64

8

dd2b6e5b02...in.exe

windows10_x64

10

Analysis

  • max time kernel
    112s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    27-07-2021 09:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin.exe

  • Size

    5.8MB

  • MD5

    1b890e13edc227f3605e8725fa62c4c3

  • SHA1

    65979c3b01a41b7b5939d7808d3791350b65e6fa

  • SHA256

    dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb

  • SHA512

    a2f1b53c8d0d9a02aa31ade6cc3ade106af65ff92f9b6fe4286692ea65367cfb0991087fc6919fc346bf3d486ae1c9edd7f9d4d426c21b2a6913024ab5c45966

Score
10/10
parallaxratsuricataupx

Malware Config

Signatures

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

    ratparallax
  • ParallaxRat payload 1 IoCs

    Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

  • suricata: ET MALWARE Parallax CnC Response Activity M14
    suricata
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Users\Admin\AppData\Local\Temp\is-2NK4K.tmp\dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-2NK4K.tmp\dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin.tmp" /SL5="$201D0,5202326,999936,C:\Users\Admin\AppData\Local\Temp\dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Users\Admin\AppData\Roaming\UtorrentV4.exe
        "C:\Users\Admin\AppData\Roaming\UtorrentV4.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2168
        • C:\Windows\SysWOW64\notepad.exe
          "C:\Windows\system32\notepad.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:1576
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe"
            5⤵
            • Blocklisted process makes network request
            • Drops file in Windows directory
            PID:1376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-2NK4K.tmp\dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin.tmp
    MD5

    a1a17d158af58d4a2ff724fdb6231bf1

    SHA1

    38345deb7968ca59615c2e9a0677ba2f468d0f72

    SHA256

    fcf5f6ec4de5b314f53e4ad79afa31a8461428459060ac5e17ef132b54a7aa10

    SHA512

    756317041f1d73648e2891caec6ed6486a935cfe856d9c306becb18ff5929e19854776403f7d11814ba7963c8d61f0ac1bb9ba3acf68955176e62949c1a04814

    Download Submit
  • C:\Users\Admin\AppData\Roaming\BORLNDMM.DLL
    MD5

    d329682a25bb2433bc05d170b8e3e9b0

    SHA1

    76e3a2004e5ba7f5126fac9922336f38e928d733

    SHA256

    b3cc3f8b65b37a807843e07c3848eba3b86f6e2d0b67c6d7cb14e9660a881618

    SHA512

    432f454d32622b352badabe71546e522949a83dfefdcd12dcd6992d9e57d10d13de305dc67c8993d6e90c28cabdc9d6b20829c844efe8e175cb80f51bcd407d3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\CC32220MT.DLL
    MD5

    cfc08b3fd01b4e96517ee75a67a59e88

    SHA1

    d9cb08009aa04b316486a51a38a47d59a837cbc5

    SHA256

    4c7ba4b43e9ef88ab0b0073d966a5923bf5d236aee0a436256fe225ffc31a5ba

    SHA512

    26bec56dc2748e1d88bba12c4adcd24beb48809bd6c3927155a38f0487d7ed2dcd63b783c84b8ea44e3f2e9ab8bebb1448ff3f7c5acab12e816a7a365890ecb5

    Download Submit
  • C:\Users\Admin\AppData\Roaming\MSIMG32.dll
    MD5

    1e3a67f928e0574e6fa8993df4c1c8a7

    SHA1

    7898e2537c3882382c77c1393ad7fe547ab7357c

    SHA256

    73f6956daf7e02aade628921d1faba2189ce98053afeb397b45548549eeda822

    SHA512

    fc8b2d79156b829cfe778aab5ee648b8521f69e518327f8b5e6ca6b42d380c59e97d275ddf2eb54f56978cc183624ba267805e35413fce60a0732d3febe4a591

    Download Submit
  • C:\Users\Admin\AppData\Roaming\UtorrentV4.exe
    MD5

    4939d280485bdc0ac67b49012bdcec08

    SHA1

    fc7d1d37b82e126d999ac8a6c5c9343363925fe6

    SHA256

    30b6a34230e15d9941fd4d37fe392c3306c8ef4c1de59c5c87d80068514565df

    SHA512

    6a175d3f71d7430479b7e21b92db07f1758a9ea63a341375107bb002df4cbfe90031a04705b560a130ce02e9eae1b51c189d93a864b0f253cdfc03ae652b1868

    Download Submit
  • C:\Users\Admin\AppData\Roaming\UtorrentV4.exe
    MD5

    4939d280485bdc0ac67b49012bdcec08

    SHA1

    fc7d1d37b82e126d999ac8a6c5c9343363925fe6

    SHA256

    30b6a34230e15d9941fd4d37fe392c3306c8ef4c1de59c5c87d80068514565df

    SHA512

    6a175d3f71d7430479b7e21b92db07f1758a9ea63a341375107bb002df4cbfe90031a04705b560a130ce02e9eae1b51c189d93a864b0f253cdfc03ae652b1868

    Download Submit
  • C:\Users\Admin\AppData\Roaming\rtl220.bpl
    MD5

    654f94911b454928dc60e6640d511e2a

    SHA1

    be83ffc9fdacb4fd5ee5168454a83e341ea65d61

    SHA256

    0082c561f3d9a41c35aa99f15be51733aced230c8ffdc6658611b51f470f855f

    SHA512

    fddcc9bfbb677ac12ed1e3fb4105450f3e0f31f77b00bb4427f4729967b41fbc9ebd4f89cd1d4adfc89a8481039e54e9e9600f49045b13eb07bdd542f9ecf4b6

    Download Submit
  • \Users\Admin\AppData\Roaming\MSIMG32.dll
    MD5

    1e3a67f928e0574e6fa8993df4c1c8a7

    SHA1

    7898e2537c3882382c77c1393ad7fe547ab7357c

    SHA256

    73f6956daf7e02aade628921d1faba2189ce98053afeb397b45548549eeda822

    SHA512

    fc8b2d79156b829cfe778aab5ee648b8521f69e518327f8b5e6ca6b42d380c59e97d275ddf2eb54f56978cc183624ba267805e35413fce60a0732d3febe4a591

    Download Submit
  • \Users\Admin\AppData\Roaming\MSIMG32.dll
    MD5

    1e3a67f928e0574e6fa8993df4c1c8a7

    SHA1

    7898e2537c3882382c77c1393ad7fe547ab7357c

    SHA256

    73f6956daf7e02aade628921d1faba2189ce98053afeb397b45548549eeda822

    SHA512

    fc8b2d79156b829cfe778aab5ee648b8521f69e518327f8b5e6ca6b42d380c59e97d275ddf2eb54f56978cc183624ba267805e35413fce60a0732d3febe4a591

    Download Submit
  • \Users\Admin\AppData\Roaming\borlndmm.dll
    MD5

    d329682a25bb2433bc05d170b8e3e9b0

    SHA1

    76e3a2004e5ba7f5126fac9922336f38e928d733

    SHA256

    b3cc3f8b65b37a807843e07c3848eba3b86f6e2d0b67c6d7cb14e9660a881618

    SHA512

    432f454d32622b352badabe71546e522949a83dfefdcd12dcd6992d9e57d10d13de305dc67c8993d6e90c28cabdc9d6b20829c844efe8e175cb80f51bcd407d3

    Download Submit
  • \Users\Admin\AppData\Roaming\cc32220mt.dll
    MD5

    cfc08b3fd01b4e96517ee75a67a59e88

    SHA1

    d9cb08009aa04b316486a51a38a47d59a837cbc5

    SHA256

    4c7ba4b43e9ef88ab0b0073d966a5923bf5d236aee0a436256fe225ffc31a5ba

    SHA512

    26bec56dc2748e1d88bba12c4adcd24beb48809bd6c3927155a38f0487d7ed2dcd63b783c84b8ea44e3f2e9ab8bebb1448ff3f7c5acab12e816a7a365890ecb5

    Download Submit
  • \Users\Admin\AppData\Roaming\rtl220.bpl
    MD5

    654f94911b454928dc60e6640d511e2a

    SHA1

    be83ffc9fdacb4fd5ee5168454a83e341ea65d61

    SHA256

    0082c561f3d9a41c35aa99f15be51733aced230c8ffdc6658611b51f470f855f

    SHA512

    fddcc9bfbb677ac12ed1e3fb4105450f3e0f31f77b00bb4427f4729967b41fbc9ebd4f89cd1d4adfc89a8481039e54e9e9600f49045b13eb07bdd542f9ecf4b6

    Download Submit
  • \Users\Admin\AppData\Roaming\rtl220.bpl
    MD5

    654f94911b454928dc60e6640d511e2a

    SHA1

    be83ffc9fdacb4fd5ee5168454a83e341ea65d61

    SHA256

    0082c561f3d9a41c35aa99f15be51733aced230c8ffdc6658611b51f470f855f

    SHA512

    fddcc9bfbb677ac12ed1e3fb4105450f3e0f31f77b00bb4427f4729967b41fbc9ebd4f89cd1d4adfc89a8481039e54e9e9600f49045b13eb07bdd542f9ecf4b6

    Download Submit
  • \Users\Admin\AppData\Roaming\rtl220.bpl
    MD5

    654f94911b454928dc60e6640d511e2a

    SHA1

    be83ffc9fdacb4fd5ee5168454a83e341ea65d61

    SHA256

    0082c561f3d9a41c35aa99f15be51733aced230c8ffdc6658611b51f470f855f

    SHA512

    fddcc9bfbb677ac12ed1e3fb4105450f3e0f31f77b00bb4427f4729967b41fbc9ebd4f89cd1d4adfc89a8481039e54e9e9600f49045b13eb07bdd542f9ecf4b6

    Download Submit
  • \Users\Admin\AppData\Roaming\rtl220.bpl
    MD5

    654f94911b454928dc60e6640d511e2a

    SHA1

    be83ffc9fdacb4fd5ee5168454a83e341ea65d61

    SHA256

    0082c561f3d9a41c35aa99f15be51733aced230c8ffdc6658611b51f470f855f

    SHA512

    fddcc9bfbb677ac12ed1e3fb4105450f3e0f31f77b00bb4427f4729967b41fbc9ebd4f89cd1d4adfc89a8481039e54e9e9600f49045b13eb07bdd542f9ecf4b6

    Download Submit
  • memory/1376-162-0x0000000000000000-mapping.dmp
    Download
  • memory/1376-196-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/1376-175-0x00007FFC24031000-0x00007FFC2413E7A3-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1376-169-0x00007FFC24030000-0x00007FFC2420B000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1376-170-0x0000000002FE0000-0x0000000002FE9000-memory.dmp
    Filesize

    36KB

    Download
  • memory/1448-115-0x0000000000000000-mapping.dmp
    Download
  • memory/1448-118-0x00000000009B0000-0x00000000009B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1576-139-0x0000000003140000-0x0000000003142000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1576-157-0x00007FFC24030000-0x00007FFC2420B000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1576-156-0x00000000036D0000-0x00000000036D8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1576-135-0x0000000077359000-0x0000000077359005-memory.dmp
    Filesize

    5B

    Download
  • memory/1576-134-0x0000000000000000-mapping.dmp
    Download
  • memory/1968-117-0x0000000000400000-0x0000000000501000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2168-119-0x0000000000000000-mapping.dmp
    Download
  • memory/2168-124-0x0000000000E81000-0x0000000000E85000-memory.dmp
    Filesize

    16KB

    Download