parallax | 389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7v20210410
submitted
25-08-2021 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.exe
Size

13.6MB
MD5

415c3aa31822921311e2f080b3814924
SHA1

796231aacfe6bf73ac73e95f1f061307f6c3ae68
SHA256

389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a
SHA512

637b3feb21e3a4fc497faa5e762d843acb3c2e8688f98cc2f30aaf468d9ac10d62dcbc7736baedb43e677674728afea748dc35acaff1c554ac754e5c8a6eff6a

Score

10^/10

parallax rat upx

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/316-92-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Executes dropped EXE 2 IoCs

pid	Process
1284	389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.tmp
1724	UtorrentV4.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0003000000013110-68.dat	upx
behavioral1/files/0x0003000000013110-70.dat	upx

Loads dropped DLL 6 IoCs

pid	Process
788	389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.exe
1284	389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.tmp
1724	UtorrentV4.exe
1724	UtorrentV4.exe
1724	UtorrentV4.exe
1724	UtorrentV4.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1724	UtorrentV4.exe
1552	notepad.exe
1552	notepad.exe
1552	notepad.exe
1552	notepad.exe
1552	notepad.exe
1552	notepad.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1552	notepad.exe
1552	notepad.exe
1552	notepad.exe
1552	notepad.exe
1552	notepad.exe
1552	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 1284	788	389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.exe	26
PID 788 wrote to memory of 1284	788	389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.exe	26
PID 788 wrote to memory of 1284	788	389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.exe	26
PID 788 wrote to memory of 1284	788	389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.exe	26
PID 788 wrote to memory of 1284	788	389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.exe	26
PID 788 wrote to memory of 1284	788	389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.exe	26
PID 788 wrote to memory of 1284	788	389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.exe	26
PID 1284 wrote to memory of 1724	1284	389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.tmp	28
PID 1284 wrote to memory of 1724	1284	389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.tmp	28
PID 1284 wrote to memory of 1724	1284	389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.tmp	28
PID 1284 wrote to memory of 1724	1284	389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.tmp	28
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1724 wrote to memory of 1552	1724	UtorrentV4.exe	31
PID 1552 wrote to memory of 652	1552	notepad.exe	34
PID 1552 wrote to memory of 652	1552	notepad.exe	34
PID 1552 wrote to memory of 652	1552	notepad.exe	34
PID 1552 wrote to memory of 652	1552	notepad.exe	34
PID 1552 wrote to memory of 652	1552	notepad.exe	34
PID 1552 wrote to memory of 652	1552	notepad.exe	34
PID 1552 wrote to memory of 652	1552	notepad.exe	34
PID 1552 wrote to memory of 652	1552	notepad.exe	34
PID 1552 wrote to memory of 652	1552	notepad.exe	34
PID 1552 wrote to memory of 652	1552	notepad.exe	34
PID 1552 wrote to memory of 652	1552	notepad.exe	34
PID 1552 wrote to memory of 652	1552	notepad.exe	34
PID 1552 wrote to memory of 652	1552	notepad.exe	34
PID 1552 wrote to memory of 652	1552	notepad.exe	34
PID 1552 wrote to memory of 1384	1552	notepad.exe	35
PID 1552 wrote to memory of 1384	1552	notepad.exe	35
PID 1552 wrote to memory of 1384	1552	notepad.exe	35
PID 1552 wrote to memory of 1384	1552	notepad.exe	35
PID 1552 wrote to memory of 1384	1552	notepad.exe	35

C:\Users\Admin\AppData\Local\Temp\389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.exe
"C:\Users\Admin\AppData\Local\Temp\389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:788
- C:\Users\Admin\AppData\Local\Temp\is-E5CEH.tmp\389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-E5CEH.tmp\389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.tmp" /SL5="$30018,13430622,831488,C:\Users\Admin\AppData\Local\Temp\389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Users\Admin\AppData\Roaming\UtorrentV4.exe
    "C:\Users\Admin\AppData\Roaming\UtorrentV4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1552
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:652
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:1384
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:1644
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:1624
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:1668
    - - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        5⤵
        
        PID:316

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-92-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/316-88-0x0000000077691000-0x000000007779127A-memory.dmp

Filesize
1.0MB

Download
memory/316-87-0x0000000077690000-0x0000000077839000-memory.dmp

Filesize
1.7MB

Download
memory/316-86-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/788-66-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/788-60-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1284-67-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1552-82-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/1552-83-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/1552-84-0x0000000077690000-0x0000000077839000-memory.dmp

Filesize
1.7MB

Download