parallax | 389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a

Analysis

max time kernel
101s
max time network
146s
platform
windows10_x64
resource
win10v20210408
submitted
25-08-2021 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.exe
Size

13.6MB
MD5

415c3aa31822921311e2f080b3814924
SHA1

796231aacfe6bf73ac73e95f1f061307f6c3ae68
SHA256

389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a
SHA512

637b3feb21e3a4fc497faa5e762d843acb3c2e8688f98cc2f30aaf468d9ac10d62dcbc7736baedb43e677674728afea748dc35acaff1c554ac754e5c8a6eff6a

Score

10^/10

parallax rat upx

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/1492-196-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
16	1492	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2136	389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.tmp
2056	UtorrentV4.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000100000001ab4d-120.dat	upx
behavioral2/files/0x000100000001ab4d-195.dat	upx

Loads dropped DLL 8 IoCs

pid	Process
2056	UtorrentV4.exe
2056	UtorrentV4.exe
2056	UtorrentV4.exe
2056	UtorrentV4.exe
2056	UtorrentV4.exe
2056	UtorrentV4.exe
2056	UtorrentV4.exe
2056	UtorrentV4.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\UtorrentV4.job	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2056	UtorrentV4.exe
2788	notepad.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2788	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 2136	3128	389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.exe	75
PID 3128 wrote to memory of 2136	3128	389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.exe	75
PID 3128 wrote to memory of 2136	3128	389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.exe	75
PID 2136 wrote to memory of 2056	2136	389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.tmp	76
PID 2136 wrote to memory of 2056	2136	389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.tmp	76
PID 2136 wrote to memory of 2056	2136	389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.tmp	76
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79
PID 2056 wrote to memory of 2788	2056	UtorrentV4.exe	79

C:\Users\Admin\AppData\Local\Temp\389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.exe
"C:\Users\Admin\AppData\Local\Temp\389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Admin\AppData\Local\Temp\is-S7BP4.tmp\389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-S7BP4.tmp\389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.tmp" /SL5="$20112,13430622,831488,C:\Users\Admin\AppData\Local\Temp\389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Users\Admin\AppData\Roaming\UtorrentV4.exe
    "C:\Users\Admin\AppData\Roaming\UtorrentV4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        Blocklisted process makes network request
        Drops file in Windows directory
        
        PID:1492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1492-196-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1492-175-0x00007FFAB0C51000-0x00007FFAB0D5E7A3-memory.dmp

Filesize
1.1MB

Download
memory/1492-170-0x00007FFAB0C50000-0x00007FFAB0E2B000-memory.dmp

Filesize
1.9MB

Download
memory/1492-169-0x0000000003300000-0x0000000003309000-memory.dmp

Filesize
36KB

Download
memory/2056-124-0x0000000000F31000-0x0000000000F35000-memory.dmp

Filesize
16KB

Download
memory/2136-118-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/2788-157-0x00007FFAB0C50000-0x00007FFAB0E2B000-memory.dmp

Filesize
1.9MB

Download
memory/2788-156-0x00000000033B0000-0x00000000033B8000-memory.dmp

Filesize
32KB

Download
memory/2788-143-0x0000000000D70000-0x0000000000D72000-memory.dmp

Filesize
8KB

Download
memory/2788-135-0x0000000077399000-0x0000000077399005-memory.dmp

Filesize
5B

Download
memory/3128-117-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download