parallax | 7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5

Analysis

max time kernel
77s
max time network
183s
platform
windows7_x64
resource
win7-en-20210920
submitted
21-10-2021 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe
Size

7.1MB
MD5

0956923f0ae4416c739e14fc03e8c866
SHA1

a8c2b3b618c51afa15425cdc6f9e5f7befa68e6a
SHA256

7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5
SHA512

9715a323a432e9bd7d44067da14c0f3f923452a5782e6b2007fe87d89d7317df9901eacac6dedbe25223fed958291cd1b12c294be4093f13360adb2c1da8f5a2

Score

10^/10

parallax rat upx

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

Processes:

resource	yara_rule
behavioral1/memory/904-99-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Executes dropped EXE 2 IoCs

Processes:

7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmpwinhlp.exe

pid process

1720 7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp
468 winhlp.exe

pid	process
1720	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp
468	winhlp.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\winhlp.exe	upx
C:\Users\Admin\AppData\Roaming\winhlp.exe	upx
C:\Users\Admin\AppData\Roaming\winhlp.exe	upx

Loads dropped DLL 6 IoCs

Processes:

7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmpwinhlp.exe

pid	process
1212	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe
1720	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp
468	winhlp.exe
468	winhlp.exe
468	winhlp.exe
468	winhlp.exe

Drops file in Windows directory 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Windows\Tasks\winhlp.job notepad.exe

description	ioc	process
File created	C:\Windows\Tasks\winhlp.job	notepad.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

winhlp.exedllhost.exe

pid	process
468	winhlp.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe

Suspicious behavior: MapViewOfSection 11 IoCs

Processes:

dllhost.exe

pid	process
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmpwinhlp.exedllhost.exe

description	pid	process	target process
PID 1212 wrote to memory of 1720	1212	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp
PID 1212 wrote to memory of 1720	1212	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp
PID 1212 wrote to memory of 1720	1212	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp
PID 1212 wrote to memory of 1720	1212	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp
PID 1212 wrote to memory of 1720	1212	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp
PID 1212 wrote to memory of 1720	1212	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp
PID 1212 wrote to memory of 1720	1212	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp
PID 1720 wrote to memory of 468	1720	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp	winhlp.exe
PID 1720 wrote to memory of 468	1720	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp	winhlp.exe
PID 1720 wrote to memory of 468	1720	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp	winhlp.exe
PID 1720 wrote to memory of 468	1720	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp	winhlp.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 468 wrote to memory of 932	468	winhlp.exe	dllhost.exe
PID 932 wrote to memory of 1764	932	dllhost.exe	cmd.exe
PID 932 wrote to memory of 1764	932	dllhost.exe	cmd.exe
PID 932 wrote to memory of 1764	932	dllhost.exe	cmd.exe
PID 932 wrote to memory of 1764	932	dllhost.exe	cmd.exe
PID 932 wrote to memory of 1764	932	dllhost.exe	cmd.exe
PID 932 wrote to memory of 1764	932	dllhost.exe	cmd.exe
PID 932 wrote to memory of 1764	932	dllhost.exe	cmd.exe
PID 932 wrote to memory of 1764	932	dllhost.exe	cmd.exe
PID 932 wrote to memory of 1764	932	dllhost.exe	cmd.exe
PID 932 wrote to memory of 1764	932	dllhost.exe	cmd.exe
PID 932 wrote to memory of 1764	932	dllhost.exe	cmd.exe
PID 932 wrote to memory of 1764	932	dllhost.exe	cmd.exe
PID 932 wrote to memory of 1764	932	dllhost.exe	cmd.exe
PID 932 wrote to memory of 1764	932	dllhost.exe	cmd.exe
PID 932 wrote to memory of 1136	932	dllhost.exe	cmd.exe
PID 932 wrote to memory of 1136	932	dllhost.exe	cmd.exe
PID 932 wrote to memory of 1136	932	dllhost.exe	cmd.exe
PID 932 wrote to memory of 1136	932	dllhost.exe	cmd.exe
PID 932 wrote to memory of 1136	932	dllhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe
"C:\Users\Admin\AppData\Local\Temp\7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\is-5PFSV.tmp\7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5PFSV.tmp\7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp" /SL5="$40118,6387055,831488,C:\Users\Admin\AppData\Local\Temp\7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Roaming\winhlp.exe
"C:\Users\Admin\AppData\Roaming\winhlp.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\system32\dllhost.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
5⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
5⤵
PID:1136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
5⤵
PID:1356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
5⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
5⤵
PID:2036

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
5⤵
PID:692

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
5⤵
PID:2020

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
5⤵
PID:512

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
5⤵
PID:1916

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
5⤵
PID:1736

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
5⤵
- Drops file in Windows directory
PID:904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-5PFSV.tmp\7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp
MD5
7fc45182667dfce2ae187002f7f6cf90

SHA1
214e2672ae1082dd699244f68999761c07ed906c

SHA256
30098bbeac856f031f26c3fbcc43e579cde33bbde476b798f060987782cd21f3

SHA512
a4244d01a942cca4f023684069907f8cb88b2a733de0cfca965e5f9072fc8a1d0501754814801e764d38c85bd734f6d48a0ca3383f4be0a4789e339bad1647ae

Download Submit
C:\Users\Admin\AppData\Roaming\BORLNDMM.DLL
MD5
d329682a25bb2433bc05d170b8e3e9b0

SHA1
76e3a2004e5ba7f5126fac9922336f38e928d733

SHA256
b3cc3f8b65b37a807843e07c3848eba3b86f6e2d0b67c6d7cb14e9660a881618

SHA512
432f454d32622b352badabe71546e522949a83dfefdcd12dcd6992d9e57d10d13de305dc67c8993d6e90c28cabdc9d6b20829c844efe8e175cb80f51bcd407d3

Download Submit
C:\Users\Admin\AppData\Roaming\CC32220MT.DLL
MD5
cfc08b3fd01b4e96517ee75a67a59e88

SHA1
d9cb08009aa04b316486a51a38a47d59a837cbc5

SHA256
4c7ba4b43e9ef88ab0b0073d966a5923bf5d236aee0a436256fe225ffc31a5ba

SHA512
26bec56dc2748e1d88bba12c4adcd24beb48809bd6c3927155a38f0487d7ed2dcd63b783c84b8ea44e3f2e9ab8bebb1448ff3f7c5acab12e816a7a365890ecb5

Download Submit
C:\Users\Admin\AppData\Roaming\MSIMG32.dll
MD5
69f8065a283ffc7516eb3b716b7635f9

SHA1
c9b5ce38ff96533900da4b5c7173bd3a07bbde90

SHA256
6a63e9a5615fe995d09574f1d935299a0eef32da31d0d0d41988c77216b916ca

SHA512
68a1c54d410e2528432e3069fe5a1bf11e01a95005875616e9642412d3dafd97eb41dbb9df1ca2056f672cdb859ce055f877df012416f019bf3b541c7588bef2

Download Submit
C:\Users\Admin\AppData\Roaming\rtl220.bpl
MD5
654f94911b454928dc60e6640d511e2a

SHA1
be83ffc9fdacb4fd5ee5168454a83e341ea65d61

SHA256
0082c561f3d9a41c35aa99f15be51733aced230c8ffdc6658611b51f470f855f

SHA512
fddcc9bfbb677ac12ed1e3fb4105450f3e0f31f77b00bb4427f4729967b41fbc9ebd4f89cd1d4adfc89a8481039e54e9e9600f49045b13eb07bdd542f9ecf4b6

Download Submit
C:\Users\Admin\AppData\Roaming\winhlp.exe
MD5
4939d280485bdc0ac67b49012bdcec08

SHA1
fc7d1d37b82e126d999ac8a6c5c9343363925fe6

SHA256
30b6a34230e15d9941fd4d37fe392c3306c8ef4c1de59c5c87d80068514565df

SHA512
6a175d3f71d7430479b7e21b92db07f1758a9ea63a341375107bb002df4cbfe90031a04705b560a130ce02e9eae1b51c189d93a864b0f253cdfc03ae652b1868

Download Submit
C:\Users\Admin\AppData\Roaming\winhlp.exe
MD5
4939d280485bdc0ac67b49012bdcec08

SHA1
fc7d1d37b82e126d999ac8a6c5c9343363925fe6

SHA256
30b6a34230e15d9941fd4d37fe392c3306c8ef4c1de59c5c87d80068514565df

SHA512
6a175d3f71d7430479b7e21b92db07f1758a9ea63a341375107bb002df4cbfe90031a04705b560a130ce02e9eae1b51c189d93a864b0f253cdfc03ae652b1868

Download Submit
\Users\Admin\AppData\Local\Temp\is-5PFSV.tmp\7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp
MD5
7fc45182667dfce2ae187002f7f6cf90

SHA1
214e2672ae1082dd699244f68999761c07ed906c

SHA256
30098bbeac856f031f26c3fbcc43e579cde33bbde476b798f060987782cd21f3

SHA512
a4244d01a942cca4f023684069907f8cb88b2a733de0cfca965e5f9072fc8a1d0501754814801e764d38c85bd734f6d48a0ca3383f4be0a4789e339bad1647ae

Download Submit
\Users\Admin\AppData\Roaming\MSIMG32.dll
MD5
69f8065a283ffc7516eb3b716b7635f9

SHA1
c9b5ce38ff96533900da4b5c7173bd3a07bbde90

SHA256
6a63e9a5615fe995d09574f1d935299a0eef32da31d0d0d41988c77216b916ca

SHA512
68a1c54d410e2528432e3069fe5a1bf11e01a95005875616e9642412d3dafd97eb41dbb9df1ca2056f672cdb859ce055f877df012416f019bf3b541c7588bef2

Download Submit
\Users\Admin\AppData\Roaming\borlndmm.dll
MD5
d329682a25bb2433bc05d170b8e3e9b0

SHA1
76e3a2004e5ba7f5126fac9922336f38e928d733

SHA256
b3cc3f8b65b37a807843e07c3848eba3b86f6e2d0b67c6d7cb14e9660a881618

SHA512
432f454d32622b352badabe71546e522949a83dfefdcd12dcd6992d9e57d10d13de305dc67c8993d6e90c28cabdc9d6b20829c844efe8e175cb80f51bcd407d3

Download Submit
\Users\Admin\AppData\Roaming\cc32220mt.dll
MD5
cfc08b3fd01b4e96517ee75a67a59e88

SHA1
d9cb08009aa04b316486a51a38a47d59a837cbc5

SHA256
4c7ba4b43e9ef88ab0b0073d966a5923bf5d236aee0a436256fe225ffc31a5ba

SHA512
26bec56dc2748e1d88bba12c4adcd24beb48809bd6c3927155a38f0487d7ed2dcd63b783c84b8ea44e3f2e9ab8bebb1448ff3f7c5acab12e816a7a365890ecb5

Download Submit
\Users\Admin\AppData\Roaming\rtl220.bpl
MD5
654f94911b454928dc60e6640d511e2a

SHA1
be83ffc9fdacb4fd5ee5168454a83e341ea65d61

SHA256
0082c561f3d9a41c35aa99f15be51733aced230c8ffdc6658611b51f470f855f

SHA512
fddcc9bfbb677ac12ed1e3fb4105450f3e0f31f77b00bb4427f4729967b41fbc9ebd4f89cd1d4adfc89a8481039e54e9e9600f49045b13eb07bdd542f9ecf4b6

Download Submit
\Users\Admin\AppData\Roaming\winhlp.exe
MD5
4939d280485bdc0ac67b49012bdcec08

SHA1
fc7d1d37b82e126d999ac8a6c5c9343363925fe6

SHA256
30b6a34230e15d9941fd4d37fe392c3306c8ef4c1de59c5c87d80068514565df

SHA512
6a175d3f71d7430479b7e21b92db07f1758a9ea63a341375107bb002df4cbfe90031a04705b560a130ce02e9eae1b51c189d93a864b0f253cdfc03ae652b1868

Download Submit
memory/468-64-0x0000000000000000-mapping.dmp

Download
memory/904-99-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/904-91-0x0000000076E90000-0x0000000077039000-memory.dmp

Filesize
1.7MB

Download
memory/904-92-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/904-90-0x0000000000000000-mapping.dmp

Download
memory/932-78-0x0000000001C40000-0x0000000001C48000-memory.dmp

Filesize
32KB

Download
memory/932-77-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/932-79-0x0000000076E90000-0x0000000077039000-memory.dmp

Filesize
1.7MB

Download
memory/932-75-0x0000000000000000-mapping.dmp

Download
memory/1212-61-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1212-54-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1720-62-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1720-58-0x0000000000000000-mapping.dmp

Download