parallax | 7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5

Analysis

max time kernel
77s
max time network
183s
platform
windows7_x64
resource
win7-en-20210920
submitted
21-10-2021 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe
Size

7.1MB
MD5

0956923f0ae4416c739e14fc03e8c866
SHA1

a8c2b3b618c51afa15425cdc6f9e5f7befa68e6a
SHA256

7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5
SHA512

9715a323a432e9bd7d44067da14c0f3f923452a5782e6b2007fe87d89d7317df9901eacac6dedbe25223fed958291cd1b12c294be4093f13360adb2c1da8f5a2

Score

10^/10

parallax rat upx

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/904-99-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Executes dropped EXE 2 IoCs

pid	Process
1720	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp
468	winhlp.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000012677-63.dat	upx
behavioral1/files/0x0005000000012677-65.dat	upx
behavioral1/files/0x0005000000012677-98.dat	upx

Loads dropped DLL 6 IoCs

pid	Process
1212	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe
1720	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp
468	winhlp.exe
468	winhlp.exe
468	winhlp.exe
468	winhlp.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\winhlp.job	notepad.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
468	winhlp.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe

Suspicious behavior: MapViewOfSection 11 IoCs

pid	Process
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe
932	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1720	1212	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe	27
PID 1212 wrote to memory of 1720	1212	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe	27
PID 1212 wrote to memory of 1720	1212	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe	27
PID 1212 wrote to memory of 1720	1212	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe	27
PID 1212 wrote to memory of 1720	1212	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe	27
PID 1212 wrote to memory of 1720	1212	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe	27
PID 1212 wrote to memory of 1720	1212	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe	27
PID 1720 wrote to memory of 468	1720	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp	28
PID 1720 wrote to memory of 468	1720	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp	28
PID 1720 wrote to memory of 468	1720	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp	28
PID 1720 wrote to memory of 468	1720	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp	28
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 468 wrote to memory of 932	468	winhlp.exe	29
PID 932 wrote to memory of 1764	932	dllhost.exe	34
PID 932 wrote to memory of 1764	932	dllhost.exe	34
PID 932 wrote to memory of 1764	932	dllhost.exe	34
PID 932 wrote to memory of 1764	932	dllhost.exe	34
PID 932 wrote to memory of 1764	932	dllhost.exe	34
PID 932 wrote to memory of 1764	932	dllhost.exe	34
PID 932 wrote to memory of 1764	932	dllhost.exe	34
PID 932 wrote to memory of 1764	932	dllhost.exe	34
PID 932 wrote to memory of 1764	932	dllhost.exe	34
PID 932 wrote to memory of 1764	932	dllhost.exe	34
PID 932 wrote to memory of 1764	932	dllhost.exe	34
PID 932 wrote to memory of 1764	932	dllhost.exe	34
PID 932 wrote to memory of 1764	932	dllhost.exe	34
PID 932 wrote to memory of 1764	932	dllhost.exe	34
PID 932 wrote to memory of 1136	932	dllhost.exe	35
PID 932 wrote to memory of 1136	932	dllhost.exe	35
PID 932 wrote to memory of 1136	932	dllhost.exe	35
PID 932 wrote to memory of 1136	932	dllhost.exe	35
PID 932 wrote to memory of 1136	932	dllhost.exe	35

C:\Users\Admin\AppData\Local\Temp\7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe
"C:\Users\Admin\AppData\Local\Temp\7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\is-5PFSV.tmp\7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-5PFSV.tmp\7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp" /SL5="$40118,6387055,831488,C:\Users\Admin\AppData\Local\Temp\7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\AppData\Roaming\winhlp.exe
    "C:\Users\Admin\AppData\Roaming\winhlp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Windows\SysWOW64\dllhost.exe
      "C:\Windows\system32\dllhost.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:932
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:1764
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:1136
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:1356
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:1708
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:2036
    - - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        5⤵
        
        PID:692
    - - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        5⤵
        
        PID:2020
    - - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        5⤵
        
        PID:512
    - - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        5⤵
        
        PID:1916
    - - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        5⤵
        
        PID:1736
    - - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        5⤵
        Drops file in Windows directory
        
        PID:904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/904-99-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/904-91-0x0000000076E90000-0x0000000077039000-memory.dmp

Filesize
1.7MB

Download
memory/904-92-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/932-78-0x0000000001C40000-0x0000000001C48000-memory.dmp

Filesize
32KB

Download
memory/932-77-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/932-79-0x0000000076E90000-0x0000000077039000-memory.dmp

Filesize
1.7MB

Download
memory/1212-61-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1212-54-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1720-62-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download