parallax | 7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5

Analysis

max time kernel
120s
max time network
147s
platform
windows10_x64
resource
win10-en-20210920
submitted
21-10-2021 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe
Size

7.1MB
MD5

0956923f0ae4416c739e14fc03e8c866
SHA1

a8c2b3b618c51afa15425cdc6f9e5f7befa68e6a
SHA256

7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5
SHA512

9715a323a432e9bd7d44067da14c0f3f923452a5782e6b2007fe87d89d7317df9901eacac6dedbe25223fed958291cd1b12c294be4093f13360adb2c1da8f5a2

Score

10^/10

parallax rat upx

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/1876-198-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
26	1876	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3688	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp
508	winhlp.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000001abd3-122.dat	upx
behavioral2/files/0x000600000001abd3-197.dat	upx

Loads dropped DLL 8 IoCs

pid	Process
508	winhlp.exe
508	winhlp.exe
508	winhlp.exe
508	winhlp.exe
508	winhlp.exe
508	winhlp.exe
508	winhlp.exe
508	winhlp.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\winhlp.job	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
508	winhlp.exe
1128	dllhost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1128	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 3688	2176	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe	70
PID 2176 wrote to memory of 3688	2176	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe	70
PID 2176 wrote to memory of 3688	2176	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe	70
PID 3688 wrote to memory of 508	3688	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp	71
PID 3688 wrote to memory of 508	3688	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp	71
PID 3688 wrote to memory of 508	3688	7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp	71
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72
PID 508 wrote to memory of 1128	508	winhlp.exe	72

C:\Users\Admin\AppData\Local\Temp\7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe
"C:\Users\Admin\AppData\Local\Temp\7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\is-KAUTE.tmp\7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KAUTE.tmp\7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.tmp" /SL5="$301C2,6387055,831488,C:\Users\Admin\AppData\Local\Temp\7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Users\Admin\AppData\Roaming\winhlp.exe
    "C:\Users\Admin\AppData\Roaming\winhlp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:508
  - - C:\Windows\SysWOW64\dllhost.exe
      "C:\Windows\system32\dllhost.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:1128
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        Blocklisted process makes network request
        Drops file in Windows directory
        
        PID:1876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/508-126-0x0000000000F11000-0x0000000000F14000-memory.dmp

Filesize
12KB

Download
memory/1128-158-0x00000000042E0000-0x00000000042E8000-memory.dmp

Filesize
32KB

Download
memory/1128-159-0x00007FF9630E0000-0x00007FF9632BB000-memory.dmp

Filesize
1.9MB

Download
memory/1128-137-0x0000000077D89000-0x0000000077D8A000-memory.dmp

Filesize
4KB

Download
memory/1128-145-0x00000000028A0000-0x00000000028A2000-memory.dmp

Filesize
8KB

Download
memory/1876-166-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1876-168-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1876-171-0x0000000002F40000-0x0000000002F49000-memory.dmp

Filesize
36KB

Download
memory/1876-172-0x00007FF9630E0000-0x00007FF9632BB000-memory.dmp

Filesize
1.9MB

Download
memory/1876-198-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2176-117-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3688-120-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download