parallax | efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1

Analysis

max time kernel
70s
max time network
148s
platform
windows10_x64
resource
win10-en-20211014
submitted
21-10-2021 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe
Size

10.1MB
MD5

a65903fca5089fb8959cd9ea6c96da3b
SHA1

0937bbe1199fdca67cad8836e0b3b109aead8fb6
SHA256

efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1
SHA512

5522fed40404d9eebadf550daaa7461c49bd0f95e397cf4c6564d993306877259bd32c2ee1ee234a2e5210ee52bbc0aea8248c2f1556e77b321ebd93348f9dcd

Score

10^/10

parallax rat suricata upx

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/1736-198-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

suricata: ET MALWARE Parallax CnC Response Activity M14
suricata: ET MALWARE Parallax CnC Response Activity M14
suricata

Blocklisted process makes network request 1 IoCs

flow	pid	Process
30	1736	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3960	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
440	winhlp.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000500000001aba9-122.dat	upx
behavioral2/files/0x000500000001aba9-197.dat	upx

Loads dropped DLL 8 IoCs

pid	Process
440	winhlp.exe
440	winhlp.exe
440	winhlp.exe
440	winhlp.exe
440	winhlp.exe
440	winhlp.exe
440	winhlp.exe
440	winhlp.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\winhlp.job	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
440	winhlp.exe
1156	dllhost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1156	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 3960	3364	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe	68
PID 3364 wrote to memory of 3960	3364	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe	68
PID 3364 wrote to memory of 3960	3364	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe	68
PID 3960 wrote to memory of 440	3960	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp	69
PID 3960 wrote to memory of 440	3960	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp	69
PID 3960 wrote to memory of 440	3960	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp	69
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70
PID 440 wrote to memory of 1156	440	winhlp.exe	70

C:\Users\Admin\AppData\Local\Temp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe
"C:\Users\Admin\AppData\Local\Temp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Users\Admin\AppData\Local\Temp\is-4KUJ3.tmp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4KUJ3.tmp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp" /SL5="$30112,9529176,831488,C:\Users\Admin\AppData\Local\Temp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Users\Admin\AppData\Roaming\winhlp.exe
    "C:\Users\Admin\AppData\Roaming\winhlp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:440
  - - C:\Windows\SysWOW64\dllhost.exe
      "C:\Windows\system32\dllhost.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:1156
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        Blocklisted process makes network request
        Drops file in Windows directory
        
        PID:1736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/440-126-0x0000000000F91000-0x0000000000F94000-memory.dmp

Filesize
12KB

Download
memory/1156-158-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/1156-159-0x00007FFF31420000-0x00007FFF315FB000-memory.dmp

Filesize
1.9MB

Download
memory/1156-137-0x0000000077579000-0x000000007757A000-memory.dmp

Filesize
4KB

Download
memory/1156-141-0x0000000000860000-0x0000000000862000-memory.dmp

Filesize
8KB

Download
memory/1736-166-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/1736-168-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/1736-171-0x0000000003240000-0x0000000003249000-memory.dmp

Filesize
36KB

Download
memory/1736-172-0x00007FFF31420000-0x00007FFF315FB000-memory.dmp

Filesize
1.9MB

Download
memory/1736-198-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3364-119-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3960-120-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download