parallax | efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1

Analysis

max time kernel
70s
max time network
148s
platform
windows10_x64
resource
win10-en-20211014
submitted
21-10-2021 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe
Size

10.1MB
MD5

a65903fca5089fb8959cd9ea6c96da3b
SHA1

0937bbe1199fdca67cad8836e0b3b109aead8fb6
SHA256

efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1
SHA512

5522fed40404d9eebadf550daaa7461c49bd0f95e397cf4c6564d993306877259bd32c2ee1ee234a2e5210ee52bbc0aea8248c2f1556e77b321ebd93348f9dcd

Score

10^/10

parallax rat suricata upx

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

Processes:

resource	yara_rule
behavioral2/memory/1736-198-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

suricata: ET MALWARE Parallax CnC Response Activity M14
suricata: ET MALWARE Parallax CnC Response Activity M14
suricata
Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

30 1736 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmpwinhlp.exe

pid process

3960 efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
440 winhlp.exe

flow	pid	process
30	1736	cmd.exe

pid	process
3960	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
440	winhlp.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\winhlp.exe	upx
C:\Users\Admin\AppData\Roaming\winhlp.exe	upx

Loads dropped DLL 8 IoCs

Processes:

winhlp.exe

pid process

440 winhlp.exe
440 winhlp.exe
440 winhlp.exe
440 winhlp.exe
440 winhlp.exe
440 winhlp.exe
440 winhlp.exe
440 winhlp.exe
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\winhlp.job cmd.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

winhlp.exedllhost.exe

pid process

440 winhlp.exe
1156 dllhost.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

dllhost.exe

pid process

1156 dllhost.exe

pid	process
440	winhlp.exe
440	winhlp.exe
440	winhlp.exe
440	winhlp.exe
440	winhlp.exe
440	winhlp.exe
440	winhlp.exe
440	winhlp.exe

description	ioc	process
File created	C:\Windows\Tasks\winhlp.job	cmd.exe

pid	process
440	winhlp.exe
1156	dllhost.exe

pid	process
1156	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exeefeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmpwinhlp.exe

description	pid	process	target process
PID 3364 wrote to memory of 3960	3364	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
PID 3364 wrote to memory of 3960	3364	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
PID 3364 wrote to memory of 3960	3364	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
PID 3960 wrote to memory of 440	3960	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp	winhlp.exe
PID 3960 wrote to memory of 440	3960	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp	winhlp.exe
PID 3960 wrote to memory of 440	3960	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp	winhlp.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe
PID 440 wrote to memory of 1156	440	winhlp.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe
"C:\Users\Admin\AppData\Local\Temp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3364

C:\Users\Admin\AppData\Local\Temp\is-4KUJ3.tmp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4KUJ3.tmp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp" /SL5="$30112,9529176,831488,C:\Users\Admin\AppData\Local\Temp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960

C:\Users\Admin\AppData\Roaming\winhlp.exe
"C:\Users\Admin\AppData\Roaming\winhlp.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\system32\dllhost.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
5⤵
- Blocklisted process makes network request
- Drops file in Windows directory
PID:1736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-4KUJ3.tmp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
MD5
dd0edfde096c5acb72a52588d55a5617

SHA1
56ccbba8010cdbea9c5d195c5c5ad232a18f840b

SHA256
d4eb8f8f03146518a7d6c008f9c761270fb4b2e232bc339919a4b8c933873131

SHA512
fe410229548d7562343eb6170312d66bf98f59cc15084b008416f6fe6d38b44cbaef889de7608f9d8098c23bc46de7194783f275e6d2f80d9a1e94e166167363

Download Submit
C:\Users\Admin\AppData\Roaming\BORLNDMM.DLL
MD5
d329682a25bb2433bc05d170b8e3e9b0

SHA1
76e3a2004e5ba7f5126fac9922336f38e928d733

SHA256
b3cc3f8b65b37a807843e07c3848eba3b86f6e2d0b67c6d7cb14e9660a881618

SHA512
432f454d32622b352badabe71546e522949a83dfefdcd12dcd6992d9e57d10d13de305dc67c8993d6e90c28cabdc9d6b20829c844efe8e175cb80f51bcd407d3

Download Submit
C:\Users\Admin\AppData\Roaming\CC32220MT.DLL
MD5
cfc08b3fd01b4e96517ee75a67a59e88

SHA1
d9cb08009aa04b316486a51a38a47d59a837cbc5

SHA256
4c7ba4b43e9ef88ab0b0073d966a5923bf5d236aee0a436256fe225ffc31a5ba

SHA512
26bec56dc2748e1d88bba12c4adcd24beb48809bd6c3927155a38f0487d7ed2dcd63b783c84b8ea44e3f2e9ab8bebb1448ff3f7c5acab12e816a7a365890ecb5

Download Submit
C:\Users\Admin\AppData\Roaming\MSIMG32.dll
MD5
f956f88f284182978001f09a49381155

SHA1
41555a08de90bb0acbddfd69f61eafc07b94b759

SHA256
a0c84cfe467ef4034df6fae0ed2d10bb7454715e8cd1bb8118da1e686f06454d

SHA512
96a57034ae7e005ace67b575b14f975461a71facd1c91be5d224df387955ef865219e6cf1972c2f391e2b8b8e518ce6db3cb3eff1567c1e1dee21fea74a129ed

Download Submit
C:\Users\Admin\AppData\Roaming\rtl220.bpl
MD5
654f94911b454928dc60e6640d511e2a

SHA1
be83ffc9fdacb4fd5ee5168454a83e341ea65d61

SHA256
0082c561f3d9a41c35aa99f15be51733aced230c8ffdc6658611b51f470f855f

SHA512
fddcc9bfbb677ac12ed1e3fb4105450f3e0f31f77b00bb4427f4729967b41fbc9ebd4f89cd1d4adfc89a8481039e54e9e9600f49045b13eb07bdd542f9ecf4b6

Download Submit
C:\Users\Admin\AppData\Roaming\winhlp.exe
MD5
4939d280485bdc0ac67b49012bdcec08

SHA1
fc7d1d37b82e126d999ac8a6c5c9343363925fe6

SHA256
30b6a34230e15d9941fd4d37fe392c3306c8ef4c1de59c5c87d80068514565df

SHA512
6a175d3f71d7430479b7e21b92db07f1758a9ea63a341375107bb002df4cbfe90031a04705b560a130ce02e9eae1b51c189d93a864b0f253cdfc03ae652b1868

Download Submit
C:\Users\Admin\AppData\Roaming\winhlp.exe
MD5
4939d280485bdc0ac67b49012bdcec08

SHA1
fc7d1d37b82e126d999ac8a6c5c9343363925fe6

SHA256
30b6a34230e15d9941fd4d37fe392c3306c8ef4c1de59c5c87d80068514565df

SHA512
6a175d3f71d7430479b7e21b92db07f1758a9ea63a341375107bb002df4cbfe90031a04705b560a130ce02e9eae1b51c189d93a864b0f253cdfc03ae652b1868

Download Submit
\Users\Admin\AppData\Roaming\MSIMG32.dll
MD5
f956f88f284182978001f09a49381155

SHA1
41555a08de90bb0acbddfd69f61eafc07b94b759

SHA256
a0c84cfe467ef4034df6fae0ed2d10bb7454715e8cd1bb8118da1e686f06454d

SHA512
96a57034ae7e005ace67b575b14f975461a71facd1c91be5d224df387955ef865219e6cf1972c2f391e2b8b8e518ce6db3cb3eff1567c1e1dee21fea74a129ed

Download Submit
\Users\Admin\AppData\Roaming\MSIMG32.dll
MD5
f956f88f284182978001f09a49381155

SHA1
41555a08de90bb0acbddfd69f61eafc07b94b759

SHA256
a0c84cfe467ef4034df6fae0ed2d10bb7454715e8cd1bb8118da1e686f06454d

SHA512
96a57034ae7e005ace67b575b14f975461a71facd1c91be5d224df387955ef865219e6cf1972c2f391e2b8b8e518ce6db3cb3eff1567c1e1dee21fea74a129ed

Download Submit
\Users\Admin\AppData\Roaming\borlndmm.dll
MD5
d329682a25bb2433bc05d170b8e3e9b0

SHA1
76e3a2004e5ba7f5126fac9922336f38e928d733

SHA256
b3cc3f8b65b37a807843e07c3848eba3b86f6e2d0b67c6d7cb14e9660a881618

SHA512
432f454d32622b352badabe71546e522949a83dfefdcd12dcd6992d9e57d10d13de305dc67c8993d6e90c28cabdc9d6b20829c844efe8e175cb80f51bcd407d3

Download Submit
\Users\Admin\AppData\Roaming\cc32220mt.dll
MD5
cfc08b3fd01b4e96517ee75a67a59e88

SHA1
d9cb08009aa04b316486a51a38a47d59a837cbc5

SHA256
4c7ba4b43e9ef88ab0b0073d966a5923bf5d236aee0a436256fe225ffc31a5ba

SHA512
26bec56dc2748e1d88bba12c4adcd24beb48809bd6c3927155a38f0487d7ed2dcd63b783c84b8ea44e3f2e9ab8bebb1448ff3f7c5acab12e816a7a365890ecb5

Download Submit
\Users\Admin\AppData\Roaming\rtl220.bpl
MD5
654f94911b454928dc60e6640d511e2a

SHA1
be83ffc9fdacb4fd5ee5168454a83e341ea65d61

SHA256
0082c561f3d9a41c35aa99f15be51733aced230c8ffdc6658611b51f470f855f

SHA512
fddcc9bfbb677ac12ed1e3fb4105450f3e0f31f77b00bb4427f4729967b41fbc9ebd4f89cd1d4adfc89a8481039e54e9e9600f49045b13eb07bdd542f9ecf4b6

Download Submit
\Users\Admin\AppData\Roaming\rtl220.bpl
MD5
654f94911b454928dc60e6640d511e2a

SHA1
be83ffc9fdacb4fd5ee5168454a83e341ea65d61

SHA256
0082c561f3d9a41c35aa99f15be51733aced230c8ffdc6658611b51f470f855f

SHA512
fddcc9bfbb677ac12ed1e3fb4105450f3e0f31f77b00bb4427f4729967b41fbc9ebd4f89cd1d4adfc89a8481039e54e9e9600f49045b13eb07bdd542f9ecf4b6

Download Submit
\Users\Admin\AppData\Roaming\rtl220.bpl
MD5
654f94911b454928dc60e6640d511e2a

SHA1
be83ffc9fdacb4fd5ee5168454a83e341ea65d61

SHA256
0082c561f3d9a41c35aa99f15be51733aced230c8ffdc6658611b51f470f855f

SHA512
fddcc9bfbb677ac12ed1e3fb4105450f3e0f31f77b00bb4427f4729967b41fbc9ebd4f89cd1d4adfc89a8481039e54e9e9600f49045b13eb07bdd542f9ecf4b6

Download Submit
\Users\Admin\AppData\Roaming\rtl220.bpl
MD5
654f94911b454928dc60e6640d511e2a

SHA1
be83ffc9fdacb4fd5ee5168454a83e341ea65d61

SHA256
0082c561f3d9a41c35aa99f15be51733aced230c8ffdc6658611b51f470f855f

SHA512
fddcc9bfbb677ac12ed1e3fb4105450f3e0f31f77b00bb4427f4729967b41fbc9ebd4f89cd1d4adfc89a8481039e54e9e9600f49045b13eb07bdd542f9ecf4b6

Download Submit
memory/440-121-0x0000000000000000-mapping.dmp

Download
memory/440-126-0x0000000000F91000-0x0000000000F94000-memory.dmp

Filesize
12KB

Download
memory/1156-158-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/1156-159-0x00007FFF31420000-0x00007FFF315FB000-memory.dmp

Filesize
1.9MB

Download
memory/1156-136-0x0000000000000000-mapping.dmp

Download
memory/1156-137-0x0000000077579000-0x000000007757A000-memory.dmp

Filesize
4KB

Download
memory/1156-141-0x0000000000860000-0x0000000000862000-memory.dmp

Filesize
8KB

Download
memory/1736-166-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/1736-164-0x0000000000000000-mapping.dmp

Download
memory/1736-168-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/1736-171-0x0000000003240000-0x0000000003249000-memory.dmp

Filesize
36KB

Download
memory/1736-172-0x00007FFF31420000-0x00007FFF315FB000-memory.dmp

Filesize
1.9MB

Download
memory/1736-198-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3364-119-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3960-117-0x0000000000000000-mapping.dmp

Download
memory/3960-120-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download