Analysis
- max time kernel: 70s
- max time network: 148s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 21-10-2021 10:21
Static task: static1
Behavioral task: behavioral1
Sample: efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe
Resource: win7-en-20210920
General
- Target: efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe
- Size: 10.1MB
- MD5: a65903fca5089fb8959cd9ea6c96da3b
- SHA1: 0937bbe1199fdca67cad8836e0b3b109aead8fb6
- SHA256: efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1
- SHA512: 5522fed40404d9eebadf550daaa7461c49bd0f95e397cf4c6564d993306877259bd32c2ee1ee234a2e5210ee52bbc0aea8248c2f1556e77b321ebd93348f9dcd
Malware Config
Signatures
- ParallaxRat payload (1 IoC)
  Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.
  Processes:
    resource: behavioral2/memory/1736-198-0x0000000000400000-0x0000000000424000-memory.dmp | yara_rule: parallax_rat
- suricata: ET MALWARE Parallax CnC Response Activity M14
- suricata: ET MALWARE Parallax CnC Response Activity M14
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow: 30 | pid: 1736 | process: cmd.exe
- Executes dropped EXE (2 IoCs)
  Processes:
    pid: 3960 | process: efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
    pid: 440 | process: winhlp.exe
- Processes:
    resource: C:\Users\Admin\AppData\Roaming\winhlp.exe | yara_rule: upx
    resource: C:\Users\Admin\AppData\Roaming\winhlp.exe | yara_rule: upx
- Loads dropped DLL (8 IoCs)
  Processes:
    pid: 440 | process: winhlp.exe (8 entries)
- Drops file in Windows directory (1 IoC)
  Processes:
    description: File created | ioc: C:\Windows\Tasks\winhlp.job | process: cmd.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid: 440 | process: winhlp.exe
    pid: 1156 | process: dllhost.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid: 1156 | process: dllhost.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
    description: PID 3364 wrote to memory of 3960 | pid: 3364 | process: efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe | target process: efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp (3 entries)
    description: PID 3960 wrote to memory of 440 | pid: 3960 | process: efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp | target process: winhlp.exe (3 entries)
    description: PID 440 wrote to memory of 1156 | pid: 440 | process: winhlp.exe | target process: dllhost.exe (all remaining entries, 58 of 64)
Processes
1. C:\Users\Admin\AppData\Local\Temp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\is-4KUJ3.tmp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-4KUJ3.tmp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp" /SL5="$30112,9529176,831488,C:\Users\Admin\AppData\Local\Temp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\winhlp.exe
         Command line: "C:\Users\Admin\AppData\Roaming\winhlp.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\dllhost.exe
            Command line: "C:\Windows\system32\dllhost.exe"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            5. C:\Windows\SysWOW64\cmd.exe
               Command line: "C:\Windows\system32\cmd.exe"
               - Blocklisted process makes network request
               - Drops file in Windows directory
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\is-4KUJ3.tmp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
  MD5: dd0edfde096c5acb72a52588d55a5617
  SHA1: 56ccbba8010cdbea9c5d195c5c5ad232a18f840b
  SHA256: d4eb8f8f03146518a7d6c008f9c761270fb4b2e232bc339919a4b8c933873131
  SHA512: fe410229548d7562343eb6170312d66bf98f59cc15084b008416f6fe6d38b44cbaef889de7608f9d8098c23bc46de7194783f275e6d2f80d9a1e94e166167363
- C:\Users\Admin\AppData\Roaming\BORLNDMM.DLL
  MD5: d329682a25bb2433bc05d170b8e3e9b0
  SHA1: 76e3a2004e5ba7f5126fac9922336f38e928d733
  SHA256: b3cc3f8b65b37a807843e07c3848eba3b86f6e2d0b67c6d7cb14e9660a881618
  SHA512: 432f454d32622b352badabe71546e522949a83dfefdcd12dcd6992d9e57d10d13de305dc67c8993d6e90c28cabdc9d6b20829c844efe8e175cb80f51bcd407d3
- C:\Users\Admin\AppData\Roaming\CC32220MT.DLL
  MD5: cfc08b3fd01b4e96517ee75a67a59e88
  SHA1: d9cb08009aa04b316486a51a38a47d59a837cbc5
  SHA256: 4c7ba4b43e9ef88ab0b0073d966a5923bf5d236aee0a436256fe225ffc31a5ba
  SHA512: 26bec56dc2748e1d88bba12c4adcd24beb48809bd6c3927155a38f0487d7ed2dcd63b783c84b8ea44e3f2e9ab8bebb1448ff3f7c5acab12e816a7a365890ecb5
- C:\Users\Admin\AppData\Roaming\MSIMG32.dll
  MD5: f956f88f284182978001f09a49381155
  SHA1: 41555a08de90bb0acbddfd69f61eafc07b94b759
  SHA256: a0c84cfe467ef4034df6fae0ed2d10bb7454715e8cd1bb8118da1e686f06454d
  SHA512: 96a57034ae7e005ace67b575b14f975461a71facd1c91be5d224df387955ef865219e6cf1972c2f391e2b8b8e518ce6db3cb3eff1567c1e1dee21fea74a129ed
- C:\Users\Admin\AppData\Roaming\rtl220.bpl
  MD5: 654f94911b454928dc60e6640d511e2a
  SHA1: be83ffc9fdacb4fd5ee5168454a83e341ea65d61
  SHA256: 0082c561f3d9a41c35aa99f15be51733aced230c8ffdc6658611b51f470f855f
  SHA512: fddcc9bfbb677ac12ed1e3fb4105450f3e0f31f77b00bb4427f4729967b41fbc9ebd4f89cd1d4adfc89a8481039e54e9e9600f49045b13eb07bdd542f9ecf4b6
- C:\Users\Admin\AppData\Roaming\winhlp.exe
  MD5: 4939d280485bdc0ac67b49012bdcec08
  SHA1: fc7d1d37b82e126d999ac8a6c5c9343363925fe6
  SHA256: 30b6a34230e15d9941fd4d37fe392c3306c8ef4c1de59c5c87d80068514565df
  SHA512: 6a175d3f71d7430479b7e21b92db07f1758a9ea63a341375107bb002df4cbfe90031a04705b560a130ce02e9eae1b51c189d93a864b0f253cdfc03ae652b1868
- C:\Users\Admin\AppData\Roaming\winhlp.exe
  MD5: 4939d280485bdc0ac67b49012bdcec08
  SHA1: fc7d1d37b82e126d999ac8a6c5c9343363925fe6
  SHA256: 30b6a34230e15d9941fd4d37fe392c3306c8ef4c1de59c5c87d80068514565df
  SHA512: 6a175d3f71d7430479b7e21b92db07f1758a9ea63a341375107bb002df4cbfe90031a04705b560a130ce02e9eae1b51c189d93a864b0f253cdfc03ae652b1868
- \Users\Admin\AppData\Roaming\MSIMG32.dll
  MD5: f956f88f284182978001f09a49381155
  SHA1: 41555a08de90bb0acbddfd69f61eafc07b94b759
  SHA256: a0c84cfe467ef4034df6fae0ed2d10bb7454715e8cd1bb8118da1e686f06454d
  SHA512: 96a57034ae7e005ace67b575b14f975461a71facd1c91be5d224df387955ef865219e6cf1972c2f391e2b8b8e518ce6db3cb3eff1567c1e1dee21fea74a129ed
- \Users\Admin\AppData\Roaming\MSIMG32.dll
  MD5: f956f88f284182978001f09a49381155
  SHA1: 41555a08de90bb0acbddfd69f61eafc07b94b759
  SHA256: a0c84cfe467ef4034df6fae0ed2d10bb7454715e8cd1bb8118da1e686f06454d
  SHA512: 96a57034ae7e005ace67b575b14f975461a71facd1c91be5d224df387955ef865219e6cf1972c2f391e2b8b8e518ce6db3cb3eff1567c1e1dee21fea74a129ed
- \Users\Admin\AppData\Roaming\borlndmm.dll
  MD5: d329682a25bb2433bc05d170b8e3e9b0
  SHA1: 76e3a2004e5ba7f5126fac9922336f38e928d733
  SHA256: b3cc3f8b65b37a807843e07c3848eba3b86f6e2d0b67c6d7cb14e9660a881618
  SHA512: 432f454d32622b352badabe71546e522949a83dfefdcd12dcd6992d9e57d10d13de305dc67c8993d6e90c28cabdc9d6b20829c844efe8e175cb80f51bcd407d3
- \Users\Admin\AppData\Roaming\cc32220mt.dll
  MD5: cfc08b3fd01b4e96517ee75a67a59e88
  SHA1: d9cb08009aa04b316486a51a38a47d59a837cbc5
  SHA256: 4c7ba4b43e9ef88ab0b0073d966a5923bf5d236aee0a436256fe225ffc31a5ba
  SHA512: 26bec56dc2748e1d88bba12c4adcd24beb48809bd6c3927155a38f0487d7ed2dcd63b783c84b8ea44e3f2e9ab8bebb1448ff3f7c5acab12e816a7a365890ecb5
- \Users\Admin\AppData\Roaming\rtl220.bpl
  MD5: 654f94911b454928dc60e6640d511e2a
  SHA1: be83ffc9fdacb4fd5ee5168454a83e341ea65d61
  SHA256: 0082c561f3d9a41c35aa99f15be51733aced230c8ffdc6658611b51f470f855f
  SHA512: fddcc9bfbb677ac12ed1e3fb4105450f3e0f31f77b00bb4427f4729967b41fbc9ebd4f89cd1d4adfc89a8481039e54e9e9600f49045b13eb07bdd542f9ecf4b6
- \Users\Admin\AppData\Roaming\rtl220.bpl
  MD5: 654f94911b454928dc60e6640d511e2a
  SHA1: be83ffc9fdacb4fd5ee5168454a83e341ea65d61
  SHA256: 0082c561f3d9a41c35aa99f15be51733aced230c8ffdc6658611b51f470f855f
  SHA512: fddcc9bfbb677ac12ed1e3fb4105450f3e0f31f77b00bb4427f4729967b41fbc9ebd4f89cd1d4adfc89a8481039e54e9e9600f49045b13eb07bdd542f9ecf4b6
- \Users\Admin\AppData\Roaming\rtl220.bpl
  MD5: 654f94911b454928dc60e6640d511e2a
  SHA1: be83ffc9fdacb4fd5ee5168454a83e341ea65d61
  SHA256: 0082c561f3d9a41c35aa99f15be51733aced230c8ffdc6658611b51f470f855f
  SHA512: fddcc9bfbb677ac12ed1e3fb4105450f3e0f31f77b00bb4427f4729967b41fbc9ebd4f89cd1d4adfc89a8481039e54e9e9600f49045b13eb07bdd542f9ecf4b6
- \Users\Admin\AppData\Roaming\rtl220.bpl
  MD5: 654f94911b454928dc60e6640d511e2a
  SHA1: be83ffc9fdacb4fd5ee5168454a83e341ea65d61
  SHA256: 0082c561f3d9a41c35aa99f15be51733aced230c8ffdc6658611b51f470f855f
  SHA512: fddcc9bfbb677ac12ed1e3fb4105450f3e0f31f77b00bb4427f4729967b41fbc9ebd4f89cd1d4adfc89a8481039e54e9e9600f49045b13eb07bdd542f9ecf4b6
memory/440-121-0x0000000000000000-mapping.dmp
-
memory/440-126-0x0000000000F91000-0x0000000000F94000-memory.dmpFilesize
12KB
-
memory/1156-158-0x0000000000B00000-0x0000000000B08000-memory.dmpFilesize
32KB
-
memory/1156-159-0x00007FFF31420000-0x00007FFF315FB000-memory.dmpFilesize
1.9MB
-
memory/1156-136-0x0000000000000000-mapping.dmp
-
memory/1156-137-0x0000000077579000-0x000000007757A000-memory.dmpFilesize
4KB
-
memory/1156-141-0x0000000000860000-0x0000000000862000-memory.dmpFilesize
8KB
-
memory/1736-166-0x0000000000E10000-0x0000000000E11000-memory.dmpFilesize
4KB
-
memory/1736-164-0x0000000000000000-mapping.dmp
-
memory/1736-168-0x0000000000E10000-0x0000000000E11000-memory.dmpFilesize
4KB
-
memory/1736-171-0x0000000003240000-0x0000000003249000-memory.dmpFilesize
36KB
-
memory/1736-172-0x00007FFF31420000-0x00007FFF315FB000-memory.dmpFilesize
1.9MB
-
memory/1736-198-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/3364-119-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/3960-117-0x0000000000000000-mapping.dmp
-
memory/3960-120-0x0000000000950000-0x0000000000951000-memory.dmpFilesize
4KB