parallax | c8a0556f803e6e456cfea037885f007dba3b69287459562324460829c57380b7

Analysis

Target

c8a0556f803e6e456cfea037885f007dba3b69287459562324460829c57380b7.exe
Size

3.3MB
MD5

1b99a6a9c0905e6d87ead147a5ca11ce
SHA1

abff2d68a4ffa3a60b89a62e5aed2e9251c864c8
SHA256

c8a0556f803e6e456cfea037885f007dba3b69287459562324460829c57380b7
SHA512

3ec41b43e4eed9d02b49228ca6470fc8038c033a7ae4d8b4197ef9807872de1d99fa9e486d5397edb140b05ae529c772d080c284f77ab43be644751d30440472

Score

10^/10

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/628-6-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1732	c8a0556f803e6e456cfea037885f007dba3b69287459562324460829c57380b7.exe
1732	c8a0556f803e6e456cfea037885f007dba3b69287459562324460829c57380b7.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1732	c8a0556f803e6e456cfea037885f007dba3b69287459562324460829c57380b7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1732	c8a0556f803e6e456cfea037885f007dba3b69287459562324460829c57380b7.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 628	1732	c8a0556f803e6e456cfea037885f007dba3b69287459562324460829c57380b7.exe	29
PID 1732 wrote to memory of 628	1732	c8a0556f803e6e456cfea037885f007dba3b69287459562324460829c57380b7.exe	29
PID 1732 wrote to memory of 628	1732	c8a0556f803e6e456cfea037885f007dba3b69287459562324460829c57380b7.exe	29
PID 1732 wrote to memory of 628	1732	c8a0556f803e6e456cfea037885f007dba3b69287459562324460829c57380b7.exe	29
PID 1732 wrote to memory of 628	1732	c8a0556f803e6e456cfea037885f007dba3b69287459562324460829c57380b7.exe	29
PID 1732 wrote to memory of 628	1732	c8a0556f803e6e456cfea037885f007dba3b69287459562324460829c57380b7.exe	29
PID 1732 wrote to memory of 628	1732	c8a0556f803e6e456cfea037885f007dba3b69287459562324460829c57380b7.exe	29
PID 1732 wrote to memory of 628	1732	c8a0556f803e6e456cfea037885f007dba3b69287459562324460829c57380b7.exe	29

C:\Users\Admin\AppData\Local\Temp\c8a0556f803e6e456cfea037885f007dba3b69287459562324460829c57380b7.exe
"C:\Users\Admin\AppData\Local\Temp\c8a0556f803e6e456cfea037885f007dba3b69287459562324460829c57380b7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:628

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/628-5-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/628-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1732-2-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download