parallax | 5346d8a0c2bba4d4f5f5c336958bc5ca5c797649df51a815bafcdc619bc07a9e

Analysis

Target

5346d8a0c2bba4d4f5f5c336958bc5ca5c797649df51a815bafcdc619bc07a9e.exe
Size

3.2MB
MD5

235cf4eadffa7d35733b7d23ae9baf1b
SHA1

f24d2f1d22247e7c3aa292914255a8cd9bc3add0
SHA256

5346d8a0c2bba4d4f5f5c336958bc5ca5c797649df51a815bafcdc619bc07a9e
SHA512

7ce48e3923f93379b8c41959bf5c5ae8ad85ee7c100aa216dac3b798f3613a27dcb00da18ca81655c6af78afb4f863bc8fb5fe94ddf87f75d64e9efcf3aa21de

Score

10^/10

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/2028-4-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
580	5346d8a0c2bba4d4f5f5c336958bc5ca5c797649df51a815bafcdc619bc07a9e.exe
580	5346d8a0c2bba4d4f5f5c336958bc5ca5c797649df51a815bafcdc619bc07a9e.exe
580	5346d8a0c2bba4d4f5f5c336958bc5ca5c797649df51a815bafcdc619bc07a9e.exe
580	5346d8a0c2bba4d4f5f5c336958bc5ca5c797649df51a815bafcdc619bc07a9e.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
580	5346d8a0c2bba4d4f5f5c336958bc5ca5c797649df51a815bafcdc619bc07a9e.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
580	5346d8a0c2bba4d4f5f5c336958bc5ca5c797649df51a815bafcdc619bc07a9e.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 580 wrote to memory of 2028	580	5346d8a0c2bba4d4f5f5c336958bc5ca5c797649df51a815bafcdc619bc07a9e.exe	78
PID 580 wrote to memory of 2028	580	5346d8a0c2bba4d4f5f5c336958bc5ca5c797649df51a815bafcdc619bc07a9e.exe	78
PID 580 wrote to memory of 2028	580	5346d8a0c2bba4d4f5f5c336958bc5ca5c797649df51a815bafcdc619bc07a9e.exe	78
PID 580 wrote to memory of 2028	580	5346d8a0c2bba4d4f5f5c336958bc5ca5c797649df51a815bafcdc619bc07a9e.exe	78
PID 580 wrote to memory of 2028	580	5346d8a0c2bba4d4f5f5c336958bc5ca5c797649df51a815bafcdc619bc07a9e.exe	78
PID 580 wrote to memory of 2028	580	5346d8a0c2bba4d4f5f5c336958bc5ca5c797649df51a815bafcdc619bc07a9e.exe	78
PID 580 wrote to memory of 2028	580	5346d8a0c2bba4d4f5f5c336958bc5ca5c797649df51a815bafcdc619bc07a9e.exe	78

C:\Users\Admin\AppData\Local\Temp\5346d8a0c2bba4d4f5f5c336958bc5ca5c797649df51a815bafcdc619bc07a9e.exe
"C:\Users\Admin\AppData\Local\Temp\5346d8a0c2bba4d4f5f5c336958bc5ca5c797649df51a815bafcdc619bc07a9e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2028

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2028-4-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2028-3-0x00000000032F0000-0x00000000032F2000-memory.dmp

Filesize
8KB

Download