parallax | ffec3bddbb7b0af2ea2ba4cef9756b43adb1fdac458fd14b122ef1aefa5aa15b

Analysis

Target

ffec3bddbb7b0af2ea2ba4cef9756b43adb1fdac458fd14b122ef1aefa5aa15b.exe
Size

3.4MB
MD5

67e5b0d33aa3e8e3a88fc6281b7ffd6a
SHA1

7fd03b78bad33ef23c2ae255188385c4ac071ae7
SHA256

ffec3bddbb7b0af2ea2ba4cef9756b43adb1fdac458fd14b122ef1aefa5aa15b
SHA512

c3f1cda6c59583ebf0b991b066904866cbc68f08aedc8a5c5aa04d08d408d514a22080abb658bca732a10c0fe49cb0cedebfe57125671b479d9c25266ac303a0

Score

10^/10

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/1424-4-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
644	ffec3bddbb7b0af2ea2ba4cef9756b43adb1fdac458fd14b122ef1aefa5aa15b.exe
644	ffec3bddbb7b0af2ea2ba4cef9756b43adb1fdac458fd14b122ef1aefa5aa15b.exe
644	ffec3bddbb7b0af2ea2ba4cef9756b43adb1fdac458fd14b122ef1aefa5aa15b.exe
644	ffec3bddbb7b0af2ea2ba4cef9756b43adb1fdac458fd14b122ef1aefa5aa15b.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
644	ffec3bddbb7b0af2ea2ba4cef9756b43adb1fdac458fd14b122ef1aefa5aa15b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
644	ffec3bddbb7b0af2ea2ba4cef9756b43adb1fdac458fd14b122ef1aefa5aa15b.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 1424	644	ffec3bddbb7b0af2ea2ba4cef9756b43adb1fdac458fd14b122ef1aefa5aa15b.exe	78
PID 644 wrote to memory of 1424	644	ffec3bddbb7b0af2ea2ba4cef9756b43adb1fdac458fd14b122ef1aefa5aa15b.exe	78
PID 644 wrote to memory of 1424	644	ffec3bddbb7b0af2ea2ba4cef9756b43adb1fdac458fd14b122ef1aefa5aa15b.exe	78
PID 644 wrote to memory of 1424	644	ffec3bddbb7b0af2ea2ba4cef9756b43adb1fdac458fd14b122ef1aefa5aa15b.exe	78
PID 644 wrote to memory of 1424	644	ffec3bddbb7b0af2ea2ba4cef9756b43adb1fdac458fd14b122ef1aefa5aa15b.exe	78
PID 644 wrote to memory of 1424	644	ffec3bddbb7b0af2ea2ba4cef9756b43adb1fdac458fd14b122ef1aefa5aa15b.exe	78
PID 644 wrote to memory of 1424	644	ffec3bddbb7b0af2ea2ba4cef9756b43adb1fdac458fd14b122ef1aefa5aa15b.exe	78

C:\Users\Admin\AppData\Local\Temp\ffec3bddbb7b0af2ea2ba4cef9756b43adb1fdac458fd14b122ef1aefa5aa15b.exe
"C:\Users\Admin\AppData\Local\Temp\ffec3bddbb7b0af2ea2ba4cef9756b43adb1fdac458fd14b122ef1aefa5aa15b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:644
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1424

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1424-4-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1424-3-0x0000000003280000-0x0000000003282000-memory.dmp

Filesize
8KB

Download