Analysis

max time kernel: 150s
max time network: 151s
platform: windows10_x64
resource: win10v20201028
submitted: 01-02-2021 13:29
Static task: static1

Behavioral task: behavioral1
Sample: Protogent.exe
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: Protogent.exe
Resource: win10v20201028 (windows10_x64)
0 signatures, 0 seconds

(The "0 signatures, 0 seconds" figures are the task summaries as rendered on the page. The Signatures section below was produced by behavioral2, the Windows 10 run, as the memory-dump resource path in the ParallaxRat hit shows.)
General

Target: Protogent.exe
Size: 1.9MB
MD5: 5431a710d8a0c6bc319125ea7c40efd1
SHA1: ae52c3ea465ced7137948a7be6630231affb94a0
SHA256: 1c10a7cf57b58de1cb5d0a6e1369a2cf5dd74fc1593c45b991dde7605ff01486
SHA512: 80910c4f85f680877cf59a5ceaea703a459636dd9e473febff1d35c3c0dc5405099ce604b0a9b98847b78b0b7b550b007fdb19a2ed7ab08f9587fdb30724d727
Score: 10/10
Malware Config
Signatures
-
ParallaxRat payload (1 IoC)
Detects payload of Parallax Rat, a small portable RAT usually digitally signed with a Sectigo certificate.
resource | yara_rule
behavioral2/memory/792-7-0x0000000000400000-0x0000000000424000-memory.dmp | parallax_rat

Note: the rule matched a memory dump taken from PID 792 (rundll32.exe), covering 0x400000-0x424000 (0x24000 bytes, 144 KiB), not the file on disk. The hashes in the General section identify the dropper as submitted; the unpacked payload that this rule detects exists only inside the injected process.
Blocklisted process makes network request (99 IoCs)
flow | pid | Process
11 | 792 | rundll32.exe (99 identical rows)

All 99 requests come from PID 792 over the same flow id (11). The flow id refers to the network section of the full report, which is not included on this page, so no destination host or port can be read from this excerpt.
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Protogent.exe | DllHost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Protogent.exe | DllHost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The signature's generic description calls this "likely ransomware behaviour"; that is the rule's wording, not a verdict on this sample. Here the payload detection is Parallax RAT, so read this as a generic drive-enumeration indicator rather than evidence of encryption activity.
Suspicious behavior: EnumeratesProcesses (42 IoCs)
pid | Process
3636 | Protogent.exe (42 identical rows)
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 3636 wrote to memory of 792 | 3636 | Protogent.exe | 76 (15 identical rows)

Every write goes from the sample (PID 3636) into PID 792, the rundll32.exe instance that the YARA rule and the network-request signature both point at. The procid_target column (76) is the report's own process identifier, distinct from the OS PID 792 named in the description.
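Added example, not part of the sandbox report: a small Python parser for the flattened signature rows above that ties the three pid-bearing signatures (WriteProcessMemory, network requests, the YARA memory hit) to one process. The row text is copied from the report; the regular expressions, the dump-name format, the 0x400000 default-image-base heuristic and all field names are this example's own assumptions, not the sandbox's schema.

```python
import re
from collections import Counter

# Rows copied from this report. The page renders each signature table as one
# whitespace-flattened line; the report shows the WriteProcessMemory row 15
# times and the network-request row 99 times, which the multiplication below
# reproduces verbatim.
WPM_ROWS = ("PID 3636 wrote to memory of 792 3636 Protogent.exe 76 " * 15).strip()
NET_ROWS = ("11 792 rundll32.exe " * 99).strip()
DUMP = "behavioral2/memory/792-7-0x0000000000400000-0x0000000000424000-memory.dmp"

# Column order follows the report headers:
#   description pid Process procid_target      and      flow pid Process
WPM_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
NET_ROW = re.compile(r"(\d+) (\d+) (\S+)")
# Assumed dump-name layout: <pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_NAME = re.compile(r"(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")

# Default image base of a 32-bit PE. Triage heuristic (assumption): a dump that
# starts here looks like a whole replaced image rather than a side buffer.
DEFAULT_IMAGE_BASE_32 = 0x400000


def parse_writes(text):
    """WriteProcessMemory rows -> list of {source, target, process, procid_target}."""
    return [
        {"source": int(src), "target": int(dst), "process": proc, "procid_target": int(pt)}
        for src, dst, _pid, proc, pt in WPM_ROW.findall(text)
    ]


def parse_network(text):
    """Network-request rows -> list of {flow, pid, process}."""
    return [
        {"flow": int(flow), "pid": int(pid), "process": proc}
        for flow, pid, proc in NET_ROW.findall(text)
    ]


def parse_dump(name):
    """Memory-dump resource name -> owning pid and the dumped region."""
    m = DUMP_NAME.search(name)
    if m is None:
        raise ValueError("unrecognised dump name: %s" % name)
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    return {
        "pid": int(m.group(1)),
        "index": int(m.group(2)),
        "start": start,
        "end": end,
        "size": end - start,
        "at_default_image_base": start == DEFAULT_IMAGE_BASE_32,
    }


def correlate(writes, net, dump):
    """Tie the three signatures together around the process the YARA rule hit."""
    injected = dump["pid"]
    targets = Counter(w["target"] for w in writes)
    net_by_pid = Counter(n["pid"] for n in net)
    return {
        "injected_pid": injected,
        "injector_pids": sorted({w["source"] for w in writes if w["target"] == injected}),
        "write_events": targets[injected],
        "network_events": net_by_pid[injected],
        "network_process": sorted({n["process"] for n in net if n["pid"] == injected}),
        "payload_region_size": dump["size"],
        "payload_at_image_base": dump["at_default_image_base"],
        # All three signatures name the same pid: written into by another
        # process, holding the detected payload, and originating the traffic.
        "chain_consistent": injected in targets and injected in net_by_pid,
    }


if __name__ == "__main__":
    summary = correlate(parse_writes(WPM_ROWS), parse_network(NET_ROWS), parse_dump(DUMP))
    for key, value in summary.items():
        print("%-22s %s" % (key, value))
```

The same parser works on any report whose signature tables flatten to the same column order; the `chain_consistent` flag is the one-line answer to "is the process that talks to the network the one that was injected into".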
Processes

C:\Users\Admin\AppData\Local\Temp\Protogent.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Protogent.exe"
  PID: 3636
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe
       command line: "C:\Users\Admin\AppData\Local\Temp\Protogent.exe"
       PID: 792
       - Blocklisted process makes network request

C:\Windows\SysWOW64\DllHost.exe
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
  PID: 3568
  - Drops startup file

Two things in this tree are worth a second look. The child rundll32.exe (PID 792) carries the parent's own path as its command line rather than a DLL,EntryPoint pair, and it is the process that PID 3636 wrote into 15 times, that holds the Parallax RAT payload at 0x400000, and that makes all 99 network requests; taken together this is consistent with the sample starting a 32-bit rundll32.exe and replacing its image with the unpacked payload. DllHost.exe (PID 3568) appears as a separate top-level COM surrogate and is the process credited with writing the copy of Protogent.exe into the user's Startup folder, so the persistence artifact will not show the sample as its creating process.
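Added example, not part of the sandbox report: Python detection logic for the three behaviours the process tree and signatures show, run over Sysmon-style events. The events are constructed for this example (field names follow Sysmon's ProcessCreate, NetworkConnect, ProcessAccess and FileCreate events, but values such as the benign rundll32 line and the GrantedAccess mask are assumptions, and the report's destination hosts are unknown so the NetworkConnect event carries none). The rules themselves are heuristics written for this page, not the sandbox's own signatures.

```python
import ntpath  # Windows path handling regardless of the host OS

# Constructed events mirroring the report's process tree: Protogent.exe (3636)
# spawns rundll32.exe (792) with the parent's own path as command line, 3636
# opens 792 with write access, 792 then connects out, and DllHost.exe (3568)
# creates the Startup-folder copy. The final event is an assumed benign
# rundll32 invocation included to show the rule does not fire on normal use.
# Sysmon EventIDs: 1 ProcessCreate, 3 NetworkConnect, 10 ProcessAccess, 11 FileCreate.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

EVENTS = [
    {"EventID": 1, "ProcessId": 3636, "Image": TEMP + r"\Protogent.exe",
     "CommandLine": '"%s\\Protogent.exe"' % TEMP},
    {"EventID": 1, "ProcessId": 792, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": '"%s\\Protogent.exe"' % TEMP, "ParentImage": TEMP + r"\Protogent.exe"},
    {"EventID": 10, "SourceProcessId": 3636, "TargetProcessId": 792, "GrantedAccess": 0x1FFFFF},
    {"EventID": 3, "ProcessId": 792, "Image": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"EventID": 11, "ProcessId": 3568, "Image": r"C:\Windows\SysWOW64\DllHost.exe",
     "TargetFilename": STARTUP + r"\Protogent.exe"},
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

PROCESS_VM_WRITE = 0x0020  # access right WriteProcessMemory needs on the target


def argv0(cmdline):
    """First token of a Windows command line, honouring a quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.find('"', 1)]
    return cmdline.split(" ", 1)[0]


def rundll32_cmdline_mismatch(ev):
    """rundll32.exe whose command line is not a rundll32 invocation.

    Heuristic: a genuine launch names rundll32 as its first token and passes
    a <dll>,<EntryPoint> pair, so the line contains a comma. A first token
    that is some other executable (here the parent's own path) is the
    spoofed command line seen in the report.
    """
    if ev["EventID"] != 1 or ntpath.basename(ev["Image"]).lower() != "rundll32.exe":
        return False
    first = ntpath.basename(argv0(ev["CommandLine"])).lower()
    return first != "rundll32.exe" or "," not in ev["CommandLine"]


def startup_folder_drop(ev):
    """File written into a per-user Startup folder (persistence at logon)."""
    return ev["EventID"] == 11 and \
        "\\start menu\\programs\\startup\\" in ev["TargetFilename"].lower()


def write_then_network(events):
    """Pids opened with write access by another process that later connect out."""
    written = {}  # target pid -> source pid
    hits = []
    for ev in events:
        if ev["EventID"] == 10 and ev["GrantedAccess"] & PROCESS_VM_WRITE:
            written[ev["TargetProcessId"]] = ev["SourceProcessId"]
        elif ev["EventID"] == 3 and ev["ProcessId"] in written:
            hits.append(("write_then_network", ev["ProcessId"],
                         "opened with PROCESS_VM_WRITE by pid %d" % written[ev["ProcessId"]]))
    return hits


def detect(events):
    """Return (rule, pid, detail) tuples in event order, then the cross-event rule."""
    alerts = []
    for ev in events:
        if rundll32_cmdline_mismatch(ev):
            alerts.append(("rundll32_cmdline_mismatch", ev["ProcessId"], ev["CommandLine"]))
        if startup_folder_drop(ev):
            alerts.append(("startup_folder_drop", ev["ProcessId"], ev["TargetFilename"]))
    alerts.extend(write_then_network(events))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print("%-26s pid=%-5d %s" % (rule, pid, detail))
```

The Startup rule fires on DllHost.exe, not on the sample, which matches the report: hunt on the destination path, not on the expected writer. The ProcessAccess rule keys on the PROCESS_VM_WRITE bit rather than the full-access mask so it also catches a minimal open.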