parallax | 517af63bf54611b1ae3707b905aa9263c3e139dc576acc53ee1cf34e75c3ac7a

Analysis

Target

pulsed.exe
Size

5.5MB
MD5

3fd3937bfe06d1fe40144907d8fe1463
SHA1

1d6617ffc465f67674bcdab3bce4440abce5d7f6
SHA256

517af63bf54611b1ae3707b905aa9263c3e139dc576acc53ee1cf34e75c3ac7a
SHA512

ca666c6ffebb7d09e549d6430838e814b3716cedadd0b511018da0d301581ae889da947c91e4fa2212561a979ef4d926e3c0d8e22a4c12ed58b7410346c392de

Score

10^/10

parallax rat

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/2020-60-0x0000000000400000-0x0000000000426000-memory.dmp	parallax_rat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pulsed.exe	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 21 IoCs

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2020	1808	pulsed.exe	28
PID 1808 wrote to memory of 2020	1808	pulsed.exe	28
PID 1808 wrote to memory of 2020	1808	pulsed.exe	28
PID 1808 wrote to memory of 2020	1808	pulsed.exe	28
PID 1808 wrote to memory of 2020	1808	pulsed.exe	28
PID 1808 wrote to memory of 2020	1808	pulsed.exe	28
PID 1808 wrote to memory of 2020	1808	pulsed.exe	28
PID 1808 wrote to memory of 2020	1808	pulsed.exe	28
PID 1808 wrote to memory of 2020	1808	pulsed.exe	28
PID 1808 wrote to memory of 2020	1808	pulsed.exe	28
PID 1808 wrote to memory of 2020	1808	pulsed.exe	28
PID 1808 wrote to memory of 2020	1808	pulsed.exe	28
PID 1808 wrote to memory of 2020	1808	pulsed.exe	28
PID 1808 wrote to memory of 2020	1808	pulsed.exe	28
PID 1808 wrote to memory of 2020	1808	pulsed.exe	28
PID 1808 wrote to memory of 2020	1808	pulsed.exe	28

C:\Users\Admin\AppData\Local\Temp\pulsed.exe
"C:\Users\Admin\AppData\Local\Temp\pulsed.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
  "C:\Users\Admin\AppData\Local\Temp\pulsed.exe"
  2⤵
  PID:2020

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:1948

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1808-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1808-55-0x0000000000290000-0x000000000030B000-memory.dmp

Filesize
492KB

Download
memory/1808-58-0x0000000002350000-0x00000000024D0000-memory.dmp

Filesize
1.5MB

Download
memory/2020-60-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download