Analysis

max time kernel: 94s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 12-05-2022 00:41

Static task: static1
Behavioral task: behavioral1
Sample: pulsed.exe
Resource: win7-20220414-en (windows7_x64)
0 signatures, 0 seconds
General

Target: pulsed.exe
Size: 5.5MB
MD5: 3fd3937bfe06d1fe40144907d8fe1463
SHA1: 1d6617ffc465f67674bcdab3bce4440abce5d7f6
SHA256: 517af63bf54611b1ae3707b905aa9263c3e139dc576acc53ee1cf34e75c3ac7a
SHA512: ca666c6ffebb7d09e549d6430838e814b3716cedadd0b511018da0d301581ae889da947c91e4fa2212561a979ef4d926e3c0d8e22a4c12ed58b7410346c392de
Malware Config

Signatures

ParallaxRat payload (1 IoC)
Detects payload of Parallax Rat, a small portable RAT usually digitally signed with a Sectigo certificate.
  resource: behavioral2/memory/1412-135-0x0000000000400000-0x0000000000426000-memory.dmp
  yara_rule: parallax_rat

Drops startup file (2 IoCs)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pulsed.exe
  Process: DllHost.exe

  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pulsed.exe
  Process: DllHost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (44 IoCs)
  pid: 4056
  Process: pulsed.exe
  (the same pid/Process row is reported 44 times)

Suspicious use of WriteProcessMemory (18 IoCs)
  description: PID 4056 wrote to memory of 3492
  pid: 4056
  Process: pulsed.exe
  procid_target: 85
  (row reported 3 times)

  description: PID 4056 wrote to memory of 1412
  pid: 4056
  Process: pulsed.exe
  procid_target: 86
  (row reported 15 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\pulsed.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\pulsed.exe"
   PID: 4056
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\pulsed.exe"
      PID: 3492

   2. C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\pulsed.exe"
      PID: 1412

1. C:\Windows\SysWOW64\DllHost.exe
   command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
   PID: 4976
   - Drops startup file