Analysis
-
max time kernel
152s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
03-03-2023 10:56
Static task
static1
Behavioral task
behavioral1
Sample
parallaxhuge.exe
Resource
win7-20230220-en
windows7-x64
9 signatures
150 seconds
General
-
Target
parallaxhuge.exe
-
Size
3.9MB
-
MD5
40256ea622aa1d0678f5bde48b9aa0fb
-
SHA1
ba9dc2820ff412f06ca986dd03af1880d5a60f41
-
SHA256
c3a3c6015ffc1bc98b5a21f89e78049900e5796e67e098bead011a20a99e7b0d
-
SHA512
04f9be55aeb88ff4f11b786f10e1bbcfa5cc1cf0b54f56d2d68fe067b0ada592f6aac93148cfbfe23916bbbe581669befebc4e95630f8c3e76303bc8e69ff450
-
SSDEEP
6144:DYh6ApoWrujS9yeoh6VVK7xvYTMxgUHgufnKiXybpsb:0h6ApVruja5oh2K755KUH5nNXylS
Malware Config
Signatures
-
ParallaxRat payload 9 IoCs
Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.
resource yara_rule behavioral2/memory/2484-136-0x0000000000400000-0x0000000000426000-memory.dmp parallax_rat behavioral2/memory/2484-137-0x0000000000400000-0x0000000000426000-memory.dmp parallax_rat behavioral2/memory/2484-138-0x0000000000400000-0x0000000000426000-memory.dmp parallax_rat behavioral2/memory/2484-139-0x0000000000400000-0x0000000000426000-memory.dmp parallax_rat behavioral2/memory/2484-140-0x0000000000400000-0x0000000000426000-memory.dmp parallax_rat behavioral2/memory/2484-141-0x0000000000400000-0x0000000000426000-memory.dmp parallax_rat behavioral2/memory/2484-142-0x0000000000400000-0x0000000000426000-memory.dmp parallax_rat behavioral2/memory/2484-143-0x0000000000400000-0x0000000000426000-memory.dmp parallax_rat behavioral2/memory/2484-146-0x0000000000400000-0x0000000000426000-memory.dmp parallax_rat -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milk.exe DllHost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milk.exe DllHost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
pid Process 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe 1984 parallaxhuge.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 388 Explorer.EXE -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1984 wrote to memory of 2484 1984 parallaxhuge.exe 86 PID 1984 wrote to memory of 2484 1984 parallaxhuge.exe 86 PID 1984 wrote to memory of 2484 1984 parallaxhuge.exe 86 PID 1984 wrote to memory of 2484 1984 parallaxhuge.exe 86 PID 1984 wrote to memory of 2484 1984 parallaxhuge.exe 86 PID 1984 wrote to memory of 2484 1984 parallaxhuge.exe 86 PID 1984 wrote to memory of 2484 1984 parallaxhuge.exe 86 PID 1984 wrote to memory of 2484 1984 parallaxhuge.exe 86 PID 1984 wrote to memory of 2484 1984 parallaxhuge.exe 86 PID 1984 wrote to memory of 2484 1984 parallaxhuge.exe 86 PID 1984 wrote to memory of 2484 1984 parallaxhuge.exe 86 PID 1984 wrote to memory of 2484 1984 parallaxhuge.exe 86 PID 1984 wrote to memory of 2484 1984 parallaxhuge.exe 86 PID 1984 wrote to memory of 2484 1984 parallaxhuge.exe 86 PID 1984 wrote to memory of 2484 1984 parallaxhuge.exe 86 PID 1984 wrote to memory of 388 1984 parallaxhuge.exe 35
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:388 -
C:\Users\Admin\AppData\Local\Temp\parallaxhuge.exe"C:\Users\Admin\AppData\Local\Temp\parallaxhuge.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe"C:\Users\Admin\AppData\Local\Temp\parallaxhuge.exe"3⤵PID:2484
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}1⤵
- Drops startup file
PID:5000