parallax | 55de849673b3d780491bb00996943f1914de77692b1218e798821fe8c22ea55c

General

Target

Scan_Doc.xll
Size

2.5MB
MD5

ba04aac6f4c36a1593fa81ca60722454
SHA1

0ccd54e2ba3088ce59180a21eb7682f479572550
SHA256

55de849673b3d780491bb00996943f1914de77692b1218e798821fe8c22ea55c
SHA512

7ba50edd4530a9820da132d988f8934b096c33f2ace3e5aa0ec8595041f71aca676e354662840238d66496b3b7b01ba377444ccc3564589b6ffd32d587705be9
SSDEEP

49152:G8XR54rGnugTn7g+Zp5Ybl3Qgx8Abu1sG9lmx2bcrMrvHEP31Un:G8Xr4wTnE+Z0l7i1XpwrMDktU

Score

10^/10

parallax rat

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 23 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/2812-72-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-73-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-75-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-74-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-81-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-89-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-91-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-92-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-93-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-96-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-97-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-99-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-95-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-94-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-98-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-100-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-101-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-102-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-103-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-113-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-112-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-111-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral1/memory/2812-128-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exgssi.exe	DllHost.exe

Executes dropped EXE 1 IoCs

pid	Process
2300	lum.exe

Loads dropped DLL 4 IoCs

pid	Process
1636	EXCEL.EXE
1636	EXCEL.EXE
1636	EXCEL.EXE
1636	EXCEL.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1636	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2300	lum.exe
2300	lum.exe
2300	lum.exe
2300	lum.exe
2300	lum.exe
2300	lum.exe
2300	lum.exe
2300	lum.exe
2300	lum.exe
2300	lum.exe
2300	lum.exe
2300	lum.exe
2300	lum.exe
2300	lum.exe
2300	lum.exe
2300	lum.exe
2300	lum.exe
2300	lum.exe
2300	lum.exe
2300	lum.exe
2300	lum.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1636	EXCEL.EXE
1636	EXCEL.EXE

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1636	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1636	EXCEL.EXE
1636	EXCEL.EXE
1636	EXCEL.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2300	1636	EXCEL.EXE	28
PID 1636 wrote to memory of 2300	1636	EXCEL.EXE	28
PID 1636 wrote to memory of 2300	1636	EXCEL.EXE	28
PID 1636 wrote to memory of 2300	1636	EXCEL.EXE	28
PID 2300 wrote to memory of 2812	2300	lum.exe	30
PID 2300 wrote to memory of 2812	2300	lum.exe	30
PID 2300 wrote to memory of 2812	2300	lum.exe	30
PID 2300 wrote to memory of 2812	2300	lum.exe	30
PID 2300 wrote to memory of 2812	2300	lum.exe	30
PID 2300 wrote to memory of 2812	2300	lum.exe	30
PID 2300 wrote to memory of 2812	2300	lum.exe	30
PID 2300 wrote to memory of 2812	2300	lum.exe	30
PID 2300 wrote to memory of 2812	2300	lum.exe	30
PID 2300 wrote to memory of 2812	2300	lum.exe	30
PID 2300 wrote to memory of 2812	2300	lum.exe	30
PID 2300 wrote to memory of 2812	2300	lum.exe	30
PID 2300 wrote to memory of 2812	2300	lum.exe	30
PID 2300 wrote to memory of 2812	2300	lum.exe	30
PID 2300 wrote to memory of 2812	2300	lum.exe	30
PID 2300 wrote to memory of 2812	2300	lum.exe	30
PID 2300 wrote to memory of 2812	2300	lum.exe	30

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Scan_Doc.xll
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636
- C:\ProgramData\{E960CDFA-25E9-4E26-A33F-3C26E05D3213}\lum.exe
  C:\ProgramData\{E960CDFA-25E9-4E26-A33F-3C26E05D3213}\lum.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
    C:\ProgramData\{E960CDFA-25E9-4E26-A33F-3C26E05D3213}\lum.exe
    3⤵
    PID:2812

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{E960CDFA-25E9-4E26-A33F-3C26E05D3213}\lum.exe

Filesize
2.4MB

MD5
f6637dd80c1bf55fdf7d31f1d857a155

SHA1
e7504efa854c5c6b8dc423d2fe5ace59b270b18b

SHA256
930ed2eef19f9a8fe45fc227cefc8d7369ef251c489b592d1f060f506d68bbba

SHA512
cc23934bc3ef8d886038e04ea7f0a7c4ceba9026183d2ab676e34a48c398309157af17b99f85c3341eb9d6f4b046c45ebf8bd44e392b99313f28b8fef996ed57

Download Submit
C:\ProgramData\{E960CDFA-25E9-4E26-A33F-3C26E05D3213}\lum.exe

Filesize
2.4MB

MD5
f6637dd80c1bf55fdf7d31f1d857a155

SHA1
e7504efa854c5c6b8dc423d2fe5ace59b270b18b

SHA256
930ed2eef19f9a8fe45fc227cefc8d7369ef251c489b592d1f060f506d68bbba

SHA512
cc23934bc3ef8d886038e04ea7f0a7c4ceba9026183d2ab676e34a48c398309157af17b99f85c3341eb9d6f4b046c45ebf8bd44e392b99313f28b8fef996ed57

Download Submit
C:\ProgramData\{E960CDFA-25E9-4E26-A33F-3C26E05D3213}\lum.exe

Filesize
2.4MB

MD5
f6637dd80c1bf55fdf7d31f1d857a155

SHA1
e7504efa854c5c6b8dc423d2fe5ace59b270b18b

SHA256
930ed2eef19f9a8fe45fc227cefc8d7369ef251c489b592d1f060f506d68bbba

SHA512
cc23934bc3ef8d886038e04ea7f0a7c4ceba9026183d2ab676e34a48c398309157af17b99f85c3341eb9d6f4b046c45ebf8bd44e392b99313f28b8fef996ed57

Download Submit
C:\Users\Admin\Documents\Invoice.xlsx

Filesize
18KB

MD5
497eb5ac984d6a8d3b23e72b3d87a974

SHA1
bbc7a034a3038d1b8a560f0eabfb268d3ee8e021

SHA256
109241fd345d38c3e3f27e9aa1ee6700b203b8bdc0c15d89deaa049da91141c3

SHA512
c7c31253e2938038c771d10e67bbe1a53e8063359cec9b14b729ed433e22a7a095bcb55b1099b5003baeb4cca0f05b3d2b2688075af7a057a2e10f8812f8c2d9

Download Submit
\ProgramData\{E960CDFA-25E9-4E26-A33F-3C26E05D3213}\lum.exe

Filesize
2.4MB

MD5
f6637dd80c1bf55fdf7d31f1d857a155

SHA1
e7504efa854c5c6b8dc423d2fe5ace59b270b18b

SHA256
930ed2eef19f9a8fe45fc227cefc8d7369ef251c489b592d1f060f506d68bbba

SHA512
cc23934bc3ef8d886038e04ea7f0a7c4ceba9026183d2ab676e34a48c398309157af17b99f85c3341eb9d6f4b046c45ebf8bd44e392b99313f28b8fef996ed57

Download Submit
\ProgramData\{E960CDFA-25E9-4E26-A33F-3C26E05D3213}\lum.exe

Filesize
2.4MB

MD5
f6637dd80c1bf55fdf7d31f1d857a155

SHA1
e7504efa854c5c6b8dc423d2fe5ace59b270b18b

SHA256
930ed2eef19f9a8fe45fc227cefc8d7369ef251c489b592d1f060f506d68bbba

SHA512
cc23934bc3ef8d886038e04ea7f0a7c4ceba9026183d2ab676e34a48c398309157af17b99f85c3341eb9d6f4b046c45ebf8bd44e392b99313f28b8fef996ed57

Download Submit
\Users\Admin\AppData\Local\Temp\Scan_Doc.xll

Filesize
2.5MB

MD5
ba04aac6f4c36a1593fa81ca60722454

SHA1
0ccd54e2ba3088ce59180a21eb7682f479572550

SHA256
55de849673b3d780491bb00996943f1914de77692b1218e798821fe8c22ea55c

SHA512
7ba50edd4530a9820da132d988f8934b096c33f2ace3e5aa0ec8595041f71aca676e354662840238d66496b3b7b01ba377444ccc3564589b6ffd32d587705be9

Download Submit
\Users\Admin\AppData\Local\Temp\Scan_Doc.xll

Filesize
2.5MB

MD5
ba04aac6f4c36a1593fa81ca60722454

SHA1
0ccd54e2ba3088ce59180a21eb7682f479572550

SHA256
55de849673b3d780491bb00996943f1914de77692b1218e798821fe8c22ea55c

SHA512
7ba50edd4530a9820da132d988f8934b096c33f2ace3e5aa0ec8595041f71aca676e354662840238d66496b3b7b01ba377444ccc3564589b6ffd32d587705be9

Download Submit
memory/1636-53-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1636-127-0x000000007381D000-0x0000000073828000-memory.dmp

Filesize
44KB

Download
memory/1636-54-0x000000007381D000-0x0000000073828000-memory.dmp

Filesize
44KB

Download
memory/2300-65-0x0000000000AD0000-0x0000000000B50000-memory.dmp

Filesize
512KB

Download
memory/2300-66-0x000000007761F000-0x0000000077620000-memory.dmp

Filesize
4KB

Download
memory/2300-90-0x0000000000AD0000-0x0000000000B50000-memory.dmp

Filesize
512KB

Download
memory/2812-87-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2812-97-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-79-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2812-82-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2812-83-0x000000007761F000-0x0000000077620000-memory.dmp

Filesize
4KB

Download
memory/2812-81-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-75-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-89-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-91-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-92-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-93-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-96-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-99-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-95-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-94-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-98-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-100-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-101-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-102-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-103-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-71-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-113-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-112-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-111-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-72-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2812-128-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing