Analysis

  • max time kernel
    2s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    04-03-2021 07:26

General

  • Target

    parcel.exe

  • Size

    387KB

  • MD5

    f36dbd08d89de65427f8f2474507c89c

  • SHA1

    4f7c2447d738c18e70160fb12a66e3b8913e8594

  • SHA256

    bdfb906a3a02d8a28bef1d13d0abff090bc9582373e05e5f376186e9a7c5a902

  • SHA512

    dee3bdeaf4c71fc212a66c04781d476f96bbcb9862f177ab383644137aa6993f04bd5ea9bc1e2d3055f90de7d1ca5346322d6b48fd4c3e7c46aa0c050279f20b

Malware Config

Signatures

  • NetWire RAT payload 1 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\parcel.exe
    "C:\Users\Admin\AppData\Local\Temp\parcel.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Users\Admin\AppData\Local\Temp\parcel.exe
      "C:\Users\Admin\AppData\Local\Temp\parcel.exe"
      2⤵
        PID:1496

Network

MITRE ATT&CK Enterprise v6

Downloads

    • \Users\Admin\AppData\Local\Temp\nss59D.tmp\a6z17y9ihy82n.dll
      MD5

      879c9fb7bfcf4ba604bf7ec9c17ec263

      SHA1

      3f9f01f75bb29b6224c19ddf6454b03b91e88b9c

      SHA256

      5ce6c28061dd194d0ea22444b29eaacf1fca15772771dd1f2840983c8ef20dd9

      SHA512

      21f07126132254a1207e6b99feb61448d44fa5895f2a8ee961f97c15ee78590bc217c8dca3394c682538dd09b7e713b423e0ed98c7ef03c60b7fc52538fa7c45

    • memory/1496-4-0x000000000040242D-mapping.dmp
    • memory/1496-6-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

    • memory/1684-2-0x00000000756A1000-0x00000000756A3000-memory.dmp
      Filesize

      8KB