Analysis
max time kernel: 2s
max time network: 152s
platform: windows7_x64
resource: win7v20201028
submitted: 04-03-2021 07:26
Static task: static1
Behavioral task: behavioral1
Sample: parcel.exe
Resource: win7v20201028
General
Target: parcel.exe
Size: 387KB
MD5: f36dbd08d89de65427f8f2474507c89c
SHA1: 4f7c2447d738c18e70160fb12a66e3b8913e8594
SHA256: bdfb906a3a02d8a28bef1d13d0abff090bc9582373e05e5f376186e9a7c5a902
SHA512: dee3bdeaf4c71fc212a66c04781d476f96bbcb9862f177ab383644137aa6993f04bd5ea9bc1e2d3055f90de7d1ca5346322d6b48fd4c3e7c46aa0c050279f20b
Malware Config
Signatures
NetWire RAT payload (1 IoCs)
  resource: behavioral1/memory/1496-6-0x0000000000400000-0x0000000000433000-memory.dmp
  yara_rule: netwire
Loads dropped DLL (1 IoCs)
  PID 1684 parcel.exe
Suspicious use of SetThreadContext (1 IoCs)
  PID 1684 (parcel.exe) set thread context of PID 1496 (parcel.exe)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (Generic description attached to this signature by the sandbox; the payload itself is classified above as NetWire RAT, not ransomware.)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 1684 parcel.exe (4 occurrences)
Suspicious behavior: MapViewOfSection (1 IoCs)
  PID 1684 parcel.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  PID 1684 (parcel.exe) wrote to memory of PID 1496 (parcel.exe) (5 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\parcel.exe  "C:\Users\Admin\AppData\Local\Temp\parcel.exe"  PID:1684
  Loads dropped DLL
  Suspicious use of SetThreadContext
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: MapViewOfSection
  Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Local\Temp\parcel.exe  "C:\Users\Admin\AppData\Local\Temp\parcel.exe"  PID:1496
Network
MITRE ATT&CK Enterprise v6
Downloads
\Users\Admin\AppData\Local\Temp\nss59D.tmp\a6z17y9ihy82n.dll
  (an ns<hex>.tmp directory under %TEMP% is the naming NSIS installers use for extracted plugin DLLs)
  MD5: 879c9fb7bfcf4ba604bf7ec9c17ec263
  SHA1: 3f9f01f75bb29b6224c19ddf6454b03b91e88b9c
  SHA256: 5ce6c28061dd194d0ea22444b29eaacf1fca15772771dd1f2840983c8ef20dd9
  SHA512: 21f07126132254a1207e6b99feb61448d44fa5895f2a8ee961f97c15ee78590bc217c8dca3394c682538dd09b7e713b423e0ed98c7ef03c60b7fc52538fa7c45
memory/1496-4-0x000000000040242D-mapping.dmp
memory/1496-6-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB
memory/1684-2-0x00000000756A1000-0x00000000756A3000-memory.dmp
  Filesize: 8KB
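The Signatures and Processes sections record the pattern an analyst would pull out of this report: parcel.exe (PID 1684) spawns a second copy of itself (PID 1496), writes into it five times, then calls SetThreadContext on it, and the NetWire YARA hit is on the child's 0x400000-0x433000 region (the default image base of a 32-bit PE, and 0x33000 bytes is exactly the 204KB listed). The script below is an added example written for this page, not Triage's code or output: it transcribes the report's own process tree, API events and dump names inline as constructed data, reconstructs the injection chain from them, and checks that the single-address mapping dump at 0x40242D falls inside the dumped image region. The event dictionary layout and the ATT&CK identifiers in the comments are my own assumptions, not something the report states.

```python
import re
from collections import Counter

# Constructed from this report's own data (added example, not Triage output):
# process list, parent relationship, and the cross-process API events the
# "Signatures" section lists. Triage's native event schema is not reproduced.
PROCESSES = {
    1684: r"C:\Users\Admin\AppData\Local\Temp\parcel.exe",
    1496: r"C:\Users\Admin\AppData\Local\Temp\parcel.exe",
}
PARENT_OF = {1496: 1684}
EVENTS = (
    [{"api": "WriteProcessMemory", "pid": 1684, "target": 1496}] * 5
    + [{"api": "SetThreadContext", "pid": 1684, "target": 1496}]
    + [{"api": "MapViewOfSection", "pid": 1684, "target": None}]
)

# Memory artefact names exactly as listed under "Downloads".
DUMPS = [
    "memory/1496-4-0x000000000040242D-mapping.dmp",
    "memory/1496-6-0x0000000000400000-0x0000000000433000-memory.dmp",
    "memory/1684-2-0x00000000756A1000-0x00000000756A3000-memory.dmp",
]

REGION_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def injection_chains(events, processes, parent_of):
    """Pair cross-process WriteProcessMemory calls with a SetThreadContext on
    the same (injector, target) pair and label the pattern.

    Writes into a freshly spawned child running the same image as the parent,
    followed by redirecting the child's thread context, is the self-hollowing
    pattern (ATT&CK Process Hollowing: T1093 in the v6 matrix this report
    references, T1055.012 in current versions; attribution assumed here).
    The same APIs against an unrelated process are labelled thread hijacking.
    """
    writes = Counter()
    ctx_changes = set()
    for ev in events:
        if ev["target"] is None:  # MapViewOfSection carries no target PID here
            continue
        pair = (ev["pid"], ev["target"])
        if ev["api"] == "WriteProcessMemory":
            writes[pair] += 1
        elif ev["api"] == "SetThreadContext":
            ctx_changes.add(pair)
    chains = []
    for (src, dst), n in sorted(writes.items()):
        if (src, dst) not in ctx_changes:
            continue  # writes alone do not prove the injector took execution control
        hollowing = (processes.get(src) == processes.get(dst)
                     and parent_of.get(dst) == src)
        chains.append({
            "injector": src, "target": dst, "writes": n,
            "technique": "process hollowing" if hollowing else "thread hijacking",
        })
    return chains


def parse_region(name):
    """Decode a '<pid>-<n>-0x<start>-0x<end>-memory.dmp' name into a dict."""
    m = REGION_RE.match(name)
    if not m:
        return None
    start, end = int(m[2], 16), int(m[3], 16)
    return {"pid": int(m[1]), "start": start, "end": end, "size": end - start}


def locate_mappings(dumps):
    """For each single-address mapping dump, find the memory dump of the same
    PID whose range contains that address (region is None when none does)."""
    regions = [r for r in map(parse_region, dumps) if r]
    located = []
    for name in dumps:
        m = MAPPING_RE.match(name)
        if not m:
            continue
        pid, addr = int(m[1]), int(m[2], 16)
        hit = next((r for r in regions
                    if r["pid"] == pid and r["start"] <= addr < r["end"]), None)
        located.append({"pid": pid, "addr": addr, "region": hit})
    return located


if __name__ == "__main__":
    for c in injection_chains(EVENTS, PROCESSES, PARENT_OF):
        print(f"{c['injector']} -> {c['target']}: {c['writes']} writes + "
              f"SetThreadContext => {c['technique']}")
    for r in filter(None, map(parse_region, DUMPS)):
        print(f"pid {r['pid']}: 0x{r['start']:X}-0x{r['end']:X} = {r['size'] // 1024} KB")
    for loc in locate_mappings(DUMPS):
        reg = loc["region"]
        where = f"inside 0x{reg['start']:X}-0x{reg['end']:X}" if reg else "not covered by any dump"
        print(f"mapping 0x{loc['addr']:X} in pid {loc['pid']}: {where}")
```

Run as-is it reports one chain, 1684 -> 1496 labelled process hollowing, the 1496 region as 204 KB and the 1684 region as 8 KB, and the 0x40242D mapping as lying inside 0x400000-0x433000. The region size check is worth keeping in a triage workflow: a dump whose size does not match the report's Filesize is a sign the name was transcribed wrongly before it is fed to YARA or a disassembler.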