netwire | bdfb906a3a02d8a28bef1d13d0abff090bc9582373e05e5f376186e9a7c5a902

Analysis

Target

parcel.exe
Size

387KB
MD5

f36dbd08d89de65427f8f2474507c89c
SHA1

4f7c2447d738c18e70160fb12a66e3b8913e8594
SHA256

bdfb906a3a02d8a28bef1d13d0abff090bc9582373e05e5f376186e9a7c5a902
SHA512

dee3bdeaf4c71fc212a66c04781d476f96bbcb9862f177ab383644137aa6993f04bd5ea9bc1e2d3055f90de7d1ca5346322d6b48fd4c3e7c46aa0c050279f20b

Score

10^/10

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2712-4-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Loads dropped DLL 1 IoCs

Processes:

parcel.exe

pid process

3132 parcel.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

parcel.exe

description pid process target process

PID 3132 set thread context of 2712 3132 parcel.exe parcel.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

parcel.exe

pid process

3132 parcel.exe
3132 parcel.exe
3132 parcel.exe
3132 parcel.exe
3132 parcel.exe
3132 parcel.exe
3132 parcel.exe
3132 parcel.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

parcel.exe

pid process

3132 parcel.exe

pid	process
3132	parcel.exe

description	pid	process	target process
PID 3132 set thread context of 2712	3132	parcel.exe	parcel.exe

pid	process
3132	parcel.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

parcel.exe

description	pid	process	target process
PID 3132 wrote to memory of 2712	3132	parcel.exe	parcel.exe
PID 3132 wrote to memory of 2712	3132	parcel.exe	parcel.exe
PID 3132 wrote to memory of 2712	3132	parcel.exe	parcel.exe
PID 3132 wrote to memory of 2712	3132	parcel.exe	parcel.exe

C:\Users\Admin\AppData\Local\Temp\parcel.exe
"C:\Users\Admin\AppData\Local\Temp\parcel.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Users\Admin\AppData\Local\Temp\parcel.exe
  "C:\Users\Admin\AppData\Local\Temp\parcel.exe"
  2⤵
  PID:2712

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

\Users\Admin\AppData\Local\Temp\nst2A62.tmp\a6z17y9ihy82n.dll

MD5
879c9fb7bfcf4ba604bf7ec9c17ec263

SHA1
3f9f01f75bb29b6224c19ddf6454b03b91e88b9c

SHA256
5ce6c28061dd194d0ea22444b29eaacf1fca15772771dd1f2840983c8ef20dd9

SHA512
21f07126132254a1207e6b99feb61448d44fa5895f2a8ee961f97c15ee78590bc217c8dca3394c682538dd09b7e713b423e0ed98c7ef03c60b7fc52538fa7c45

Download Submit
memory/2712-3-0x000000000040242D-mapping.dmp

Download
memory/2712-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download