Analysis
- max time kernel: 151s
- max time network: 167s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 13:05
Static task: static1
Behavioral task: behavioral1 (Sample: ASSIGNED.exe, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: ASSIGNED.exe, Resource: win10v2004-20220414-en)
Behavioral task: behavioral3 (Sample: DHL_RECE.exe, Resource: win7-20220414-en)
General
- Target: DHL_RECE.exe
- Size: 381KB
- MD5: a003c2bb955b2caab13a30f8e8827f09
- SHA1: 0a716bed3e668c0276910851465adb4fde6c0a49
- SHA256: 2936937ebeead6d1c9b62739331fd975248e2998fcf13c94ee817bbfe501a64b
- SHA512: 8e57ae74646718ca9ca60977daf132108f130dcc68771014e81cb38502f1f26335fcc251eaea5fafcdf3a55ba5f71758f86e24d44f349d31f7022acbcd7e232b
Malware Config
Signatures
- NetWire RAT payload 1 IoCs
  Processes: resource behavioral3/memory/1128-72-0x0000000000400000-0x0000000000433000-memory.dmp, yara_rule netwire
- Blocklisted process makes network request 64 IoCs
  Processes:
- Loads dropped DLL 1 IoCs
  Processes: pid 1300, process rundll32.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes: pid 1300, process rundll32.exe
- Suspicious behavior: MapViewOfSection 1 IoCs
  Processes: pid 1300, process rundll32.exe
- Suspicious use of WriteProcessMemory 52 IoCs
  Processes:
Processes
- C:\Users\Admin\AppData\Local\Temp\DHL_RECE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL_RECE.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe KnowhowMove,Xylol
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Counterfoil
  Filesize: 202KB
  MD5: 7b15f5cea41c54e4b02255452673c114
  SHA1: 92a999c9dfe29ad8c19b705f5a30c25164784249
  SHA256: b8ea5fcb8f5515a72d04775697eb8d838a5e6c2caa444ad679ae6154a0b7702c
  SHA512: 0614f136102d27e046ed95e52b91a7e379a641e2724292346b7640a045accb6afe423f13cd857dcfe231ed2a0945b89a4f6a8be9d7eb679a30591054c027f4cc
- C:\Users\Admin\AppData\Local\Temp\KnowhowMove.DLL
  Filesize: 72KB
  MD5: 11d85e62b99dbf03d47ac93ee60b6915
  SHA1: 97eb6906ee2026e923165e85f0ba64d100fe6532
  SHA256: 5c2048e13ad410ed7df298b7626ec1ddd9d0e428e3bb3f869e22713f821a10b8
  SHA512: 36940a2ac3a62c6247f3cd20a2db6400e0ee619e762135ac52cd9df6d2df81a5dac0311d078b2febdaad8dddb2efad03bd39d1e1aceb30750382c2d81e5925f1
- \Users\Admin\AppData\Local\Temp\KnowhowMove.dll
  Filesize: 72KB
  MD5: 11d85e62b99dbf03d47ac93ee60b6915
  SHA1: 97eb6906ee2026e923165e85f0ba64d100fe6532
  SHA256: 5c2048e13ad410ed7df298b7626ec1ddd9d0e428e3bb3f869e22713f821a10b8
  SHA512: 36940a2ac3a62c6247f3cd20a2db6400e0ee619e762135ac52cd9df6d2df81a5dac0311d078b2febdaad8dddb2efad03bd39d1e1aceb30750382c2d81e5925f1
- memory/1128-64-0x0000000000000000-mapping.dmp
- memory/1128-66-0x00000000774C0000-0x0000000077669000-memory.dmp
  Filesize: 1.7MB
- memory/1128-67-0x0000000000090000-0x0000000000096000-memory.dmp
  Filesize: 24KB
- memory/1128-72-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB
- memory/1300-55-0x0000000000000000-mapping.dmp
- memory/1300-60-0x0000000074860000-0x00000000748B8000-memory.dmp
  Filesize: 352KB
- memory/1300-62-0x0000000075E20000-0x0000000075E55000-memory.dmp
  Filesize: 212KB
- memory/1300-63-0x00000000774C0000-0x0000000077669000-memory.dmp
  Filesize: 1.7MB
- memory/1984-54-0x00000000764C1000-0x00000000764C3000-memory.dmp
  Filesize: 8KB