Analysis
- max time kernel: 190s
- max time network: 197s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 13:05
Tasks
- Static task: static1
- Behavioral task behavioral1: Sample ASSIGNED.exe, Resource win7-20220414-en
- Behavioral task behavioral2: Sample ASSIGNED.exe, Resource win10v2004-20220414-en
- Behavioral task behavioral3: Sample DHL_RECE.exe, Resource win7-20220414-en
General
- Target: DHL_RECE.exe
- Size: 381KB
- MD5: a003c2bb955b2caab13a30f8e8827f09
- SHA1: 0a716bed3e668c0276910851465adb4fde6c0a49
- SHA256: 2936937ebeead6d1c9b62739331fd975248e2998fcf13c94ee817bbfe501a64b
- SHA512: 8e57ae74646718ca9ca60977daf132108f130dcc68771014e81cb38502f1f26335fcc251eaea5fafcdf3a55ba5f71758f86e24d44f349d31f7022acbcd7e232b
Malware Config
Signatures
- NetWire RAT payload (1 IoCs)
  Processes:
    resource: behavioral4/memory/2068-145-0x0000000000400000-0x0000000000433000-memory.dmp
    yara_rule: netwire
- Blocklisted process makes network request (1 IoCs)
  Processes:
    flow 39, pid 2068, process cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid 2720, process rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid 2720, process rundll32.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    pid 2720, process rundll32.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID, source process -> target PID, target process; the report lists 64 entries in total, each of the two relationships below repeated many times):
    PID 4400 DHL_RECE.exe wrote to memory of PID 2720 rundll32.exe
    PID 2720 rundll32.exe wrote to memory of PID 2068 cmd.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\DHL_RECE.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\DHL_RECE.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe KnowhowMove,Xylol
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe"
         - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Counterfoil
  Filesize: 202KB
  MD5: 7b15f5cea41c54e4b02255452673c114
  SHA1: 92a999c9dfe29ad8c19b705f5a30c25164784249
  SHA256: b8ea5fcb8f5515a72d04775697eb8d838a5e6c2caa444ad679ae6154a0b7702c
  SHA512: 0614f136102d27e046ed95e52b91a7e379a641e2724292346b7640a045accb6afe423f13cd857dcfe231ed2a0945b89a4f6a8be9d7eb679a30591054c027f4cc
- C:\Users\Admin\AppData\Local\Temp\KnowhowMove.DLL
  Filesize: 72KB
  MD5: 11d85e62b99dbf03d47ac93ee60b6915
  SHA1: 97eb6906ee2026e923165e85f0ba64d100fe6532
  SHA256: 5c2048e13ad410ed7df298b7626ec1ddd9d0e428e3bb3f869e22713f821a10b8
  SHA512: 36940a2ac3a62c6247f3cd20a2db6400e0ee619e762135ac52cd9df6d2df81a5dac0311d078b2febdaad8dddb2efad03bd39d1e1aceb30750382c2d81e5925f1
- C:\Users\Admin\AppData\Local\Temp\KnowhowMove.dll
  Filesize: 72KB
  MD5: 11d85e62b99dbf03d47ac93ee60b6915
  SHA1: 97eb6906ee2026e923165e85f0ba64d100fe6532
  SHA256: 5c2048e13ad410ed7df298b7626ec1ddd9d0e428e3bb3f869e22713f821a10b8
  SHA512: 36940a2ac3a62c6247f3cd20a2db6400e0ee619e762135ac52cd9df6d2df81a5dac0311d078b2febdaad8dddb2efad03bd39d1e1aceb30750382c2d81e5925f1
- memory/2068-138-0x0000000000000000-mapping.dmp
- memory/2068-139-0x00007FFF1B3D0000-0x00007FFF1B5C5000-memory.dmp
  Filesize: 2.0MB
- memory/2068-144-0x0000000000950000-0x0000000000956000-memory.dmp
  Filesize: 24KB
- memory/2068-145-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB
- memory/2720-130-0x0000000000000000-mapping.dmp
- memory/2720-134-0x0000000074070000-0x0000000074138000-memory.dmp
  Filesize: 800KB
- memory/2720-136-0x00000000754B0000-0x0000000075513000-memory.dmp
  Filesize: 396KB
- memory/2720-137-0x00007FFF1B3D0000-0x00007FFF1B5C5000-memory.dmp
  Filesize: 2.0MB