Static

static

8

offer_05634.xlsm

windows7_x64

6

offer_05634.xlsm

windows10_x64

10

Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    12-05-2020 18:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    offer_05634.xlsm

  • Size

    115KB

  • MD5

    3e0bbe29e435b2a5bf66091b2bc4efcf

  • SHA1

    af4abd629cf997d80e2a57a37c4fd6408097e324

  • SHA256

    27ba6b6b56747320708fc658ba659bc5d3f77545453ee879cfc6ae210636786c

  • SHA512

    1acd893cd2d57573221dec7ec553eb7f513902d34c8669c15469ec1ca5829d6524cc5c4623c9cf39e863d6203e83343ac1915d2ee24a6be0a2eafdfa353d5c4c

Score
10/10
hancitorpony0405_784793234downloaderratspywarestealer

Malware Config

Extracted

Family

hancitor

Botnet

0405_784793234

C2

http://libuions.com/4/forum.php

http://feredrazac.ru/4/forum.php

http://urumerael.ru/4/forum.php

Signatures

  • Hancitor

    Hancitor is downloader used to deliver other malware families.

    downloaderhancitor
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 67 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\offer_05634.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3216
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s /i C:\ProgramData\dwrgMVW.ocx
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3872
      • C:\Windows\SysWOW64\regsvr32.exe
        /s /i C:\ProgramData\dwrgMVW.ocx
        3⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\System32\svchost.exe
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:500
          • C:\Windows\SysWOW64\cmd.exe
            cmd /K
            5⤵
              PID:1076
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\System32\svchost.exe
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3764
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 688
            4⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3396

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\dwrgMVW.ocx
      MD5

      64a8038e7c00538cd34ae3f153acac1a

      SHA1

      bdd00a11bf7db90dc008ede421a6a5ef79121fd0

      SHA256

      e892dbc4036d53ede078f61452515f549d8bac9a471adff6c3a9bad0b99965d2

      SHA512

      3d5f6e3fbb4f74047bb0519a1028405a7983ae58a1d945f6d30d1662d92abe9b8b4117fa8526078b8bc5f7f989c23cb7bc5618605e0188ca80962eb4665120a0

      Download Submit
    • \ProgramData\dwrgMVW.ocx
      MD5

      64a8038e7c00538cd34ae3f153acac1a

      SHA1

      bdd00a11bf7db90dc008ede421a6a5ef79121fd0

      SHA256

      e892dbc4036d53ede078f61452515f549d8bac9a471adff6c3a9bad0b99965d2

      SHA512

      3d5f6e3fbb4f74047bb0519a1028405a7983ae58a1d945f6d30d1662d92abe9b8b4117fa8526078b8bc5f7f989c23cb7bc5618605e0188ca80962eb4665120a0

      Download Submit
    • memory/500-2-0x0000000000400000-0x0000000000409000-memory.dmp
      Filesize

      36KB

      Download
    • memory/500-3-0x0000000000400000-0x0000000000409000-memory.dmp
      Filesize

      36KB

      Download
    • memory/3396-4-0x0000000004C30000-0x0000000004C31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3396-5-0x0000000005160000-0x0000000005161000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3764-6-0x000000000BC00000-0x000000000BC12000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3764-7-0x000000000BC00000-0x000000000BC12000-memory.dmp
      Filesize

      72KB

      Download