Analysis

max time kernel: 135s
max time network: 142s
platform: windows10_x64
resource: win10
submitted: 15-07-2020 22:55

Behavioral task: behavioral1
Sample: in_6.xls
Resource: win7v200430
General

Target: in_6.xls
Size: 90KB
MD5: d72515d8b2eecab727781df270c548b3
SHA1: 1578bed7a4a4c4d61f8c1fc003b0d26feaf56e09
SHA256: e4d6561ef40ae9c9e4343fb6184523a2f1fd90653245bd9ed017c858d49fc6c3
SHA512: 66a790306116ce388685568063287dd663639f9d4adc06e668ea45f6e29810c6e35c7ad5beeafd7cf6b82e5e89c6e42f8c427b3eb8951637bc5ae2153d4590bc
Malware Config

Extracted
Family: hancitor
Build: 1307_qsew
C2:
http://overnightfile.com/4/forum.php
http://toolboxkasa.ru/4/forum.php
http://ibexjade.ru/4/forum.php
Signatures

Hancitor
Hancitor is a downloader used to deliver other malware families. In this run the document drops BvkFvmz.ocx into the user's Documents folder and loads it through regsvr32.exe, which injects into svchost.exe; the injected process then queries api.ipify.org for the external IP address, which Hancitor includes in its first check-in to the C2.
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
  pid 3844 regsvr32.exe, spawned by pid 3828 EXCEL.EXE

Loads dropped DLL (1 IoC)
Processes:
  pid 440 regsvr32.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 23: api.ipify.org

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  PID 440 regsvr32.exe set thread context of PID 1268 svchost.exe
  PID 1268 svchost.exe set thread context of PID 1956 svchost.exe

Program crash (1 IoC)
Processes:
  pid 2652 WerFault.exe, crashed process pid 440 regsvr32.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
Note: both registry signatures are attributed to EXCEL.EXE itself and also fire on benign Office documents; treat them as weak signals next to the process chain.

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid 3828 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
  pid 1268 svchost.exe (4 events)
  pid 2652 WerFault.exe (14 events)

Suspicious use of AdjustPrivilegeToken (67 IoCs)
Processes:
  pid 1268 svchost.exe and pid 1956 svchost.exe repeatedly adjusted the same set of token privileges:
  SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege

Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
  pid 3828 EXCEL.EXE (12 events)

Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  PID 3828 EXCEL.EXE wrote to memory of PID 3844 regsvr32.exe (2 events)
  PID 3844 regsvr32.exe wrote to memory of PID 440 regsvr32.exe (3 events)
  PID 440 regsvr32.exe wrote to memory of PID 1268 svchost.exe (5 events)
  PID 1268 svchost.exe wrote to memory of PID 1600 cmd.exe (3 events)
  PID 1268 svchost.exe wrote to memory of PID 1956 svchost.exe (5 events)
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3828)
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\in_6.xls"
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\regsvr32.exe (PID 3844)
      Command line: "C:\Windows\System32\regsvr32.exe" /s /i BvkFvmz.ocx
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\regsvr32.exe (PID 440)
         Command line: /s /i BvkFvmz.ocx
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\svchost.exe (PID 1268)
            Command line: C:\Windows\System32\svchost.exe
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\cmd.exe (PID 1600)
               Command line: cmd /K

            5. C:\Windows\SysWOW64\svchost.exe (PID 1956)
               Command line: C:\Windows\System32\svchost.exe
               - Suspicious use of AdjustPrivilegeToken

         4. C:\Windows\SysWOW64\WerFault.exe (PID 2652)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 668
            - Program crash
            - Suspicious behavior: EnumeratesProcesses

The numbers are the report's nesting level; PIDs are taken from the signature tables above. The SysWOW64 image path for a command line naming C:\Windows\System32\svchost.exe is WoW64 file-system redirection: the 64-bit regsvr32.exe re-launched its 32-bit copy, which created a 32-bit svchost.exe. Neither svchost instance carries the -k <group> argument a service host started by services.exe would have, and both are targets of WriteProcessMemory and SetThreadContext from their parent, which is the pattern of process hollowing rather than a legitimate service start.
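The process chain above is the part of this report worth turning into a detection. The following is an added example, not code from the sandbox or from the Hancitor sample: it rebuilds a process tree from Sysmon Event ID 1 style records (ProcessId, ParentProcessId, Image, CommandLine) and flags two things the report shows, a LOLBin anywhere beneath an Office application and an svchost.exe that was not started by services.exe. The events are constructed to mirror the report's tree (PIDs and command lines as listed) plus a benign services.exe -> svchost.exe pair as a control; explorer.exe as Excel's parent, the PID 1000/600/900 values and the "-k netsvcs -p" argument are assumptions.

```python
# Added example (not part of the sandbox report): rebuild a process tree from
# process-creation events and flag the chain this report shows. Event field names
# follow Sysmon Event ID 1; the events themselves are constructed, not sandbox output.
from dataclasses import dataclass
import ntpath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Binaries an Office process has no business launching, directly or indirectly.
# svchost.exe is included because a user-mode application creating it is itself odd.
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "cmd.exe", "certutil.exe", "svchost.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    chain: tuple  # image basenames from the root of the tree down to the flagged process


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestry(index: dict, pid: int) -> tuple:
    """Walk ParentProcessId links to the root (root-first). Cycle-safe for reused PIDs."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(basename(index[pid].image))
        pid = index[pid].ppid
    return tuple(reversed(chain))


def hunt(events) -> list:
    index = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = basename(e.image)
        chain = ancestry(index, e.pid)
        # Rule 1: a LOLBin anywhere below an Office application. This is the report's
        # "Process spawned unexpected child process" extended to the whole subtree, so
        # the regsvr32 -> svchost -> cmd descendants are caught, not only the first hop.
        if img in LOLBINS and any(a in OFFICE_APPS for a in chain[:-1]):
            findings.append(Finding("office_descendant_lolbin", e.pid, chain))
        # Rule 2: svchost.exe not started by services.exe, or missing the "-k <group>"
        # argument a real service host carries. Both svchost instances in the report
        # fail both checks (parent is regsvr32.exe / svchost.exe, no -k).
        if img == "svchost.exe":
            parent = index.get(e.ppid)
            bad_parent = parent is None or basename(parent.image) != "services.exe"
            if bad_parent or " -k " not in f" {e.cmdline} ":
                findings.append(Finding("svchost_not_service_host", e.pid, chain))
    return findings


# Constructed events mirroring the report's tree (PIDs and command lines as reported),
# plus an assumed explorer.exe parent for Excel and a benign services.exe -> svchost.exe pair.
SAMPLE_EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3828, 1000, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\in_6.xls"'),
    ProcEvent(3844, 3828, r"C:\Windows\System32\regsvr32.exe",
              r'"C:\Windows\System32\regsvr32.exe" /s /i BvkFvmz.ocx'),
    ProcEvent(440, 3844, r"C:\Windows\SysWOW64\regsvr32.exe", "/s /i BvkFvmz.ocx"),
    ProcEvent(1268, 440, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ProcEvent(1600, 1268, r"C:\Windows\SysWOW64\cmd.exe", "cmd /K"),
    ProcEvent(1956, 1268, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ProcEvent(2652, 440, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 668"),
    # Benign control chain (assumed PIDs and arguments): must not be flagged.
    ProcEvent(600, 500, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(900, 600, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:26} pid={f.pid:<5} {' -> '.join(f.chain)}")
```

Run against the constructed events, Rule 1 fires for PIDs 3844, 440, 1268, 1600 and 1956 and Rule 2 for 1268 and 1956, while WerFault.exe (a crash handler, not a LOLBin) and the services.exe-launched svchost.exe stay quiet. The ancestry walk is what makes the first rule useful in practice: the hop that actually appears in telemetry is often two or three levels below the Office process, as it is here.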
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\Documents\BvkFvmz.ocx (also listed as \Users\Admin\Documents\BvkFvmz.ocx)
MD5: 56921bed6e4dd3ba4064557d453e403e
SHA1: 9a2ec0abbde02b61d56990882ea6c43d833114b3
SHA256: a1ea6e27f13d729c388d0cf8a22f07407bf52290d0b68f4d4da1637d3a2b8eea
SHA512: d27da6d2386185d1ea76a195bee2d72e1ac229b841f4b60eafe0e4055cbaaaeecd99e1d9f0693eab660fa480baa74a00ad9a0ca43b392a83d285ddea4bf8911c

Memory dumps (PID-index-range):
memory/440-15-0x0000000000000000-mapping.dmp
memory/440-2-0x0000000000000000-mapping.dmp
memory/440-24-0x0000000000AC0000-0x0000000000AC1000-memory.dmp (4KB)
memory/440-22-0x0000000000000000-mapping.dmp
memory/440-21-0x0000000000000000-mapping.dmp
memory/440-17-0x0000000000000000-mapping.dmp
memory/440-16-0x0000000000000000-mapping.dmp
memory/1268-4-0x0000000000400000-0x0000000000409000-memory.dmp (36KB)
memory/1268-6-0x0000000000400000-0x0000000000409000-memory.dmp (36KB)
memory/1268-5-0x0000000000402960-mapping.dmp
memory/1600-7-0x0000000000000000-mapping.dmp
memory/1956-10-0x000000000BC00000-0x000000000BC12000-memory.dmp (72KB)
memory/1956-9-0x000000000BC01067-mapping.dmp
memory/1956-8-0x000000000BC00000-0x000000000BC12000-memory.dmp (72KB)
memory/2652-14-0x0000000004D20000-0x0000000004D21000-memory.dmp (4KB)
memory/2652-18-0x0000000005350000-0x0000000005351000-memory.dmp (4KB)
memory/3844-0-0x0000000000000000-mapping.dmp

The 36KB region at 0x400000 in PID 1268 and the 72KB region at 0xBC00000 in PID 1956 are the only sizeable dumps from the two SetThreadContext targets, and the mapping entries at 0x402960 and 0xBC01067 fall inside them; these are the first places to look for the injected Hancitor payload.