hancitor | e4d6561ef40ae9c9e4343fb6184523a2f1fd90653245bd9ed017c858d49fc6c3

General

Target

in_6.xls
Size

90KB
MD5

d72515d8b2eecab727781df270c548b3
SHA1

1578bed7a4a4c4d61f8c1fc003b0d26feaf56e09
SHA256

e4d6561ef40ae9c9e4343fb6184523a2f1fd90653245bd9ed017c858d49fc6c3
SHA512

66a790306116ce388685568063287dd663639f9d4adc06e668ea45f6e29810c6e35c7ad5beeafd7cf6b82e5e89c6e42f8c427b3eb8951637bc5ae2153d4590bc

Score

10^/10

hancitor pony 1307_qsew downloader rat spyware stealer

Malware Config

Extracted

Family

hancitor

Botnet

1307_qsew

C2

http://overnightfile.com/4/forum.php

http://toolboxkasa.ru/4/forum.php

http://ibexjade.ru/4/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3844	3828	regsvr32.exe	EXCEL.EXE

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

440 regsvr32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 api.ipify.org

pid	process
440	regsvr32.exe

flow	ioc
23	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

Processes:

regsvr32.exesvchost.exe

description	pid	process	target process
PID 440 set thread context of 1268	440	regsvr32.exe	svchost.exe
PID 1268 set thread context of 1956	1268	svchost.exe	svchost.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2652 440 WerFault.exe regsvr32.exe

pid	pid_target	process	target process
2652	440	WerFault.exe	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3828 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

svchost.exeWerFault.exe

pid	process
1268	svchost.exe
1268	svchost.exe
1268	svchost.exe
1268	svchost.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe

Suspicious use of AdjustPrivilegeToken 67 IoCs

Processes:

svchost.exesvchost.exe

description	pid	process
Token: SeImpersonatePrivilege	1268	svchost.exe
Token: SeTcbPrivilege	1268	svchost.exe
Token: SeChangeNotifyPrivilege	1268	svchost.exe
Token: SeCreateTokenPrivilege	1268	svchost.exe
Token: SeBackupPrivilege	1268	svchost.exe
Token: SeRestorePrivilege	1268	svchost.exe
Token: SeIncreaseQuotaPrivilege	1268	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1268	svchost.exe
Token: SeImpersonatePrivilege	1268	svchost.exe
Token: SeTcbPrivilege	1268	svchost.exe
Token: SeChangeNotifyPrivilege	1268	svchost.exe
Token: SeCreateTokenPrivilege	1268	svchost.exe
Token: SeBackupPrivilege	1268	svchost.exe
Token: SeRestorePrivilege	1268	svchost.exe
Token: SeIncreaseQuotaPrivilege	1268	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1268	svchost.exe
Token: SeImpersonatePrivilege	1268	svchost.exe
Token: SeTcbPrivilege	1268	svchost.exe
Token: SeChangeNotifyPrivilege	1268	svchost.exe
Token: SeCreateTokenPrivilege	1268	svchost.exe
Token: SeBackupPrivilege	1268	svchost.exe
Token: SeRestorePrivilege	1268	svchost.exe
Token: SeIncreaseQuotaPrivilege	1268	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1268	svchost.exe
Token: SeImpersonatePrivilege	1268	svchost.exe
Token: SeTcbPrivilege	1268	svchost.exe
Token: SeChangeNotifyPrivilege	1268	svchost.exe
Token: SeCreateTokenPrivilege	1268	svchost.exe
Token: SeBackupPrivilege	1268	svchost.exe
Token: SeRestorePrivilege	1268	svchost.exe
Token: SeIncreaseQuotaPrivilege	1268	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1268	svchost.exe
Token: SeImpersonatePrivilege	1268	svchost.exe
Token: SeTcbPrivilege	1268	svchost.exe
Token: SeChangeNotifyPrivilege	1268	svchost.exe
Token: SeCreateTokenPrivilege	1268	svchost.exe
Token: SeBackupPrivilege	1268	svchost.exe
Token: SeRestorePrivilege	1268	svchost.exe
Token: SeIncreaseQuotaPrivilege	1268	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1268	svchost.exe
Token: SeImpersonatePrivilege	1956	svchost.exe
Token: SeTcbPrivilege	1956	svchost.exe
Token: SeChangeNotifyPrivilege	1956	svchost.exe
Token: SeCreateTokenPrivilege	1956	svchost.exe
Token: SeBackupPrivilege	1956	svchost.exe
Token: SeRestorePrivilege	1956	svchost.exe
Token: SeIncreaseQuotaPrivilege	1956	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1956	svchost.exe
Token: SeImpersonatePrivilege	1956	svchost.exe
Token: SeTcbPrivilege	1956	svchost.exe
Token: SeChangeNotifyPrivilege	1956	svchost.exe
Token: SeCreateTokenPrivilege	1956	svchost.exe
Token: SeBackupPrivilege	1956	svchost.exe
Token: SeRestorePrivilege	1956	svchost.exe
Token: SeIncreaseQuotaPrivilege	1956	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1956	svchost.exe
Token: SeImpersonatePrivilege	1956	svchost.exe
Token: SeTcbPrivilege	1956	svchost.exe
Token: SeChangeNotifyPrivilege	1956	svchost.exe
Token: SeCreateTokenPrivilege	1956	svchost.exe
Token: SeBackupPrivilege	1956	svchost.exe
Token: SeRestorePrivilege	1956	svchost.exe
Token: SeIncreaseQuotaPrivilege	1956	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1956	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exesvchost.exe

description	pid	process	target process
PID 3828 wrote to memory of 3844	3828	EXCEL.EXE	regsvr32.exe
PID 3828 wrote to memory of 3844	3828	EXCEL.EXE	regsvr32.exe
PID 3844 wrote to memory of 440	3844	regsvr32.exe	regsvr32.exe
PID 3844 wrote to memory of 440	3844	regsvr32.exe	regsvr32.exe
PID 3844 wrote to memory of 440	3844	regsvr32.exe	regsvr32.exe
PID 440 wrote to memory of 1268	440	regsvr32.exe	svchost.exe
PID 440 wrote to memory of 1268	440	regsvr32.exe	svchost.exe
PID 440 wrote to memory of 1268	440	regsvr32.exe	svchost.exe
PID 440 wrote to memory of 1268	440	regsvr32.exe	svchost.exe
PID 440 wrote to memory of 1268	440	regsvr32.exe	svchost.exe
PID 1268 wrote to memory of 1600	1268	svchost.exe	cmd.exe
PID 1268 wrote to memory of 1600	1268	svchost.exe	cmd.exe
PID 1268 wrote to memory of 1600	1268	svchost.exe	cmd.exe
PID 1268 wrote to memory of 1956	1268	svchost.exe	svchost.exe
PID 1268 wrote to memory of 1956	1268	svchost.exe	svchost.exe
PID 1268 wrote to memory of 1956	1268	svchost.exe	svchost.exe
PID 1268 wrote to memory of 1956	1268	svchost.exe	svchost.exe
PID 1268 wrote to memory of 1956	1268	svchost.exe	svchost.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\in_6.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /i BvkFvmz.ocx
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\SysWOW64\regsvr32.exe
/s /i BvkFvmz.ocx
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\cmd.exe
cmd /K
5⤵
PID:1600

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 668
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:2652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\BvkFvmz.ocx
MD5
56921bed6e4dd3ba4064557d453e403e

SHA1
9a2ec0abbde02b61d56990882ea6c43d833114b3

SHA256
a1ea6e27f13d729c388d0cf8a22f07407bf52290d0b68f4d4da1637d3a2b8eea

SHA512
d27da6d2386185d1ea76a195bee2d72e1ac229b841f4b60eafe0e4055cbaaaeecd99e1d9f0693eab660fa480baa74a00ad9a0ca43b392a83d285ddea4bf8911c

Download Submit
\Users\Admin\Documents\BvkFvmz.ocx
MD5
56921bed6e4dd3ba4064557d453e403e

SHA1
9a2ec0abbde02b61d56990882ea6c43d833114b3

SHA256
a1ea6e27f13d729c388d0cf8a22f07407bf52290d0b68f4d4da1637d3a2b8eea

SHA512
d27da6d2386185d1ea76a195bee2d72e1ac229b841f4b60eafe0e4055cbaaaeecd99e1d9f0693eab660fa480baa74a00ad9a0ca43b392a83d285ddea4bf8911c

Download Submit
memory/440-15-0x0000000000000000-mapping.dmp

Download
memory/440-2-0x0000000000000000-mapping.dmp

Download
memory/440-24-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/440-22-0x0000000000000000-mapping.dmp

Download
memory/440-21-0x0000000000000000-mapping.dmp

Download
memory/440-17-0x0000000000000000-mapping.dmp

Download
memory/440-16-0x0000000000000000-mapping.dmp

Download
memory/1268-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1268-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1268-5-0x0000000000402960-mapping.dmp

Download
memory/1600-7-0x0000000000000000-mapping.dmp

Download
memory/1956-10-0x000000000BC00000-0x000000000BC12000-memory.dmp

Filesize
72KB

Download
memory/1956-9-0x000000000BC01067-mapping.dmp

Download
memory/1956-8-0x000000000BC00000-0x000000000BC12000-memory.dmp

Filesize
72KB

Download
memory/2652-14-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/2652-18-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/3844-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads