hancitor | e4d6561ef40ae9c9e4343fb6184523a2f1fd90653245bd9ed017c858d49fc6c3

Analysis

max time kernel
135s
max time network
142s
platform
windows10_x64
resource
win10
submitted
15-07-2020 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

in_6.xls
Size

90KB
MD5

d72515d8b2eecab727781df270c548b3
SHA1

1578bed7a4a4c4d61f8c1fc003b0d26feaf56e09
SHA256

e4d6561ef40ae9c9e4343fb6184523a2f1fd90653245bd9ed017c858d49fc6c3
SHA512

66a790306116ce388685568063287dd663639f9d4adc06e668ea45f6e29810c6e35c7ad5beeafd7cf6b82e5e89c6e42f8c427b3eb8951637bc5ae2153d4590bc

Score

10^/10

hancitor pony 1307_qsew downloader rat spyware stealer

Malware Config

Extracted

Family

hancitor

Botnet

1307_qsew

http://overnightfile.com/4/forum.php

http://toolboxkasa.ru/4/forum.php

http://ibexjade.ru/4/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3844	3828	regsvr32.exe	66

Loads dropped DLL 1 IoCs

pid	Process
440	regsvr32.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 440 set thread context of 1268	440	regsvr32.exe	76
PID 1268 set thread context of 1956	1268	svchost.exe	79

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2652	440	WerFault.exe	74

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3828	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1268	svchost.exe
1268	svchost.exe
1268	svchost.exe
1268	svchost.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe

Suspicious use of AdjustPrivilegeToken 67 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	1268	svchost.exe
Token: SeTcbPrivilege	1268	svchost.exe
Token: SeChangeNotifyPrivilege	1268	svchost.exe
Token: SeCreateTokenPrivilege	1268	svchost.exe
Token: SeBackupPrivilege	1268	svchost.exe
Token: SeRestorePrivilege	1268	svchost.exe
Token: SeIncreaseQuotaPrivilege	1268	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1268	svchost.exe
Token: SeImpersonatePrivilege	1268	svchost.exe
Token: SeTcbPrivilege	1268	svchost.exe
Token: SeChangeNotifyPrivilege	1268	svchost.exe
Token: SeCreateTokenPrivilege	1268	svchost.exe
Token: SeBackupPrivilege	1268	svchost.exe
Token: SeRestorePrivilege	1268	svchost.exe
Token: SeIncreaseQuotaPrivilege	1268	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1268	svchost.exe
Token: SeImpersonatePrivilege	1268	svchost.exe
Token: SeTcbPrivilege	1268	svchost.exe
Token: SeChangeNotifyPrivilege	1268	svchost.exe
Token: SeCreateTokenPrivilege	1268	svchost.exe
Token: SeBackupPrivilege	1268	svchost.exe
Token: SeRestorePrivilege	1268	svchost.exe
Token: SeIncreaseQuotaPrivilege	1268	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1268	svchost.exe
Token: SeImpersonatePrivilege	1268	svchost.exe
Token: SeTcbPrivilege	1268	svchost.exe
Token: SeChangeNotifyPrivilege	1268	svchost.exe
Token: SeCreateTokenPrivilege	1268	svchost.exe
Token: SeBackupPrivilege	1268	svchost.exe
Token: SeRestorePrivilege	1268	svchost.exe
Token: SeIncreaseQuotaPrivilege	1268	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1268	svchost.exe
Token: SeImpersonatePrivilege	1268	svchost.exe
Token: SeTcbPrivilege	1268	svchost.exe
Token: SeChangeNotifyPrivilege	1268	svchost.exe
Token: SeCreateTokenPrivilege	1268	svchost.exe
Token: SeBackupPrivilege	1268	svchost.exe
Token: SeRestorePrivilege	1268	svchost.exe
Token: SeIncreaseQuotaPrivilege	1268	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1268	svchost.exe
Token: SeImpersonatePrivilege	1956	svchost.exe
Token: SeTcbPrivilege	1956	svchost.exe
Token: SeChangeNotifyPrivilege	1956	svchost.exe
Token: SeCreateTokenPrivilege	1956	svchost.exe
Token: SeBackupPrivilege	1956	svchost.exe
Token: SeRestorePrivilege	1956	svchost.exe
Token: SeIncreaseQuotaPrivilege	1956	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1956	svchost.exe
Token: SeImpersonatePrivilege	1956	svchost.exe
Token: SeTcbPrivilege	1956	svchost.exe
Token: SeChangeNotifyPrivilege	1956	svchost.exe
Token: SeCreateTokenPrivilege	1956	svchost.exe
Token: SeBackupPrivilege	1956	svchost.exe
Token: SeRestorePrivilege	1956	svchost.exe
Token: SeIncreaseQuotaPrivilege	1956	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1956	svchost.exe
Token: SeImpersonatePrivilege	1956	svchost.exe
Token: SeTcbPrivilege	1956	svchost.exe
Token: SeChangeNotifyPrivilege	1956	svchost.exe
Token: SeCreateTokenPrivilege	1956	svchost.exe
Token: SeBackupPrivilege	1956	svchost.exe
Token: SeRestorePrivilege	1956	svchost.exe
Token: SeIncreaseQuotaPrivilege	1956	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1956	svchost.exe
Token: SeRestorePrivilege	2652	WerFault.exe
Token: SeBackupPrivilege	2652	WerFault.exe
Token: SeDebugPrivilege	2652	WerFault.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 3844	3828	EXCEL.EXE	73
PID 3828 wrote to memory of 3844	3828	EXCEL.EXE	73
PID 3844 wrote to memory of 440	3844	regsvr32.exe	74
PID 3844 wrote to memory of 440	3844	regsvr32.exe	74
PID 3844 wrote to memory of 440	3844	regsvr32.exe	74
PID 440 wrote to memory of 1268	440	regsvr32.exe	76
PID 440 wrote to memory of 1268	440	regsvr32.exe	76
PID 440 wrote to memory of 1268	440	regsvr32.exe	76
PID 440 wrote to memory of 1268	440	regsvr32.exe	76
PID 440 wrote to memory of 1268	440	regsvr32.exe	76
PID 1268 wrote to memory of 1600	1268	svchost.exe	77
PID 1268 wrote to memory of 1600	1268	svchost.exe	77
PID 1268 wrote to memory of 1600	1268	svchost.exe	77
PID 1268 wrote to memory of 1956	1268	svchost.exe	79
PID 1268 wrote to memory of 1956	1268	svchost.exe	79
PID 1268 wrote to memory of 1956	1268	svchost.exe	79
PID 1268 wrote to memory of 1956	1268	svchost.exe	79
PID 1268 wrote to memory of 1956	1268	svchost.exe	79

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\in_6.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s /i BvkFvmz.ocx
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\SysWOW64\regsvr32.exe
    /s /i BvkFvmz.ocx
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:440
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\System32\svchost.exe
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1268
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /K
        5⤵
        
        PID:1600
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\System32\svchost.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 668
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      PID:2652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/440-24-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/1268-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1268-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1956-10-0x000000000BC00000-0x000000000BC12000-memory.dmp

Filesize
72KB

Download
memory/1956-8-0x000000000BC00000-0x000000000BC12000-memory.dmp

Filesize
72KB

Download
memory/2652-14-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/2652-18-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download