hancitor | f4427ef6b665bf0563f23fde314caf9f905ab1e049fc5c0b33384d526ec3cbf1

Analysis

max time kernel
127s
max time network
126s
platform
windows7_x64
resource
win7
submitted
14-10-2020 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

han.exe
Size

500KB
MD5

e8a8c90d7da67da7ee790e9e49127cf7
SHA1

65731d02a9a9899b1ee72e822d3dab2129fffa9a
SHA256

f4427ef6b665bf0563f23fde314caf9f905ab1e049fc5c0b33384d526ec3cbf1
SHA512

aa0c0cb8aa0d6864da79cee8e14c3dd70d320d42ca19b999be34a243416011aea3fb9b02a10b860234dde7abfaef6ef4fca704233258beb1b182fb0c043fb9a3

Score

10^/10

hancitor downloader persistence

Malware Config

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Executes dropped EXE 1 IoCs

pid	Process
1836	WinHost32.exe

Deletes itself 1 IoCs

pid	Process
1788	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
616	han.exe
616	han.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinHost32 = "C:\\Windows\\System32\\WinHost32.exe"	han.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinHost32.exe	han.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
616	han.exe
1836	WinHost32.exe
1836	WinHost32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 616 wrote to memory of 1836	616	han.exe	28
PID 616 wrote to memory of 1836	616	han.exe	28
PID 616 wrote to memory of 1836	616	han.exe	28
PID 616 wrote to memory of 1836	616	han.exe	28
PID 616 wrote to memory of 1788	616	han.exe	29
PID 616 wrote to memory of 1788	616	han.exe	29
PID 616 wrote to memory of 1788	616	han.exe	29
PID 616 wrote to memory of 1788	616	han.exe	29

C:\Users\Admin\AppData\Local\Temp\han.exe
"C:\Users\Admin\AppData\Local\Temp\han.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:616
- C:\Windows\SysWOW64\WinHost32.exe
  C:\Windows\System32\WinHost32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1836
- C:\Windows\SysWOW64\cmd.exe
  /c del C:\Users\Admin\AppData\Local\Temp\han.exe >> NUL
  2⤵
  - Deletes itself
  PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1932-5-0x000007FEF7090000-0x000007FEF730A000-memory.dmp

Filesize
2.5MB

Download