Analysis
max time kernel: 140s
max time network: 142s
platform: windows10_x64
resource: win10v200722
submitted: 14-10-2020 17:01
Static task: static1

Behavioral task: behavioral1
  Sample: han.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: han.exe
  Resource: win10v200722 (windows10_x64)
  0 signatures, 0 seconds
General
Target: han.exe
Size: 500KB
MD5: e8a8c90d7da67da7ee790e9e49127cf7
SHA1: 65731d02a9a9899b1ee72e822d3dab2129fffa9a
SHA256: f4427ef6b665bf0563f23fde314caf9f905ab1e049fc5c0b33384d526ec3cbf1
SHA512: aa0c0cb8aa0d6864da79cee8e14c3dd70d320d42ca19b999be34a243416011aea3fb9b02a10b860234dde7abfaef6ef4fca704233258beb1b182fb0c043fb9a3
Score: 10/10
Malware Config

Signatures

Hancitor
  Hancitor is a downloader used to deliver other malware families.
Executes dropped EXE (1 IoC)
  pid   Process
  1980  WinHost32.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                    Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinHost32 = "C:\\Windows\\System32\\WinHost32.exe"  han.exe

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  13    api.ipify.org

Drops file in System32 directory (1 IoC)
  description   ioc                                Process
  File created  C:\Windows\SysWOW64\WinHost32.exe  han.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  584   han.exe
  584   han.exe
  1980  WinHost32.exe
  1980  WinHost32.exe
  1980  WinHost32.exe
  1980  WinHost32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                      pid  Process  procid_target
  PID 584 wrote to memory of 1980  584  han.exe  76
  PID 584 wrote to memory of 1980  584  han.exe  76
  PID 584 wrote to memory of 1980  584  han.exe  76
  PID 584 wrote to memory of 3132  584  han.exe  77
  PID 584 wrote to memory of 3132  584  han.exe  77
  PID 584 wrote to memory of 3132  584  han.exe  77
Processes

1. C:\Users\Admin\AppData\Local\Temp\han.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\han.exe"
   PID: 584
   - Adds Run key to start application
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WinHost32.exe
      Command line: C:\Windows\System32\WinHost32.exe
      PID: 1980
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: /c del C:\Users\Admin\AppData\Local\Temp\han.exe >> NUL
      PID: 3132