Analysis
-
max time kernel
128s -
max time network
127s -
platform
windows7_x64 -
resource
win7 -
submitted
22-10-2020 16:12
General
-
Target
xl.png.exe
-
Size
675KB
-
MD5
e122130010bcf147886f9d29a3c0b40d
-
SHA1
b65a0b20ec97040b929ebaca5ef5970e1017a3f5
-
SHA256
773f5e4bc9f8c4aac82f8cab8f416efe83f5a39735358301c6ca0559d61c8bf0
-
SHA512
a2f55b48fbc0eaa372d4db06b495236f05813c06cf2e31eecd12effae56806a2712be4c72119c518dab390487034b0ecff94f83047d3476d58d67bc24a1f7501
Score
10/10
Malware Config
Signatures
-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\xl.png.exe"C:\Users\Admin\AppData\Local\Temp\xl.png.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WinHost32.exeC:\Windows\System32\WinHost32.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\cmd.exe/c del C:\Users\Admin\AppData\Local\Temp\xl.png.exe >> NUL2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB