Analysis
-
max time kernel
128s -
max time network
130s -
platform
windows7_x64 -
resource
win7 -
submitted
28-10-2020 15:34
General
-
Target
exect.exe
-
Size
670KB
-
MD5
28e9316fb298d2e7a3d9fd71c662b3ec
-
SHA1
1c3737add4444a2cb0842d1a5535005b7aa8e7a4
-
SHA256
de5e9077481f7cf0b1addaeaaf21d6d39cabed2eea02276aaf9c241bce446c3d
-
SHA512
ccf5bfd384e231180a8e1153b45a0be518d17dc782335d47c543f9dba48cd03c6bf7ce0b34dde92b88f404e248e7484dfac6c1f39dde5a40f40eafdf53eb7bce
Score
10/10
Malware Config
Signatures
-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\exect.exe"C:\Users\Admin\AppData\Local\Temp\exect.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WinHost32.exeC:\Windows\System32\WinHost32.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\cmd.exe/c del C:\Users\Admin\AppData\Local\Temp\exect.exe >> NUL2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB