Analysis
- max time kernel: 138s
- max time network: 138s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 13-01-2021 15:30
Static task: static1
Behavioral task: behavioral1 (Sample: 0fiasS.dll, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: 0fiasS.dll, Resource: win10v20201028)
General
- Target: 0fiasS.dll
- Size: 459KB
- MD5: 7dafd3cf24542dfb021e4ee6f9af03c4
- SHA1: 2d9445e1483503b2ca1a9451b37cb7144e711498
- SHA256: 6ebc86e6f913ec435d6b7eeda2e0fbedf0fa6cc238af54b18da5c9588df399a3
- SHA512: d4d9af7ba43840bfc686dcf0f354253dfad5e97efa2b5b87e5d5c1039250f29580db312fbdbd9f2c21751e9f56476a9039ddfb555a1c29dc968b53f58753fde0
Malware Config
Signatures
- Hancitor
  Hancitor is a downloader used to deliver other malware families.
- Blocklisted process makes network request (5 IoCs)
  Processes (flow | pid | process):
  5 | 1496 | rundll32.exe
  7 | 1496 | rundll32.exe
  9 | 1496 | rundll32.exe
  15 | 1496 | rundll32.exe
  16 | 1496 | rundll32.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
  4 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 1496 set thread context of 332 | 1496 | rundll32.exe | svchost.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid | process):
  1496 | rundll32.exe
  332 | svchost.exe
  1496 | rundll32.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description | pid | process | target process):
  PID 1640 wrote to memory of 1496 | 1640 | rundll32.exe | rundll32.exe
  PID 1640 wrote to memory of 1496 | 1640 | rundll32.exe | rundll32.exe
  PID 1640 wrote to memory of 1496 | 1640 | rundll32.exe | rundll32.exe
  PID 1640 wrote to memory of 1496 | 1640 | rundll32.exe | rundll32.exe
  PID 1640 wrote to memory of 1496 | 1640 | rundll32.exe | rundll32.exe
  PID 1640 wrote to memory of 1496 | 1640 | rundll32.exe | rundll32.exe
  PID 1640 wrote to memory of 1496 | 1640 | rundll32.exe | rundll32.exe
  PID 1496 wrote to memory of 332 | 1496 | rundll32.exe | svchost.exe
  PID 1496 wrote to memory of 332 | 1496 | rundll32.exe | svchost.exe
  PID 1496 wrote to memory of 332 | 1496 | rundll32.exe | svchost.exe
  PID 1496 wrote to memory of 332 | 1496 | rundll32.exe | svchost.exe
  PID 1496 wrote to memory of 332 | 1496 | rundll32.exe | svchost.exe
  PID 1496 wrote to memory of 332 | 1496 | rundll32.exe | svchost.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fiasS.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fiasS.dll,#1
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\System32\svchost.exe
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/332-4-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize: 312KB)
- memory/332-5-0x0000000000401480-mapping.dmp
- memory/332-6-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize: 312KB)
- memory/1496-2-0x0000000000000000-mapping.dmp
- memory/1584-3-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp (Filesize: 2.5MB)