Analysis
- max time kernel: 139s
- max time network: 122s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 17-02-2021 18:42

Static task: static1
Behavioral task: behavioral1
- Sample: 0217_1737094153981.doc
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 0217_1737094153981.doc
- Resource: win10v20201028
General
- Target: 0217_1737094153981.doc
- Size: 391KB
- MD5: df3d7fcf63c6fd0c482d88aed6eecb1d
- SHA1: b790953f90ac8af2d7db4ce6454f451e809aab77
- SHA256: bd768d902abb211edf805fddc926ad87287a770c70ac62475ad4f25d1f314d39
- SHA512: 80a3f01ed294f549621ce0c2a5a09bc1b86adcdb7e3ab5a98064020de923fb9e022f490c5bb4dde5f5214fbc00749bab033311be5b45201795c0716c434c685d
Malware Config
Extracted
- Family: hancitor
- Build: 1702_pro23
- C2: http://hatuderefer.com/8/forum.php
- C2: http://thavelede.ru/8/forum.php
- C2: http://zinsubtal.ru/8/forum.php
Signatures
- Hancitor
  Hancitor is a downloader used to deliver other malware families.
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: rundll32.exe
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 1228 | 1456 | rundll32.exe | WINWORD.EXE
- Blocklisted process makes network request (4 IoCs)
  Processes: rundll32.exe
    flow | pid | process
    28 | 1256 | rundll32.exe
    30 | 1256 | rundll32.exe
    36 | 1256 | rundll32.exe
    38 | 1256 | rundll32.exe
- Loads dropped DLL (1 IoC)
  Processes: rundll32.exe
    pid | process
    1256 | rundll32.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    27 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: rundll32.exe
    description | pid | process | target process
    PID 1256 set thread context of 1924 | 1256 | rundll32.exe | svchost.exe
- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE, svchost.exe
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- NTFS ADS (1 IoC)
  Processes: WINWORD.EXE
    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Local\Temp\{D903C88B-5581-459E-A036-0C4CD24651D9}\Hs52qascx.t0mp:Zone.Identifier | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
    pid | process
    1456 | WINWORD.EXE
    1456 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: rundll32.exe, svchost.exe
    pid | process
    1256 | rundll32.exe
    1256 | rundll32.exe
    1924 | svchost.exe
    1924 | svchost.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes: WINWORD.EXE
    pid | process
    1456 | WINWORD.EXE
    1456 | WINWORD.EXE
    1456 | WINWORD.EXE
    1456 | WINWORD.EXE
    1456 | WINWORD.EXE
    1456 | WINWORD.EXE
    1456 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: WINWORD.EXE, rundll32.exe, rundll32.exe
    description | pid | process | target process
    PID 1456 wrote to memory of 1176 | 1456 | WINWORD.EXE | splwow64.exe
    PID 1456 wrote to memory of 1176 | 1456 | WINWORD.EXE | splwow64.exe
    PID 1456 wrote to memory of 1228 | 1456 | WINWORD.EXE | rundll32.exe
    PID 1456 wrote to memory of 1228 | 1456 | WINWORD.EXE | rundll32.exe
    PID 1228 wrote to memory of 1256 | 1228 | rundll32.exe | rundll32.exe
    PID 1228 wrote to memory of 1256 | 1228 | rundll32.exe | rundll32.exe
    PID 1228 wrote to memory of 1256 | 1228 | rundll32.exe | rundll32.exe
    PID 1256 wrote to memory of 1924 | 1256 | rundll32.exe | svchost.exe
    PID 1256 wrote to memory of 1924 | 1256 | rundll32.exe | svchost.exe
    PID 1256 wrote to memory of 1924 | 1256 | rundll32.exe | svchost.exe
    PID 1256 wrote to memory of 1924 | 1256 | rundll32.exe | svchost.exe
    PID 1256 wrote to memory of 1924 | 1256 | rundll32.exe | svchost.exe
Processes
- [depth 1] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0217_1737094153981.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
  - [depth 2] C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,TLBDQKFFLRJ
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,TLBDQKFFLRJ
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\svchost.exe
        Command line: C:\Windows\System32\svchost.exe
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll
  MD5: ba5d13d64133ff19ab43207d23f467c3
  SHA1: 449e77998a825d543995e138e10aa665381d97d3
  SHA256: ca28945917b92e552b7c7bacb6421bce34285f4bab5290ce14637d84ca5621e8
  SHA512: fb33e5ae73a642346d889271fc0fe3f90b5292a6792a4afd00dee7d5a11401bc0af20ce55b3552cac72bb4304929997de627aabdbdcc23b16826da31a052db9f
- \Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll
  MD5: ba5d13d64133ff19ab43207d23f467c3
  SHA1: 449e77998a825d543995e138e10aa665381d97d3
  SHA256: ca28945917b92e552b7c7bacb6421bce34285f4bab5290ce14637d84ca5621e8
  SHA512: fb33e5ae73a642346d889271fc0fe3f90b5292a6792a4afd00dee7d5a11401bc0af20ce55b3552cac72bb4304929997de627aabdbdcc23b16826da31a052db9f
- memory/1176-7-0x0000000000000000-mapping.dmp
- memory/1176-8-0x0000000002140000-0x0000000002241000-memory.dmp (Filesize: 1.0MB)
- memory/1228-9-0x0000000000000000-mapping.dmp
- memory/1256-14-0x00000000007D0000-0x00000000007D1000-memory.dmp (Filesize: 4KB)
- memory/1256-11-0x0000000000000000-mapping.dmp
- memory/1256-13-0x0000000073960000-0x000000007396A000-memory.dmp (Filesize: 40KB)
- memory/1456-6-0x00007FFB52C70000-0x00007FFB532A7000-memory.dmp (Filesize: 6.2MB)
- memory/1456-5-0x00007FFB33400000-0x00007FFB33410000-memory.dmp (Filesize: 64KB)
- memory/1456-4-0x00007FFB33400000-0x00007FFB33410000-memory.dmp (Filesize: 64KB)
- memory/1456-3-0x00007FFB33400000-0x00007FFB33410000-memory.dmp (Filesize: 64KB)
- memory/1456-2-0x00007FFB33400000-0x00007FFB33410000-memory.dmp (Filesize: 64KB)
- memory/1924-15-0x0000000000400000-0x0000000000448000-memory.dmp (Filesize: 288KB)
- memory/1924-16-0x0000000000401480-mapping.dmp
- memory/1924-17-0x0000000000400000-0x0000000000448000-memory.dmp (Filesize: 288KB)