Analysis
  Max time kernel:  150s
  Max time network: 150s
  Platform:         windows10_x64
  Resource:         win10v20201028
  Submitted:        25-02-2021 16:45
  Static task:      static1
  URLScan task:     urlscan1
    Sample:   https://buahpinggang.my/emptiness.php
  Behavioral task:  behavioral1
    Sample:   https://buahpinggang.my/emptiness.php
    Resource: win10v20201028
General
  Target: https://buahpinggang.my/emptiness.php
  Sample: 210225-qx3jez1426
Malware Config
  Extracted
    hancitor
    2502_ser3402
    http://speritentz.com/8/forum.php
    http://afternearde.ru/8/forum.php
    http://counivicop.ru/8/forum.php
Signatures
-
Hancitor
  Hancitor is a downloader used to deliver other malware families.
-
Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: rundll32.exe
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 4648 | 1744 | rundll32.exe | WINWORD.EXE
-
Blocklisted process makes network request (3 IoCs)
  Processes: rundll32.exe
    flow | pid  | process
    392  | 2748 | rundll32.exe
    395  | 2748 | rundll32.exe
    397  | 2748 | rundll32.exe
-
Office macro that triggers on suspicious action (1 IoC)
  Office document macro which triggers in special circumstances - often malicious.
  Processes:
    resource | yara_rule
    C:\Users\Admin\Downloads\0225_27840852049042.doc | office_macro_on_action
-
Loads dropped DLL (1 IoC)
  Processes: rundll32.exe
    pid  | process
    2748 | rundll32.exe
-
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    391  | api.ipify.org
-
Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE, firefox.exe
    description       | ioc                                                                                  | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                | firefox.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier    | firefox.exe
    Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     | firefox.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature    | firefox.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision     | firefox.exe
    Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                | WINWORD.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
    description       | ioc                                                          | process
    Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS           | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    | WINWORD.EXE
-
Modifies registry class (1 IoC)
  Processes: firefox.exe
    description | ioc                                                                                   | process
    Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings | firefox.exe
-
NTFS ADS (2 IoCs)
  Processes: firefox.exe, WINWORD.EXE
    description                  | ioc                                                                                                       | process
    File created                 | C:\Users\Admin\Downloads\0225_27840852049042.doc:Zone.Identifier                                           | firefox.exe
    File opened for modification | C:\Users\Admin\AppData\Local\Temp\{EE5DE73D-0769-41CB-95C0-491D3E9C9741}\Hs52qascx.t0mp:Zone.Identifier | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
    pid  | process
    1744 | WINWORD.EXE (x2)
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
    pid  | process
    2748 | rundll32.exe (x2)
-
Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: firefox.exe, AUDIODG.EXE
    description                      | pid  | process
    Token: SeDebugPrivilege          | 4872 | firefox.exe (x2)
    Token: 33                        | 3948 | AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege | 3948 | AUDIODG.EXE
    Token: SeDebugPrivilege          | 4872 | firefox.exe (x3)
-
Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes: firefox.exe
    pid  | process
    4872 | firefox.exe (x4)
-
Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: firefox.exe
    pid  | process
    4872 | firefox.exe (x3)
-
Suspicious use of SetWindowsHookEx (22 IoCs)
  Processes: firefox.exe, WINWORD.EXE
    pid  | process
    4872 | firefox.exe (x7)
    1744 | WINWORD.EXE (x15)
-
Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: firefox.exe
    description                       | pid  | process     | target process | occurrences
    PID 4764 wrote to memory of 4872  | 4764 | firefox.exe | firefox.exe    | 9
    PID 4872 wrote to memory of 720   | 4872 | firefox.exe | firefox.exe    | 2
    PID 4872 wrote to memory of 4208  | 4872 | firefox.exe | firefox.exe    | 43
    PID 4872 wrote to memory of 908   | 4872 | firefox.exe | firefox.exe    | 10
Processes
- [1] C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://buahpinggang.my/emptiness.php
      - Suspicious use of WriteProcessMemory
  - [2] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://buahpinggang.my/emptiness.php
        - Checks processor information in registry
        - Modifies registry class
        - NTFS ADS
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.0.332011879\1696152514" -parentBuildID 20200403170909 -prefsHandle 1528 -prefMapHandle 1508 -prefsLen 1 -prefMapSize 219511 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 1612 gpu
    - [3] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.3.1045707550\1238288905" -childID 1 -isForBrowser -prefsHandle 2196 -prefMapHandle 2192 -prefsLen 156 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 2204 tab
    - [3] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.13.1368259339\1524521623" -childID 2 -isForBrowser -prefsHandle 3188 -prefMapHandle 3184 -prefsLen 7013 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 3236 tab
    - [3] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.20.1919350552\1239770975" -childID 3 -isForBrowser -prefsHandle 4236 -prefMapHandle 4256 -prefsLen 8126 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 4288 tab
    - [3] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.27.64113736\449692072" -childID 4 -isForBrowser -prefsHandle 3532 -prefMapHandle 3528 -prefsLen 8437 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 8700 tab
- [1] C:\Windows\system32\AUDIODG.EXE
      Command line: C:\Windows\system32\AUDIODG.EXE 0x3c4
      - Suspicious use of AdjustPrivilegeToken
- [1] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\0225_27840852049042.doc" /o ""
      - Checks processor information in registry
      - Enumerates system info in registry
      - NTFS ADS
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
  - [2] C:\Windows\splwow64.exe
        Command line: C:\Windows\splwow64.exe 12288
  - [2] C:\Windows\System32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\roaming\microsoft\word\startup\Static.dll,PVAXQXJSHTN
        - Process spawned unexpected child process
    - [3] C:\Windows\SysWOW64\rundll32.exe
          Command line: "C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\roaming\microsoft\word\startup\Static.dll,PVAXQXJSHTN
          - Blocklisted process makes network request
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
      - [4] C:\Windows\SysWOW64\svchost.exe
            Command line: C:\Windows\System32\svchost.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\Downloads\0225_27840852049042.doc
  MD5:    994f9f36af27509b4a08e43d7df3174b
  SHA1:   e2836d2f9e67fa9e4eb143bfa7f62e0b3d789fa8
  SHA256: a0b22f3949fccda17414c368463f516533361f149b1612c9c0a94efdfe3f6971
  SHA512: 0130d614d34a13b086c306222f7b9e9a6bfb7a8bf2952191a86482ad197b929340ded1fc7c929e07186b8ef921303fb3fc65f68ee56f0aa85108f66237cb941b
-
\??\c:\users\admin\appdata\roaming\microsoft\word\startup\Static.dll
  MD5:    d49945a8e31504028a9bcbd7e23ef060
  SHA1:   95430e0b12ebfc9db59548dd392da1d6147b6f7a
  SHA256: f14a66b9438ce0548a5415e6a3897c171397376eca30a01738d76c7db357bc16
  SHA512: e3683a1ca7097a2747c87c56da10818c0c1cb46a06b663654ef03167bc62cbe6ad7afc806a2561dcf210c6730842235ef67daf03bba98f80a6f582163e71db64
-
\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Static.dll
  MD5:    d49945a8e31504028a9bcbd7e23ef060
  SHA1:   95430e0b12ebfc9db59548dd392da1d6147b6f7a
  SHA256: f14a66b9438ce0548a5415e6a3897c171397376eca30a01738d76c7db357bc16
  SHA512: e3683a1ca7097a2747c87c56da10818c0c1cb46a06b663654ef03167bc62cbe6ad7afc806a2561dcf210c6730842235ef67daf03bba98f80a6f582163e71db64