Analysis

max time kernel: 150s
max time network: 150s
platform: windows10_x64
resource: win10v20201028
submitted: 25/02/2021, 16:45

Static task: static1
Sample: https://buahpinggang.my/emptiness.php

URLScan task: urlscan1
Sample: https://buahpinggang.my/emptiness.php

Behavioral task: behavioral1
Sample: https://buahpinggang.my/emptiness.php
Resource: win10v20201028

General

Target: https://buahpinggang.my/emptiness.php
Sample: 210225-qx3jez1426
Malware Config

Extracted
Family: hancitor
Campaign: 2502_ser3402
C2: http://speritentz.com/8/forum.php
C2: http://afternearde.ru/8/forum.php
C2: http://counivicop.ru/8/forum.php
Signatures

Hancitor
Hancitor is a downloader used to deliver other malware families.

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 4648 | 1744 | rundll32.exe | 85
Blocklisted process makes network request (3 IoCs)
flow | pid | Process
392 | 2748 | rundll32.exe
395 | 2748 | rundll32.exe
397 | 2748 | rundll32.exe

Office macro that triggers on suspicious action (1 IoC)
Office document macro which triggers in special circumstances - often malicious.
resource | yara_rule
behavioral1/files/0x000400000001ab84-13.dat | office_macro_on_action

Loads dropped DLL (1 IoC)
pid | Process
2748 | rundll32.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
391 | api.ipify.org
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings | firefox.exe

NTFS ADS (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\Downloads\0225_27840852049042.doc:Zone.Identifier | firefox.exe
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{EE5DE73D-0769-41CB-95C0-491D3E9C9741}\Hs52qascx.t0mp:Zone.Identifier | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
1744 | WINWORD.EXE
1744 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2748 | rundll32.exe
2748 | rundll32.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4872 | firefox.exe
Token: SeDebugPrivilege | 4872 | firefox.exe
Token: 33 | 3948 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 3948 | AUDIODG.EXE
Token: SeDebugPrivilege | 4872 | firefox.exe
Token: SeDebugPrivilege | 4872 | firefox.exe
Token: SeDebugPrivilege | 4872 | firefox.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
pid | Process
4872 | firefox.exe
4872 | firefox.exe
4872 | firefox.exe
4872 | firefox.exe

Suspicious use of SendNotifyMessage (3 IoCs)
pid | Process
4872 | firefox.exe
4872 | firefox.exe
4872 | firefox.exe

Suspicious use of SetWindowsHookEx (22 IoCs)
pid | Process
4872 | firefox.exe
4872 | firefox.exe
4872 | firefox.exe
4872 | firefox.exe
4872 | firefox.exe
4872 | firefox.exe
4872 | firefox.exe
1744 | WINWORD.EXE
1744 | WINWORD.EXE
1744 | WINWORD.EXE
1744 | WINWORD.EXE
1744 | WINWORD.EXE
1744 | WINWORD.EXE
1744 | WINWORD.EXE
1744 | WINWORD.EXE
1744 | WINWORD.EXE
1744 | WINWORD.EXE
1744 | WINWORD.EXE
1744 | WINWORD.EXE
1744 | WINWORD.EXE
1744 | WINWORD.EXE
1744 | WINWORD.EXE

Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://buahpinggang.my/emptiness.php
  - Suspicious use of WriteProcessMemory
  PID: 4764

  C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://buahpinggang.my/emptiness.php
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4872

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.0.332011879\1696152514" -parentBuildID 20200403170909 -prefsHandle 1528 -prefMapHandle 1508 -prefsLen 1 -prefMapSize 219511 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 1612 gpu
      PID: 720

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.3.1045707550\1238288905" -childID 1 -isForBrowser -prefsHandle 2196 -prefMapHandle 2192 -prefsLen 156 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 2204 tab
      PID: 4208

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.13.1368259339\1524521623" -childID 2 -isForBrowser -prefsHandle 3188 -prefMapHandle 3184 -prefsLen 7013 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 3236 tab
      PID: 908

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.20.1919350552\1239770975" -childID 3 -isForBrowser -prefsHandle 4236 -prefMapHandle 4256 -prefsLen 8126 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 4288 tab
      PID: 4504

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.27.64113736\449692072" -childID 4 -isForBrowser -prefsHandle 3532 -prefMapHandle 3528 -prefsLen 8437 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 8700 tab
      PID: 3264

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x3c4
  - Suspicious use of AdjustPrivilegeToken
  PID: 3948

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\0225_27840852049042.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 1744

  C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 4308

  C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\roaming\microsoft\word\startup\Static.dll,PVAXQXJSHTN
    - Process spawned unexpected child process
    PID: 4648

    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\roaming\microsoft\word\startup\Static.dll,PVAXQXJSHTN
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      PID: 2748

      C:\Windows\SysWOW64\svchost.exe
        Command line: C:\Windows\System32\svchost.exe
        PID: 988