hancitor | hxxps://buahpinggang[.]my/emptiness[.]php

General

Target

https://buahpinggang.my/emptiness.php
Sample

210225-qx3jez1426

Score

10^/10

hancitor 2502_ser3402 downloader macro macro_on_action

Malware Config

Extracted

Family

hancitor

Botnet

2502_ser3402

C2

http://speritentz.com/8/forum.php

http://afternearde.ru/8/forum.php

http://counivicop.ru/8/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4648	1744	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

392 2748 rundll32.exe
395 2748 rundll32.exe
397 2748 rundll32.exe

flow	pid	process
392	2748	rundll32.exe
395	2748	rundll32.exe
397	2748	rundll32.exe

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\0225_27840852049042.doc	office_macro_on_action

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2748 rundll32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

391 api.ipify.org

pid	process
2748	rundll32.exe

flow	ioc
391	api.ipify.org

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEfirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

Processes:

firefox.exeWINWORD.EXE

description	ioc	process
File created	C:\Users\Admin\Downloads\0225_27840852049042.doc:Zone.Identifier	firefox.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{EE5DE73D-0769-41CB-95C0-491D3E9C9741}\Hs52qascx.t0mp:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1744 WINWORD.EXE
1744 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

2748 rundll32.exe
2748 rundll32.exe

pid	process
1744	WINWORD.EXE
1744	WINWORD.EXE

pid	process
2748	rundll32.exe
2748	rundll32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

firefox.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	4872	firefox.exe
Token: SeDebugPrivilege	4872	firefox.exe
Token: 33	3948	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3948	AUDIODG.EXE
Token: SeDebugPrivilege	4872	firefox.exe
Token: SeDebugPrivilege	4872	firefox.exe
Token: SeDebugPrivilege	4872	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4872 firefox.exe
4872 firefox.exe
4872 firefox.exe
4872 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4872 firefox.exe
4872 firefox.exe
4872 firefox.exe

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

firefox.exeWINWORD.EXE

pid	process
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
4872	firefox.exe
1744	WINWORD.EXE
1744	WINWORD.EXE
1744	WINWORD.EXE
1744	WINWORD.EXE
1744	WINWORD.EXE
1744	WINWORD.EXE
1744	WINWORD.EXE
1744	WINWORD.EXE
1744	WINWORD.EXE
1744	WINWORD.EXE
1744	WINWORD.EXE
1744	WINWORD.EXE
1744	WINWORD.EXE
1744	WINWORD.EXE
1744	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4764 wrote to memory of 4872	4764	firefox.exe	firefox.exe
PID 4764 wrote to memory of 4872	4764	firefox.exe	firefox.exe
PID 4764 wrote to memory of 4872	4764	firefox.exe	firefox.exe
PID 4764 wrote to memory of 4872	4764	firefox.exe	firefox.exe
PID 4764 wrote to memory of 4872	4764	firefox.exe	firefox.exe
PID 4764 wrote to memory of 4872	4764	firefox.exe	firefox.exe
PID 4764 wrote to memory of 4872	4764	firefox.exe	firefox.exe
PID 4764 wrote to memory of 4872	4764	firefox.exe	firefox.exe
PID 4764 wrote to memory of 4872	4764	firefox.exe	firefox.exe
PID 4872 wrote to memory of 720	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 720	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 4208	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 908	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 908	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 908	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 908	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 908	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 908	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 908	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 908	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 908	4872	firefox.exe	firefox.exe
PID 4872 wrote to memory of 908	4872	firefox.exe	firefox.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://buahpinggang.my/emptiness.php
1⤵
- Suspicious use of WriteProcessMemory
PID:4764

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://buahpinggang.my/emptiness.php
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4872

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.0.332011879\1696152514" -parentBuildID 20200403170909 -prefsHandle 1528 -prefMapHandle 1508 -prefsLen 1 -prefMapSize 219511 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 1612 gpu
3⤵
PID:720

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.3.1045707550\1238288905" -childID 1 -isForBrowser -prefsHandle 2196 -prefMapHandle 2192 -prefsLen 156 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 2204 tab
3⤵
PID:4208

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.13.1368259339\1524521623" -childID 2 -isForBrowser -prefsHandle 3188 -prefMapHandle 3184 -prefsLen 7013 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 3236 tab
3⤵
PID:908

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.20.1919350552\1239770975" -childID 3 -isForBrowser -prefsHandle 4236 -prefMapHandle 4256 -prefsLen 8126 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 4288 tab
3⤵
PID:4504

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4872.27.64113736\449692072" -childID 4 -isForBrowser -prefsHandle 3532 -prefMapHandle 3528 -prefsLen 8437 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4872 "\\.\pipe\gecko-crash-server-pipe.4872" 8700 tab
3⤵
PID:3264

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\0225_27840852049042.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1744

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4308

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\roaming\microsoft\word\startup\Static.dll,PVAXQXJSHTN
2⤵
- Process spawned unexpected child process
PID:4648

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\roaming\microsoft\word\startup\Static.dll,PVAXQXJSHTN
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2748

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
4⤵
PID:988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Downloads\0225_27840852049042.doc
MD5
994f9f36af27509b4a08e43d7df3174b

SHA1
e2836d2f9e67fa9e4eb143bfa7f62e0b3d789fa8

SHA256
a0b22f3949fccda17414c368463f516533361f149b1612c9c0a94efdfe3f6971

SHA512
0130d614d34a13b086c306222f7b9e9a6bfb7a8bf2952191a86482ad197b929340ded1fc7c929e07186b8ef921303fb3fc65f68ee56f0aa85108f66237cb941b

Download Submit
\??\c:\users\admin\appdata\roaming\microsoft\word\startup\Static.dll
MD5
d49945a8e31504028a9bcbd7e23ef060

SHA1
95430e0b12ebfc9db59548dd392da1d6147b6f7a

SHA256
f14a66b9438ce0548a5415e6a3897c171397376eca30a01738d76c7db357bc16

SHA512
e3683a1ca7097a2747c87c56da10818c0c1cb46a06b663654ef03167bc62cbe6ad7afc806a2561dcf210c6730842235ef67daf03bba98f80a6f582163e71db64

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Static.dll
MD5
d49945a8e31504028a9bcbd7e23ef060

SHA1
95430e0b12ebfc9db59548dd392da1d6147b6f7a

SHA256
f14a66b9438ce0548a5415e6a3897c171397376eca30a01738d76c7db357bc16

SHA512
e3683a1ca7097a2747c87c56da10818c0c1cb46a06b663654ef03167bc62cbe6ad7afc806a2561dcf210c6730842235ef67daf03bba98f80a6f582163e71db64

Download Submit
memory/720-3-0x0000000000000000-mapping.dmp

Download
memory/908-5-0x0000000000000000-mapping.dmp

Download
memory/1744-23-0x00007FF934190000-0x00007FF936CB3000-memory.dmp

Filesize
43.1MB

Download
memory/1744-26-0x00007FF91BD80000-0x00007FF91BD90000-memory.dmp

Filesize
64KB

Download
memory/1744-9-0x00007FF91BD80000-0x00007FF91BD90000-memory.dmp

Filesize
64KB

Download
memory/1744-10-0x00007FF91BD80000-0x00007FF91BD90000-memory.dmp

Filesize
64KB

Download
memory/1744-11-0x00007FF932A00000-0x00007FF933037000-memory.dmp

Filesize
6.2MB

Download
memory/1744-12-0x00007FF91BD80000-0x00007FF91BD90000-memory.dmp

Filesize
64KB

Download
memory/1744-8-0x00007FF91BD80000-0x00007FF91BD90000-memory.dmp

Filesize
64KB

Download
memory/1744-22-0x00007FF934190000-0x00007FF936CB3000-memory.dmp

Filesize
43.1MB

Download
memory/1744-21-0x00007FF934190000-0x00007FF936CB3000-memory.dmp

Filesize
43.1MB

Download
memory/1744-27-0x00007FF91BD80000-0x00007FF91BD90000-memory.dmp

Filesize
64KB

Download
memory/1744-24-0x00007FF91BD80000-0x00007FF91BD90000-memory.dmp

Filesize
64KB

Download
memory/1744-20-0x00007FF934190000-0x00007FF936CB3000-memory.dmp

Filesize
43.1MB

Download
memory/1744-25-0x00007FF91BD80000-0x00007FF91BD90000-memory.dmp

Filesize
64KB

Download
memory/2748-18-0x0000000000000000-mapping.dmp

Download
memory/2748-28-0x00000000736C0000-0x00000000736CA000-memory.dmp

Filesize
40KB

Download
memory/2748-29-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3264-7-0x0000000000000000-mapping.dmp

Download
memory/4208-4-0x0000000000000000-mapping.dmp

Download
memory/4308-15-0x0000000002870000-0x0000000002971000-memory.dmp

Filesize
1.0MB

Download
memory/4308-14-0x0000000000000000-mapping.dmp

Download
memory/4504-6-0x0000000000000000-mapping.dmp

Download
memory/4648-16-0x0000000000000000-mapping.dmp

Download
memory/4872-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads