Analysis

  • max time kernel
    30s
  • max time network
    9s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    01/03/2021, 15:55

General

  • Target

    Hs52qascx.dll

  • Size

    136KB

  • MD5

    8d54e98795c459e0263c1d40cbdfc9f8

  • SHA1

    bd444170211a7b1ce4a185846b7928b9c33e547a

  • SHA256

    7bfd59b4c8b046bf15cb408e51ed482a9d19c3d9201d510978b82c9f58cf8e8a

  • SHA512

    addf71dbffb7a553d25cf27e550a0f70630b1324d372648922e4b1ca12892718629ad96c681bb7d5b074960c7c41d39c1eab0d1fa481f929b4091690de233ff3

Malware Config

Extracted

Family

hancitor

Botnet

0103_jepskew

C2

http://ementincied.com/8/forum.php

http://watoredprocaus.ru/8/forum.php

http://noriblerughly.ru/8/forum.php

Signatures

  • Hancitor

    Hancitor is a downloader used to deliver other malware families.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Hs52qascx.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\Hs52qascx.dll
      2⤵
      PID:1500

          Downloads

          • memory/1500-4-0x00000000756A1000-0x00000000756A3000-memory.dmp

            Filesize

            8KB

          • memory/1500-5-0x0000000000140000-0x000000000014A000-memory.dmp

            Filesize

            40KB

          • memory/1500-6-0x0000000000180000-0x0000000000181000-memory.dmp

            Filesize

            4KB

          • memory/1684-2-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp

            Filesize

            8KB