Analysis

  • max time kernel
    97s
  • max time network
    104s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    01/03/2021, 15:55

General

  • Target

    Hs52qascx.dll

  • Size

    136KB

  • MD5

    8d54e98795c459e0263c1d40cbdfc9f8

  • SHA1

    bd444170211a7b1ce4a185846b7928b9c33e547a

  • SHA256

    7bfd59b4c8b046bf15cb408e51ed482a9d19c3d9201d510978b82c9f58cf8e8a

  • SHA512

    addf71dbffb7a553d25cf27e550a0f70630b1324d372648922e4b1ca12892718629ad96c681bb7d5b074960c7c41d39c1eab0d1fa481f929b4091690de233ff3

Malware Config

Extracted

Family

hancitor

Botnet

0103_jepskew

C2

http://ementincied.com/8/forum.php

http://watoredprocaus.ru/8/forum.php

http://noriblerughly.ru/8/forum.php

Signatures

  • Hancitor

    Hancitor is a downloader used to deliver other malware families.

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Hs52qascx.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\Hs52qascx.dll
      2⤵
        PID:4848
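The process tree above is the whole visible behaviour of this run: the 64-bit regsvr32 is told to silently (/s) register a DLL dropped in the user's Temp folder, and it in turn launches the SysWOW64 regsvr32, which is what 64-bit regsvr32 does when handed a 32-bit module. The following Python is an added detection example written for this page, not tooling from the sandbox or from any vendor. It turns that tree and the extracted C2 list into two checks run over constructed process-creation events. The event fields (image, cmdline, parent_image, pid) are a simplified Sysmon-style layout assumed for the example, the parent of PID 4768 and the benign third event are invented, and the C2 hosts and hashes are copied from the report.

```python
"""Detection helpers derived from the Hancitor report above.

Sample events are CONSTRUCTED for this example; they are not sandbox telemetry.
"""
import re
from urllib.parse import urlparse

# C2 URLs as listed in the extracted config section of the report.
C2_URLS = [
    "http://ementincied.com/8/forum.php",
    "http://watoredprocaus.ru/8/forum.php",
    "http://noriblerughly.ru/8/forum.php",
]
C2_HOSTS = {urlparse(u).hostname.lower() for u in C2_URLS}

# A DLL sitting directly in %LocalAppData%\Temp, as in the report's command line.
TEMP_DLL = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.dll$", re.IGNORECASE)
SILENT_FLAG = re.compile(r"(^|\s)/s(\s|$)", re.IGNORECASE)

# Constructed events mirroring the report's tree (parent of 4768 is an assumption;
# the third event is a benign decoy that must not fire).
SAMPLE_EVENTS = [
    {"pid": 4768, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Hs52qascx.dll"},
    {"pid": 4848, "parent_image": r"C:\Windows\system32\regsvr32.exe",
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"/s C:\Users\Admin\AppData\Local\Temp\Hs52qascx.dll"},
    {"pid": 1234, "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Example\example.dll"},
]


def is_suspicious_regsvr32(event):
    """True when regsvr32 silently registers a DLL located in %LocalAppData%\\Temp."""
    image = event.get("image", "").lower()
    if not image.endswith("\\regsvr32.exe"):
        return False
    cmd = event.get("cmdline", "")
    if not SILENT_FLAG.search(cmd):
        return False
    tokens = cmd.strip().split()
    # The DLL path is the last argument; strip surrounding quotes if present.
    target = tokens[-1].strip('"') if tokens else ""
    return bool(TEMP_DLL.search(target))


def is_wow64_relaunch(event):
    """True when the 64-bit regsvr32 spawns the SysWOW64 (32-bit) regsvr32."""
    parent = event.get("parent_image", "").lower()
    image = event.get("image", "").lower()
    return (parent == r"c:\windows\system32\regsvr32.exe"
            and image == r"c:\windows\syswow64\regsvr32.exe")


def matches_c2(url):
    """True when the URL's host is one of the C2 hosts from the extracted config."""
    host = urlparse(url).hostname
    return host is not None and host.lower() in C2_HOSTS


def scan(events):
    """Return (pid, reasons) for every event that trips at least one check."""
    hits = []
    for ev in events:
        reasons = []
        if is_suspicious_regsvr32(ev):
            reasons.append("regsvr32 /s on Temp DLL")
        if is_wow64_relaunch(ev):
            reasons.append("system32 regsvr32 -> syswow64 regsvr32")
        if reasons:
            hits.append((ev["pid"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
    print(matches_c2("http://ementincied.com/8/forum.php"))
```

Both process checks fire on PID 4848, which is the behaviour to alert on: a SysWOW64 regsvr32 whose parent is the 64-bit regsvr32 and whose only argument is a Temp-folder DLL. The C2 match is host-based rather than full-URL so that a changed path on the same domain still hits.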

Network

MITRE ATT&CK Matrix

Downloads

  • memory/4848-3-0x0000000002841000-0x0000000002856000-memory.dmp

    Filesize

    84KB

  • memory/4848-4-0x0000000002840000-0x000000000284A000-memory.dmp

    Filesize

    40KB

  • memory/4848-5-0x0000000002820000-0x0000000002821000-memory.dmp

    Filesize

    4KB