Analysis

max time kernel:  149s
max time network: 148s
platform:         windows7_x64
resource:         win7v20201028
submitted:        02/03/2021, 15:09
Tasks

Static task:     static1
Behavioral task: behavioral1 (Sample: msals.dll, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: msals.dll, Resource: win10v20201028)
General

Target: msals.dll
Size:   505KB
MD5:    741b89c931a77fd51e32aaabed639688
SHA1:   96ad013d912c27ae60c3ca2cbeb4482900923e31
SHA256: 46ef7a76af23c6b073fabeb7242c7b5727c379a07cc1081532212e4ba2132abe
SHA512: ad23ca238dd639160e6b2361850e6c47d3a155efc7f69e421445ab2dbfdd3942fe1056901274a32f22041fd2004524da62ef3fb6b4299307360ccba9b131bfce
Malware Config

Extracted

Family:   hancitor
Campaign: 0203_lisr93
C2:
  http://witakilateg.com/8/forum.php
  http://sonalsovele.ru/8/forum.php
  http://duchateman.ru/8/forum.php
Signatures

Hancitor
Hancitor is a downloader used to deliver other malware families.
Blocklisted process makes network request (4 IoCs)

  flow  pid   Process
  7     1628  rundll32.exe
  9     1628  rundll32.exe
  11    1628  rundll32.exe
  23    1628  rundll32.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.

  flow  ioc
  6     api.ipify.org

Suspicious use of SetThreadContext (1 IoC)

  description                         pid   Process       procid_target
  PID 1628 set thread context of 552  1628  rundll32.exe  32

Suspicious behavior: EnumeratesProcesses (3 IoCs)

  pid   Process
  1628  rundll32.exe
  1628  rundll32.exe
  1628  rundll32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)

  pid   Process
  1628  rundll32.exe
  1628  rundll32.exe

Suspicious use of WriteProcessMemory (13 IoCs)

  description                       pid   Process       procid_target  occurrences
  PID 2044 wrote to memory of 1628  2044  rundll32.exe  25             7
  PID 1628 wrote to memory of 552   1628  rundll32.exe  32             6
Processes

C:\Windows\system32\rundll32.exe (PID: 2044)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\msals.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID: 1628)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\msals.dll,#1
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe (PID: 552)
      Command line: C:\Windows\System32\svchost.exe