Analysis
max time kernel: 38s
max time network: 151s
platform: windows10_x64
resource: win10v20201028
submitted: 02/03/2021, 15:09
Static task: static1
Behavioral task: behavioral1
  Sample: msals.dll
  Resource: win7v20201028
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: msals.dll
  Resource: win10v20201028
  0 signatures, 0 seconds
General
Target: msals.dll
Size: 505KB
MD5: 741b89c931a77fd51e32aaabed639688
SHA1: 96ad013d912c27ae60c3ca2cbeb4482900923e31
SHA256: 46ef7a76af23c6b073fabeb7242c7b5727c379a07cc1081532212e4ba2132abe
SHA512: ad23ca238dd639160e6b2361850e6c47d3a155efc7f69e421445ab2dbfdd3942fe1056901274a32f22041fd2004524da62ef3fb6b4299307360ccba9b131bfce
Score: 10/10
Malware Config (extracted)
Family: hancitor
Botnet: 0203_lisr93
C2:
  http://witakilateg.com/8/forum.php
  http://sonalsovele.ru/8/forum.php
  http://duchateman.ru/8/forum.php
Signatures
Hancitor
Hancitor is a downloader used to deliver other malware families.
Program crash (1 IoC)
  pid    pid_target   Process        procid_target
  3968   640          WerFault.exe   69
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid    Process
  3968   WerFault.exe   (14 identical entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                 pid    Process
  Token: SeRestorePrivilege   3968   WerFault.exe
  Token: SeBackupPrivilege    3968   WerFault.exe
  Token: SeDebugPrivilege     3968   WerFault.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid    Process
  640    rundll32.exe
  640    rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid    Process        procid_target
  PID 3584 wrote to memory of 640   3584   rundll32.exe   69
  PID 3584 wrote to memory of 640   3584   rundll32.exe   69
  PID 3584 wrote to memory of 640   3584   rundll32.exe   69
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\msals.dll,#1
   PID: 3584
   Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\msals.dll,#1
      PID: 640
      Suspicious use of SetWindowsHookEx
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 868
         PID: 3968
         Program crash
         Suspicious behavior: EnumeratesProcesses
         Suspicious use of AdjustPrivilegeToken