Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 02/03/2021, 15:31
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: Static.dll, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: Static.dll, Resource: win10v20201028)
General
- Target: Static.dll
- Size: 505KB
- MD5: 88cd2507c2e10e4e27318497809ff4a3
- SHA1: 33db82f09c064c7bab56edbd524e766ca9b51ab9
- SHA256: bc5143aac84401fa5c3ff649b6b756aa64975a6371a84e14de6420704b703610
- SHA512: bfc35f6cc693924281a5c771d2035925af6d4e0b4c12810a30b1c3e6ea163e2622a7e83a7a875af9424a21dfc181aabe31b54ad5586f8db34612e9f8828028de
Malware Config
Extracted
- Family: hancitor
- Build: 0203_lisr93
- C2 URLs:
  - http://witakilateg.com/8/forum.php
  - http://sonalsovele.ru/8/forum.php
  - http://duchateman.ru/8/forum.php
Signatures
- Hancitor
  Hancitor is a downloader used to deliver other malware families.
- Blocklisted process makes network request (4 IoCs)
  flow  pid   Process
  7     2012  rundll32.exe
  9     2012  rundll32.exe
  11    2012  rundll32.exe
  23    2012  rundll32.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  6     api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  description                            pid   Process       procid_target
  PID 2012 set thread context of 1684    2012  rundll32.exe  32
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2012  rundll32.exe
  2012  rundll32.exe
  2012  rundll32.exe
  2012  rundll32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2012  rundll32.exe
  2012  rundll32.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  description                        pid   Process       procid_target
  PID 804 wrote to memory of 2012    804   rundll32.exe  25
  PID 804 wrote to memory of 2012    804   rundll32.exe  25
  PID 804 wrote to memory of 2012    804   rundll32.exe  25
  PID 804 wrote to memory of 2012    804   rundll32.exe  25
  PID 804 wrote to memory of 2012    804   rundll32.exe  25
  PID 804 wrote to memory of 2012    804   rundll32.exe  25
  PID 804 wrote to memory of 2012    804   rundll32.exe  25
  PID 2012 wrote to memory of 1684   2012  rundll32.exe  32
  PID 2012 wrote to memory of 1684   2012  rundll32.exe  32
  PID 2012 wrote to memory of 1684   2012  rundll32.exe  32
  PID 2012 wrote to memory of 1684   2012  rundll32.exe  32
  PID 2012 wrote to memory of 1684   2012  rundll32.exe  32
  PID 2012 wrote to memory of 1684   2012  rundll32.exe  32
Processes
- C:\Windows\system32\rundll32.exe (level 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Static.dll,#1
  PID: 804
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (level 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Static.dll,#1
    PID: 2012
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (level 3)
      Command line: C:\Windows\System32\svchost.exe
      PID: 1684