Analysis
Max time kernel: 108s
Max time network: 110s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 02/03/2021, 15:31
Tasks
Static task: static1
Behavioral task: behavioral1 (Sample: Static.dll; Resource: win7v20201028; 0 signatures; 0 seconds)
Behavioral task: behavioral2 (Sample: Static.dll; Resource: win10v20201028; 0 signatures; 0 seconds)
General
Target: Static.dll
Size: 505KB
MD5: 88cd2507c2e10e4e27318497809ff4a3
SHA1: 33db82f09c064c7bab56edbd524e766ca9b51ab9
SHA256: bc5143aac84401fa5c3ff649b6b756aa64975a6371a84e14de6420704b703610
SHA512: bfc35f6cc693924281a5c771d2035925af6d4e0b4c12810a30b1c3e6ea163e2622a7e83a7a875af9424a21dfc181aabe31b54ad5586f8db34612e9f8828028de
Score: 10/10
Malware Config (extracted)
Family: hancitor
Botnet: 0203_lisr93
C2:
  http://witakilateg.com/8/forum.php
  http://sonalsovele.ru/8/forum.php
  http://duchateman.ru/8/forum.php
Signatures

Hancitor
Hancitor is a downloader used to deliver other malware families.
Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  3800  408         WerFault.exe  70

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  3800  WerFault.exe   (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   Process
  Token: SeRestorePrivilege  3800  WerFault.exe
  Token: SeBackupPrivilege   3800  WerFault.exe
  Token: SeDebugPrivilege    3800  WerFault.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid  Process
  408  rundll32.exe   (2 identical entries)

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  Process       procid_target
  PID 640 wrote to memory of 408   640  rundll32.exe  70   (3 identical entries)
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Static.dll,#1
   PID: 640
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Static.dll,#1
      PID: 408
      - Suspicious use of SetWindowsHookEx

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 864
         PID: 3800
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken