Analysis

  • max time kernel
    58s
  • max time network
    105s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    03/03/2021, 16:27

General

  • Target

    Static.dll

  • Size

    169KB

  • MD5

    541f0ae61eaa22bc5eeca8351f9e76e3

  • SHA1

    9c52ae468d81fceaf09c8f1fc166a6b6ffdc9225

  • SHA256

    492ed4c57dbe80c20cc0749ff91da5d9f2b3c5b95ae24ac8822b242cb51f9d5a

  • SHA512

    7bf98a7a1530e3f407c0b4fb0d4c4fb6cc8d3e6b462bc0bd99f5daf1568041dbe1d5c0acf4422c62f05bb4070e33446f0195f5154da1566899eb9dbc8af47f5e

Malware Config

Extracted

Family

hancitor

Botnet

0303_trew30

C2

http://mainctional.com/8/forum.php

http://disrulaytin.ru/8/forum.php

http://puldefletat.ru/8/forum.php
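The C2 list and botnet id above were recovered by the sandbox's config extractor. The block below is an added example, not code from this report or from any public Hancitor extractor, showing how a Hancitor-style configuration block is decrypted and parsed into those fields. It assumes the scheme public Hancitor extractors describe: an 8-byte seed followed by the RC4-encrypted block, RC4 keyed with the first 5 bytes of SHA1(seed), and a decrypted layout of a 16-byte build/botnet id followed by pipe-separated C2 URLs; the 0x2000 block length and the 16-byte offset are assumptions. The encrypted blob it operates on is constructed inline from the report's values (it is not carved from Static.dll), so the example runs offline.

```python
"""Decrypt and parse a Hancitor-style configuration block.

Added example, not part of the sandbox report or any public extractor.
Assumed scheme (see lead-in): 8-byte seed, RC4 key = SHA1(seed)[:5],
decrypted layout = 16-byte build id + '|'-separated C2 URLs.
"""
import hashlib
from typing import Dict, List

CONFIG_LEN = 0x2000  # assumed size of the encrypted region
BUILD_LEN = 16       # assumed size of the build/botnet id field


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(seed: bytes) -> bytes:
    """Narrow SHA1(seed) to a 40-bit RC4 key (assumed Hancitor behaviour)."""
    return hashlib.sha1(seed).digest()[:5]


def parse_config(blob: bytes) -> Dict[str, object]:
    """Return {'botnet': str, 'c2': [url, ...]} from seed + encrypted block."""
    seed, enc = blob[:8], blob[8:8 + CONFIG_LEN]
    plain = rc4(derive_key(seed), enc)
    build = plain[:BUILD_LEN].rstrip(b"\x00").decode("ascii", "replace")
    # URL list is NUL-terminated and '|'-separated (trailing '|' is normal).
    urls = plain[BUILD_LEN:].split(b"\x00", 1)[0].decode("ascii", "replace")
    c2: List[str] = [u for u in urls.split("|") if u]
    return {"botnet": build, "c2": c2}


# Constructed test vector: the report's extracted values re-encrypted under
# an arbitrary seed with the same scheme. Not data carved from Static.dll.
_SEED = b"\x11\x22\x33\x44\x55\x66\x77\x88"
_PLAIN = (b"0303_trew30".ljust(BUILD_LEN, b"\x00")
          + b"http://mainctional.com/8/forum.php|"
            b"http://disrulaytin.ru/8/forum.php|"
            b"http://puldefletat.ru/8/forum.php|").ljust(CONFIG_LEN, b"\x00")
SAMPLE_BLOB = _SEED + rc4(derive_key(_SEED), _PLAIN)

if __name__ == "__main__":
    print(parse_config(SAMPLE_BLOB))
```

Against a real sample the blob would be read from the unpacked DLL's data section and the parsed URLs compared with the sandbox's list; a mismatch points at a different offset or a changed scheme in that build rather than at the report.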

Signatures

  • Hancitor

    Hancitor is a downloader used to deliver other malware families.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Static.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\Static.dll
      2⤵
        PID:1756
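The tree above shows the 64-bit regsvr32.exe in system32 handing the same /s registration off to its SysWOW64 copy, which is what regsvr32 does when asked to register a 32-bit DLL. As an added example, not from the report or the sandbox vendor, the block below runs that pattern and the C2 list from the extracted config over constructed process and proxy records; the record field names (pid, image, parent_image, command_line, url), the parent of PID 1192 and the non-malicious records are assumptions for illustration.

```python
"""Flag the Hancitor tradecraft visible in the report over sample telemetry.

Added example, not part of the sandbox report. The records below are
constructed to mirror the page's process tree and C2 list; field names are
assumptions, not a real Sysmon or proxy schema.
"""
import re
from typing import Dict, List

# C2 URLs from the report's extracted config, plus the path shape they share.
HANCITOR_C2 = {
    "http://mainctional.com/8/forum.php",
    "http://disrulaytin.ru/8/forum.php",
    "http://puldefletat.ru/8/forum.php",
}
C2_PATH = re.compile(r"^https?://[^/]+/\d+/forum\.php$", re.I)

# A DLL living under a user's %TEMP% directory.
TEMP_DLL = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+\.dll", re.I)


def process_findings(rec: Dict[str, str]) -> List[str]:
    hits: List[str] = []
    image = rec["image"].lower()
    if image.endswith("\\regsvr32.exe") and TEMP_DLL.search(rec["command_line"]):
        hits.append("regsvr32 registering a DLL from %TEMP%")
    # 64-bit regsvr32 relaunches its SysWOW64 copy for a 32-bit DLL. Alone
    # that is benign; alongside the %TEMP% DLL it reproduces the page's tree.
    if (image.endswith("syswow64\\regsvr32.exe")
            and rec["parent_image"].lower().endswith("system32\\regsvr32.exe")):
        hits.append("WoW64 regsvr32 handoff (32-bit DLL)")
    return hits


def network_findings(rec: Dict[str, str]) -> List[str]:
    url = rec["url"]
    if url in HANCITOR_C2:
        return ["known Hancitor C2"]
    if C2_PATH.match(url):
        return ["Hancitor-style /<n>/forum.php check-in"]
    return []


def triage(process_log, network_log) -> Dict[str, List[str]]:
    """Map pid -> findings, processes first, then network, in log order."""
    findings: Dict[str, List[str]] = {}
    for rec in process_log:
        for f in process_findings(rec):
            findings.setdefault(rec["pid"], []).append(f)
    for rec in network_log:
        for f in network_findings(rec):
            findings.setdefault(rec["pid"], []).append(f)
    return findings


# Constructed records. PIDs, images and command lines of 1192/1756 follow the
# report; the parent of 1192 and the 2200/4100 records are made up.
PROCESS_LOG = [
    {"pid": "1192", "image": r"C:\Windows\system32\regsvr32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Static.dll"},
    {"pid": "1756", "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "parent_image": r"C:\Windows\system32\regsvr32.exe",
     "command_line": r"/s C:\Users\Admin\AppData\Local\Temp\Static.dll"},
    {"pid": "2200", "image": r"C:\Windows\system32\regsvr32.exe",
     "parent_image": r"C:\Windows\system32\msiexec.exe",
     "command_line": r"regsvr32 /s C:\Program Files\Vendor\plugin.dll"},
]
NETWORK_LOG = [
    {"pid": "1756", "url": "http://mainctional.com/8/forum.php"},
    {"pid": "1756", "url": "http://otherhost.example/12/forum.php"},
    {"pid": "4100", "url": "http://example.com/forum.php"},
]

if __name__ == "__main__":
    for pid, hits in triage(PROCESS_LOG, NETWORK_LOG).items():
        print(pid, hits)
```

The exact-URL match covers this build's C2; the path pattern is what survives the next config rotation, at the cost of needing a second signal (such as the regsvr32 %TEMP% load) before alerting on it alone.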

Downloads

  • memory/1756-3-0x0000000073E60000-0x0000000073E6A000-memory.dmp

    Filesize

    40KB

  • memory/1756-4-0x0000000002B90000-0x0000000002B91000-memory.dmp

    Filesize

    4KB