Analysis
  max time kernel: 139s
  max time network: 142s
  platform: windows10_x64
  resource: win10v20201028
  submitted: 04/03/2021, 17:13
Static task: static1
Behavioral task: behavioral1
  Sample: 0304_56958375050481.doc
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 0304_56958375050481.doc
  Resource: win10v20201028
General
  Target: 0304_56958375050481.doc
  Size: 743KB
  MD5: 7ba91fe733a2b27af2c602525151305d
  SHA1: 0c4f2f591db5e0bd0ce580649582f818a9da5179
  SHA256: e9e50934dd76164022730125fc00cbe2467afd6e234d2c4873273d4bc6acafe8
  SHA512: 9d524efdcb0744e3a8b3bf13b234d8e9f595354ad3d143177e2da3ad9248122d403d596e38fa5055150eecc5866257c2f90bf6fdb9309acd5c67321b480ca4aa
Malware Config
Extracted
  Family: hancitor
  Build: 0403_nores34
  C2:
    http://throsesspeotte.com/8/forum.php
    http://imilifeesinci.ru/8/forum.php
    http://publearysuc.ru/8/forum.php
Signatures

Hancitor
Hancitor is a downloader used to deliver other malware families.

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 1212 | 1404 | rundll32.exe | 59
Blocklisted process makes network request (3 IoCs)
  flow | pid | Process
  31 | 188 | rundll32.exe
  33 | 188 | rundll32.exe
  35 | 188 | rundll32.exe

Loads dropped DLL (1 IoC)
  pid | Process
  188 | rundll32.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  30 | api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 188 set thread context of 3892 | 188 | rundll32.exe | 85
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

NTFS ADS (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\{C235BA9C-12FA-4330-BDEE-88F7BD8A1DA1}\msals.pumpl:Zone.Identifier | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  1404 | WINWORD.EXE
  1404 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  188 | rundll32.exe
  188 | rundll32.exe

Suspicious use of SetWindowsHookEx (17 IoCs)
  pid | Process
  1404 | WINWORD.EXE  (17 identical rows)

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1404 wrote to memory of 2712 | 1404 | WINWORD.EXE | 78
  PID 1404 wrote to memory of 2712 | 1404 | WINWORD.EXE | 78
  PID 1404 wrote to memory of 1212 | 1404 | WINWORD.EXE | 80
  PID 1404 wrote to memory of 1212 | 1404 | WINWORD.EXE | 80
  PID 1212 wrote to memory of 188 | 1212 | rundll32.exe | 81
  PID 1212 wrote to memory of 188 | 1212 | rundll32.exe | 81
  PID 1212 wrote to memory of 188 | 1212 | rundll32.exe | 81
  PID 188 wrote to memory of 3892 | 188 | rundll32.exe | 85
  PID 188 wrote to memory of 3892 | 188 | rundll32.exe | 85
  PID 188 wrote to memory of 3892 | 188 | rundll32.exe | 85
  PID 188 wrote to memory of 3892 | 188 | rundll32.exe | 85
  PID 188 wrote to memory of 3892 | 188 | rundll32.exe | 85
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0304_56958375050481.doc" /o ""
  PID: 1404
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2712

  C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\local\temp\Static.dll,MUSWRRVXHJV
    PID: 1212
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\local\temp\Static.dll,MUSWRRVXHJV
      PID: 188
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\svchost.exe
        Command line: C:\Windows\System32\svchost.exe
        PID: 3892