Analysis

  • max time kernel
    139s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    04/03/2021, 17:09

General

  • Target

    0304_56958375050481.doc

  • Size

    743KB

  • MD5

    7ba91fe733a2b27af2c602525151305d

  • SHA1

    0c4f2f591db5e0bd0ce580649582f818a9da5179

  • SHA256

    e9e50934dd76164022730125fc00cbe2467afd6e234d2c4873273d4bc6acafe8

  • SHA512

    9d524efdcb0744e3a8b3bf13b234d8e9f595354ad3d143177e2da3ad9248122d403d596e38fa5055150eecc5866257c2f90bf6fdb9309acd5c67321b480ca4aa

Malware Config

Extracted

Family

hancitor

Botnet

0403_nores34

C2

http://throsesspeotte.com/8/forum.php

http://imilifeesinci.ru/8/forum.php

http://publearysuc.ru/8/forum.php

Signatures

  • Hancitor

    Hancitor is downloader used to deliver other malware families.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0304_56958375050481.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2776
      • C:\Windows\System32\rundll32.exe
        "C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\local\temp\Static.dll,MUSWRRVXHJV
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:3796
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\local\temp\Static.dll,MUSWRRVXHJV
          3⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:400
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\System32\svchost.exe
            4⤵
              PID:3144

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/400-14-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

              Filesize

              4KB

            • memory/400-13-0x0000000074000000-0x000000007400A000-memory.dmp

              Filesize

              40KB

            • memory/2776-8-0x0000000002C00000-0x0000000002D01000-memory.dmp

              Filesize

              1.0MB

            • memory/3144-15-0x0000000000400000-0x0000000000448000-memory.dmp

              Filesize

              288KB

            • memory/3144-17-0x0000000000400000-0x0000000000448000-memory.dmp

              Filesize

              288KB

            • memory/3636-5-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

              Filesize

              64KB

            • memory/3636-4-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

              Filesize

              64KB

            • memory/3636-3-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

              Filesize

              64KB

            • memory/3636-6-0x00000245313D0000-0x0000024531A07000-memory.dmp

              Filesize

              6.2MB

            • memory/3636-2-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

              Filesize

              64KB