Analysis
max time kernel:  139s
max time network: 147s
platform:         windows10_x64
resource:         win10v20201028
submitted:        04/03/2021, 17:09
Static task: static1

Behavioral task: behavioral1
  Sample:   0304_56958375050481.doc
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample:   0304_56958375050481.doc
  Resource: win10v20201028
General
Target: 0304_56958375050481.doc
Size:   743KB
MD5:    7ba91fe733a2b27af2c602525151305d
SHA1:   0c4f2f591db5e0bd0ce580649582f818a9da5179
SHA256: e9e50934dd76164022730125fc00cbe2467afd6e234d2c4873273d4bc6acafe8
SHA512: 9d524efdcb0744e3a8b3bf13b234d8e9f595354ad3d143177e2da3ad9248122d403d596e38fa5055150eecc5866257c2f90bf6fdb9309acd5c67321b480ca4aa
Malware Config
Extracted
hancitor
0403_nores34
http://throsesspeotte.com/8/forum.php
http://imilifeesinci.ru/8/forum.php
http://publearysuc.ru/8/forum.php
Signatures

Hancitor
Hancitor is a downloader used to deliver other malware families.
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description                                                                                               pid   pid_target  Process       procid_target
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process  3796  3636        rundll32.exe  67

Blocklisted process makes network request (3 IoCs)
  flow  pid  Process
  32    400  rundll32.exe
  35    400  rundll32.exe
  37    400  rundll32.exe

Loads dropped DLL (1 IoC)
  pid  Process
  400  rundll32.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  31    api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
  description                          pid  Process       procid_target
  PID 400 set thread context of 3144   400  rundll32.exe  84

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                            Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz           WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                          Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS           WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE

NTFS ADS (1 IoC)
  description                   ioc                                                                                                  Process
  File opened for modification  C:\Users\Admin\AppData\Local\Temp\{946385A3-0D1F-401D-AF41-D253BEF0B8CA}\msals.pumpl:Zone.Identifier  WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid   Process
  3636  WINWORD.EXE
  3636  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  Process
  400  rundll32.exe
  400  rundll32.exe

Suspicious use of SetWindowsHookEx (17 IoCs)
  pid   Process
  3636  WINWORD.EXE   (all 17 entries identical)

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process       procid_target
  PID 3636 wrote to memory of 2776   3636  WINWORD.EXE   77
  PID 3636 wrote to memory of 2776   3636  WINWORD.EXE   77
  PID 3636 wrote to memory of 3796   3636  WINWORD.EXE   79
  PID 3636 wrote to memory of 3796   3636  WINWORD.EXE   79
  PID 3796 wrote to memory of 400    3796  rundll32.exe  80
  PID 3796 wrote to memory of 400    3796  rundll32.exe  80
  PID 3796 wrote to memory of 400    3796  rundll32.exe  80
  PID 400 wrote to memory of 3144    400   rundll32.exe  84
  PID 400 wrote to memory of 3144    400   rundll32.exe  84
  PID 400 wrote to memory of 3144    400   rundll32.exe  84
  PID 400 wrote to memory of 3144    400   rundll32.exe  84
  PID 400 wrote to memory of 3144    400   rundll32.exe  84
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 3636)
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0304_56958375050481.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - NTFS ADS
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\splwow64.exe  (PID 2776)
      Command line: C:\Windows\splwow64.exe 12288

   2. C:\Windows\System32\rundll32.exe  (PID 3796)
      Command line: "C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\local\temp\Static.dll,MUSWRRVXHJV
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\rundll32.exe  (PID 400)
         Command line: "C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\local\temp\Static.dll,MUSWRRVXHJV
         - Blocklisted process makes network request
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\svchost.exe  (PID 3144)
            Command line: C:\Windows\System32\svchost.exe