Analysis
- max time kernel: 72s
- max time network: 114s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 01/04/2021, 14:51

Static task: static1

Behavioral task: behavioral1
- Sample: msals.pumpl.dll
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: msals.pumpl.dll
- Resource: win10v20201028
General
- Target: msals.pumpl.dll
- Size: 360KB
- MD5: 5a7d31a2f95b5453756b0143f5845824
- SHA1: bbae23a96a04293fd0cbe0d4425a9ac617be6283
- SHA256: 8e73bfc2ac13b61960a5a2213198c2b0ee76774acb4fe9a02f972ec6d006bd8a
- SHA512: 352b04b1a0707dffc71f8e113ed423b4676caddddc9e475065ab32f4824b89a58d5b68f0d3e39ee240b219de4f969c95f909585681cba991c4e4ea397b537e63
Malware Config
Extracted
- Family: hancitor
- Build: 0104_verf1
- C2 URLs:
  - http://cilidobas.com/8/forum.php
  - http://onvoursmo.ru/8/forum.php
  - http://bilematicdu.ru/8/forum.php
Signatures
- Hancitor
  Hancitor is a downloader used to deliver other malware families.

- Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  6     1364  rundll32.exe
  8     1364  rundll32.exe
  10    1364  rundll32.exe

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  5     api.ipify.org

- Suspicious use of SetThreadContext (1 IoC)
  description                           pid   Process       procid_target
  PID 1364 set thread context of 1120   1364  rundll32.exe  32

- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  1172  1120        WerFault.exe  32

- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid   Process       entries
  1364  rundll32.exe  2
  1172  WerFault.exe  5

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  1172  WerFault.exe

- Suspicious use of WriteProcessMemory (17 IoCs)
  description                        pid   Process       procid_target  entries
  PID 2032 wrote to memory of 1364   2032  rundll32.exe  25             7
  PID 1364 wrote to memory of 1120   1364  rundll32.exe  32             6
  PID 1120 wrote to memory of 1172   1120  svchost.exe   33             4
Processes
- C:\Windows\system32\rundll32.exe (PID 2032)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\msals.pumpl.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1364)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\msals.pumpl.dll,#1
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (PID 1120)
      Command line: C:\Windows\System32\svchost.exe
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe (PID 1172)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 880
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken