Analysis
max time kernel: 145s
max time network: 149s
platform: windows10_x64
resource: win10v20201028
submitted: 01/04/2021, 14:51

Static task: static1

Behavioral task: behavioral1
  Sample: msals.pumpl.dll
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: msals.pumpl.dll
  Resource: win10v20201028
General
Target: msals.pumpl.dll
Size: 360KB
MD5: 5a7d31a2f95b5453756b0143f5845824
SHA1: bbae23a96a04293fd0cbe0d4425a9ac617be6283
SHA256: 8e73bfc2ac13b61960a5a2213198c2b0ee76774acb4fe9a02f972ec6d006bd8a
SHA512: 352b04b1a0707dffc71f8e113ed423b4676caddddc9e475065ab32f4824b89a58d5b68f0d3e39ee240b219de4f969c95f909585681cba991c4e4ea397b537e63
Malware Config
Extracted
Family: hancitor
Campaign: 0104_verf1
C2:
  http://cilidobas.com/8/forum.php
  http://onvoursmo.ru/8/forum.php
  http://bilematicdu.ru/8/forum.php
Signatures

Hancitor
Hancitor is a downloader used to deliver other malware families.

Blocklisted process makes network request (3 IoCs)
flow  pid   Process
25    3264  rundll32.exe
27    3264  rundll32.exe
29    3264  rundll32.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
24    api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process       procid_target
PID 3264 set thread context of 1316  3264  rundll32.exe  80

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
3264  rundll32.exe
3264  rundll32.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                      pid   Process       procid_target
PID 580 wrote to memory of 3264  580   rundll32.exe  47
PID 580 wrote to memory of 3264  580   rundll32.exe  47
PID 580 wrote to memory of 3264  580   rundll32.exe  47
PID 3264 wrote to memory of 1316 3264  rundll32.exe  80
PID 3264 wrote to memory of 1316 3264  rundll32.exe  80
PID 3264 wrote to memory of 1316 3264  rundll32.exe  80
PID 3264 wrote to memory of 1316 3264  rundll32.exe  80
PID 3264 wrote to memory of 1316 3264  rundll32.exe  80
Processes

C:\Windows\system32\rundll32.exe (PID:580)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\msals.pumpl.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID:3264)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\msals.pumpl.dll,#1
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe (PID:1316)
      Command line: C:\Windows\System32\svchost.exe