Malware Analysis Report

2025-06-16 05:23

Sample ID 210401-dqgxp5tskn
Target msals.pumpl.dll
SHA256 8e73bfc2ac13b61960a5a2213198c2b0ee76774acb4fe9a02f972ec6d006bd8a
Tags hancitor 0104_verf1 downloader
Score 10/10

Analysis Overview

Score

10/10

SHA256

8e73bfc2ac13b61960a5a2213198c2b0ee76774acb4fe9a02f972ec6d006bd8a

Threat Level: Known bad

The file msals.pumpl.dll was found to be: Known bad.

Malicious Activity Summary

hancitor 0104_verf1 downloader

Hancitor

Blocklisted process makes network request

Looks up external IP address via web service

Suspicious use of SetThreadContext

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-04-01 14:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-04-01 14:51

Reported

2021-04-01 14:54

Platform

win7v20201028

Max time kernel

72s

Max time network

114s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msals.pumpl.dll,#1

Signatures

Hancitor

downloader hancitor

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1364 set thread context of 1120 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\svchost.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 1364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2032 wrote to memory of 1364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2032 wrote to memory of 1364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2032 wrote to memory of 1364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2032 wrote to memory of 1364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2032 wrote to memory of 1364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2032 wrote to memory of 1364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1364 wrote to memory of 1120 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\svchost.exe
PID 1364 wrote to memory of 1120 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\svchost.exe
PID 1364 wrote to memory of 1120 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\svchost.exe
PID 1364 wrote to memory of 1120 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\svchost.exe
PID 1364 wrote to memory of 1120 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\svchost.exe
PID 1364 wrote to memory of 1120 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\svchost.exe
PID 1120 wrote to memory of 1172 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 1120 wrote to memory of 1172 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 1120 wrote to memory of 1172 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 1120 wrote to memory of 1172 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msals.pumpl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msals.pumpl.dll,#1

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 880

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 23.21.48.44:80 api.ipify.org tcp
N/A 8.8.8.8:53 cilidobas.com udp
N/A 88.85.89.108:80 cilidobas.com tcp
N/A 8.8.8.8:53 pipopetfiu.ru udp
N/A 8.208.95.92:80 pipopetfiu.ru tcp
N/A 23.21.48.44:80 api.ipify.org tcp

Files

memory/1364-2-0x0000000000000000-mapping.dmp

memory/1364-3-0x0000000075C31000-0x0000000075C33000-memory.dmp

memory/1364-4-0x0000000075420000-0x000000007542A000-memory.dmp

memory/1364-5-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/1992-6-0x000007FEF6B90000-0x000007FEF6E0A000-memory.dmp

memory/1120-7-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1120-8-0x0000000000401480-mapping.dmp

memory/1120-10-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1172-11-0x0000000000000000-mapping.dmp

memory/1172-12-0x0000000002000000-0x0000000002011000-memory.dmp

memory/1172-13-0x0000000000440000-0x0000000000441000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-04-01 14:51

Reported

2021-04-01 14:55

Platform

win10v20201028

Max time kernel

145s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msals.pumpl.dll,#1

Signatures

Hancitor

downloader hancitor

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3264 set thread context of 1316 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\svchost.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msals.pumpl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msals.pumpl.dll,#1

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

Network

Country Destination Domain Proto
N/A 52.109.12.18:443 tcp
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.225.157.230:80 api.ipify.org tcp
N/A 8.8.8.8:53 cilidobas.com udp
N/A 88.85.89.108:80 cilidobas.com tcp
N/A 8.8.8.8:53 pipopetfiu.ru udp
N/A 8.208.95.92:80 pipopetfiu.ru tcp
N/A 54.225.157.230:80 api.ipify.org tcp
N/A 8.8.8.8:53 sweyblidian.com udp
N/A 185.100.65.29:80 sweyblidian.com tcp
N/A 185.100.65.29:80 sweyblidian.com tcp
N/A 185.100.65.29:80 sweyblidian.com tcp
N/A 185.100.65.29:80 sweyblidian.com tcp
N/A 185.100.65.29:80 sweyblidian.com tcp
N/A 185.100.65.29:80 sweyblidian.com tcp

Files

memory/3264-2-0x0000000000000000-mapping.dmp

memory/3264-3-0x0000000074220000-0x000000007422A000-memory.dmp

memory/3264-4-0x0000000002970000-0x0000000002971000-memory.dmp

memory/1316-5-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1316-6-0x0000000000401480-mapping.dmp

memory/1316-7-0x0000000000400000-0x0000000000448000-memory.dmp