Analysis
max time kernel: 151s
max time network: 152s
platform: windows7_x64
resource: win7v20210408
submitted: 02/07/2021, 13:05
Static task: static1
Behavioral task: behavioral1
  Sample: triage_dropped_file.dll
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: triage_dropped_file.dll
  Resource: win10v20210410
General
Target: triage_dropped_file.dll
Size: 486KB
MD5: 00be0dadc6df1fa49368d38bebae513a
SHA1: 787f05d1977300fecc8bc9b1ecc16bc441abe2c4
SHA256: 21c9472e24da9f476eafe7f8435e93657a9fffed15b75e56f7d45d12f9f1eb86
SHA512: 8213645036e033b81d544f6434a995e115b4e85e5d7ae10d5a35d19d649c743b2a8c7e915713e2c0935f996c6c0a0518725fc992ddc4ed6634b755d6bd6b0575
Malware Config
Extracted
Family: hancitor
Build: 2806_ldfa1
C2: http://raeonoran.com/8/forum.php
C2: http://duclowtionly.ru/8/forum.php
C2: http://unteladenad.ru/8/forum.php
Signatures

Hancitor
Hancitor is a downloader used to deliver other malware families.

Blocklisted process makes network request (2 IoCs)
flow  pid   Process
7     2032  rundll32.exe
9     2032  rundll32.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
6     api.ipify.org

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2032  rundll32.exe
2032  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                       pid   Process       procid_target
PID 1348 wrote to memory of 2032  1348  rundll32.exe  25
PID 1348 wrote to memory of 2032  1348  rundll32.exe  25
PID 1348 wrote to memory of 2032  1348  rundll32.exe  25
PID 1348 wrote to memory of 2032  1348  rundll32.exe  25
PID 1348 wrote to memory of 2032  1348  rundll32.exe  25
PID 1348 wrote to memory of 2032  1348  rundll32.exe  25
PID 1348 wrote to memory of 2032  1348  rundll32.exe  25
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
  PID: 1348
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (child of PID 1348)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
    PID: 2032
    Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses