Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    02/07/2021, 13:05

General

  • Target

    triage_dropped_file.dll

  • Size

    486KB

  • MD5

    00be0dadc6df1fa49368d38bebae513a

  • SHA1

    787f05d1977300fecc8bc9b1ecc16bc441abe2c4

  • SHA256

    21c9472e24da9f476eafe7f8435e93657a9fffed15b75e56f7d45d12f9f1eb86

  • SHA512

    8213645036e033b81d544f6434a995e115b4e85e5d7ae10d5a35d19d649c743b2a8c7e915713e2c0935f996c6c0a0518725fc992ddc4ed6634b755d6bd6b0575

Malware Config

Extracted

Family

hancitor

Botnet

2806_ldfa1

C2

http://raeonoran.com/8/forum.php

http://duclowtionly.ru/8/forum.php

http://unteladenad.ru/8/forum.php

Signatures

  • Hancitor

    Hancitor is downloader used to deliver other malware families.

  • Blocklisted process makes network request 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:2032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2032-61-0x00000000762C1000-0x00000000762C3000-memory.dmp

    Filesize

    8KB

  • memory/2032-62-0x0000000000760000-0x00000000007DE000-memory.dmp

    Filesize

    504KB

  • memory/2032-63-0x00000000001C0000-0x00000000001C8000-memory.dmp

    Filesize

    32KB

  • memory/2032-64-0x0000000000280000-0x000000000028A000-memory.dmp

    Filesize

    40KB