Analysis
- Max time kernel: 90s
- Max time network: 164s
- Platform: windows7_x64
- Resource: win7v20210408
- Submitted: 02/07/2021, 13:05
Static task: static1
Behavioral task: behavioral1
- Sample: triage_dropped_file.dll
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: triage_dropped_file.dll
- Resource: win10v20210410
General
- Target: triage_dropped_file.dll
- Size: 486KB
- MD5: c181d20af08c0c630fa5e2a7b3d564e3
- SHA1: 794eb9a69b1c059d94895dfbba6fa6bdbfb9e336
- SHA256: 344563d0d00d4d81f219a96cea0f87bc2b11f8cedb4ab7ff130a4f0fae42baa5
- SHA512: 9bc38f7aa5de13ba424265967007601ed30b92aceefe9c3fbd297dd81ef015640c46a84758d759c0db842e21cb012fd7c03c0a82e630821ef39b4f349147fb26
Malware Config
Extracted
hancitor
2806_ldfa1
http://raeonoran.com/8/forum.php
http://duclowtionly.ru/8/forum.php
http://unteladenad.ru/8/forum.php
Signatures
- Hancitor
  Hancitor is a downloader used to deliver other malware families.
- Blocklisted process makes network request (2 IoCs)
  flow | pid  | Process
  6    | 1476 | rundll32.exe
  8    | 1476 | rundll32.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  5    | api.ipify.org
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | Process
  1476 | rundll32.exe
  1476 | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                     | pid | Process      | procid_target
  PID 760 wrote to memory of 1476 | 760 | rundll32.exe | 27
  PID 760 wrote to memory of 1476 | 760 | rundll32.exe | 27
  PID 760 wrote to memory of 1476 | 760 | rundll32.exe | 27
  PID 760 wrote to memory of 1476 | 760 | rundll32.exe | 27
  PID 760 wrote to memory of 1476 | 760 | rundll32.exe | 27
  PID 760 wrote to memory of 1476 | 760 | rundll32.exe | 27
  PID 760 wrote to memory of 1476 | 760 | rundll32.exe | 27
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
  PID: 760
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
    PID: 1476
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses