Analysis
max time kernel: 13s
max time network: 112s
platform: windows10_x64
resource: win10v20210410
submitted: 02/07/2021, 13:05
Static task: static1
Behavioral task: behavioral1 (sample triage_dropped_file.dll, resource win7v20210408, 0 signatures, 0 seconds)
Behavioral task: behavioral2 (sample triage_dropped_file.dll, resource win10v20210410, 0 signatures, 0 seconds)
General
Target: triage_dropped_file.dll
Size: 486KB
MD5: c181d20af08c0c630fa5e2a7b3d564e3
SHA1: 794eb9a69b1c059d94895dfbba6fa6bdbfb9e336
SHA256: 344563d0d00d4d81f219a96cea0f87bc2b11f8cedb4ab7ff130a4f0fae42baa5
SHA512: 9bc38f7aa5de13ba424265967007601ed30b92aceefe9c3fbd297dd81ef015640c46a84758d759c0db842e21cb012fd7c03c0a82e630821ef39b4f349147fb26
Score: 10/10
Malware Config
Extracted
Family: hancitor
Botnet: 2806_ldfa1
C2:
http://raeonoran.com/8/forum.php
http://duclowtionly.ru/8/forum.php
http://unteladenad.ru/8/forum.php
Signatures

Hancitor
Hancitor is a downloader used to deliver other malware families.

Program crash (1 IoC)
pid   pid_target  Process       procid_target
2588  2292        WerFault.exe  72
(WerFault.exe, PID 2588, handled the crash of PID 2292, the SysWOW64 rundll32.exe that loaded the DLL.)

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid   Process
2588  WerFault.exe
(14 identical entries, all PID 2588 WerFault.exe)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description                pid   Process
Token: SeRestorePrivilege  2588  WerFault.exe
Token: SeBackupPrivilege   2588  WerFault.exe
Token: SeDebugPrivilege    2588  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process       procid_target
PID 3156 wrote to memory of 2292  3156  rundll32.exe  72
(3 identical entries)
Processes

C:\Windows\system32\rundll32.exe (PID 3156)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\rundll32.exe (PID 2292)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
      └ C:\Windows\SysWOW64\WerFault.exe (PID 2588)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 656
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
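The indicators in this report, worked into detection and blocklist logic as an added example that is not part of the tria.ge report or of Hancitor tooling. The process-creation events are constructed to mirror the process tree above (the field names and the root process having no recorded parent are assumptions; map them onto your EDR or Sysmon schema), and the C2 URLs are copied from the extracted config. The code flags a rundll32 that loads a DLL from a user-writable path via an ordinal export (`,#1`), tags the SysWOW64 copy as the expected 32-bit relaunch so the same launch is not raised twice (64-bit rundll32 spawns a 32-bit copy for any 32-bit DLL, which is consistent with the WriteProcessMemory IoC from PID 3156 to 2292), ties the `WerFault.exe -p` argument back to the crashed PID, and splits the C2 URLs into blockable hosts and the shared URI path. Because the DLL crashed in the sandbox, the report lists no network IoCs; the C2 list comes from config extraction, not observed traffic, so treat the hosts as static indicators rather than confirmed beacons.

```python
"""Triage helpers built around the Hancitor report above (added example, not tria.ge code)."""
import re
from urllib.parse import urlparse

# Copied verbatim from the report's "Malware Config" section.
C2_URLS = [
    "http://raeonoran.com/8/forum.php",
    "http://duclowtionly.ru/8/forum.php",
    "http://unteladenad.ru/8/forum.php",
]

# Constructed process-creation events mirroring the report's process tree.
# Field names are an assumption; the root's parent PID is not on the page, so it is None.
EVENTS = [
    {"pid": 3156, "ppid": None, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1"},
    {"pid": 2292, "ppid": 3156, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1"},
    {"pid": 2588, "ppid": 2292, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 656"},
]

# rundll32 <path>.dll,<export> where <export> is a name or an ordinal (#N).
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>#\d+|\w+)', re.I)
# Locations a standard user can write to; Windows DLLs do not normally load from here.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\|\\Users\\Public\\|\\ProgramData\\", re.I)
# WerFault.exe -u -p <crashed pid> -s <event handle>
WERFAULT_RE = re.compile(r"WerFault\.exe\s+.*?-p\s+(\d+)", re.I)


def parse_rundll32(cmdline):
    """Return (dll_path, export) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.search(cmdline)
    return (m.group("dll"), m.group("export")) if m else None


def rundll32_findings(events):
    """Flag rundll32 launches loading a DLL from a user-writable path and/or by ordinal.

    A SysWOW64 rundll32 whose parent is rundll32 with the identical command line is
    the WoW64 relaunch of the same load; it is tagged, not treated as a new launch.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parsed = parse_rundll32(e["cmdline"])
        if not parsed:
            continue
        dll, export = parsed
        reasons = []
        if USER_WRITABLE_RE.search(dll):
            reasons.append("dll_in_user_writable_path")
        if export.startswith("#"):
            reasons.append("export_by_ordinal")
        if not reasons:
            continue
        parent = by_pid.get(e["ppid"])
        wow64_relaunch = bool(
            parent
            and parent["image"].lower().endswith("rundll32.exe")
            and parent["cmdline"] == e["cmdline"]
            and "\\syswow64\\" in e["image"].lower()
        )
        findings.append({"pid": e["pid"], "dll": dll, "export": export,
                         "reasons": reasons, "wow64_relaunch": wow64_relaunch})
    return findings


def crashed_pids(events):
    """Map each WerFault.exe -p <pid> back to the process that crashed."""
    crashed = set()
    for e in events:
        m = WERFAULT_RE.search(e["cmdline"])
        if m:
            crashed.add(int(m.group(1)))
    return crashed


def c2_indicators(urls):
    """Split extracted C2 URLs into blockable hosts and the URI paths they share."""
    parsed = [urlparse(u) for u in urls]
    return {"hosts": sorted({p.hostname for p in parsed}),
            "paths": sorted({p.path for p in parsed})}


if __name__ == "__main__":
    for finding in rundll32_findings(EVENTS):
        print(finding)
    print("crashed PIDs:", crashed_pids(EVENTS))
    print(c2_indicators(C2_URLS))
```

Run as-is it reports both rundll32 PIDs (3156 as the original launch, 2292 tagged as the WoW64 relaunch), PID 2292 as the crashed process, and the three C2 hosts with the single path `/8/forum.php`, which is the pattern to match on at the proxy if the hosts rotate.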