Analysis

max time kernel: 120s
max time network: 126s
platform: windows7_x64
resource: win7v20210410
submitted: 02/07/2021, 12:08

Static task: static1

Behavioral task: behavioral1
  Sample: triage_dropped_file.dll
  Resource: win7v20210410
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: triage_dropped_file.dll
  Resource: win10v20210408
  0 signatures, 0 seconds
General

Target: triage_dropped_file.dll
Size: 486KB
MD5: 00be0dadc6df1fa49368d38bebae513a
SHA1: 787f05d1977300fecc8bc9b1ecc16bc441abe2c4
SHA256: 21c9472e24da9f476eafe7f8435e93657a9fffed15b75e56f7d45d12f9f1eb86
SHA512: 8213645036e033b81d544f6434a995e115b4e85e5d7ae10d5a35d19d649c743b2a8c7e915713e2c0935f996c6c0a0518725fc992ddc4ed6634b755d6bd6b0575
Score: 10/10
Malware Config

Signatures

Hancitor
Hancitor is a downloader used to deliver other malware families.

Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  7     2044  rundll32.exe
  9     2044  rundll32.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  6     api.ipify.org

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2044  rundll32.exe
  2044  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid   Process       procid_target
  PID 1056 wrote to memory of 2044  1056  rundll32.exe  26
  PID 1056 wrote to memory of 2044  1056  rundll32.exe  26
  PID 1056 wrote to memory of 2044  1056  rundll32.exe  26
  PID 1056 wrote to memory of 2044  1056  rundll32.exe  26
  PID 1056 wrote to memory of 2044  1056  rundll32.exe  26
  PID 1056 wrote to memory of 2044  1056  rundll32.exe  26
  PID 1056 wrote to memory of 2044  1056  rundll32.exe  26
Processes

C:\Windows\system32\rundll32.exe  (PID 1056)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\rundll32.exe  (PID 2044)
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
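The process tree and the network IoC in this report reduce to three observable behaviours a detection engineer can match on: rundll32.exe loading a DLL out of %LOCALAPPDATA%\Temp by export ordinal (",#1"), the 64-bit rundll32.exe in system32 handing off to the SysWOW64 copy with the same command line (which is why the parent, PID 1056, shows WriteProcessMemory into PID 2044), and the 32-bit child then contacting api.ipify.org. The following is an added example, not part of the Triage report and not Hancitor's own code: it encodes those three behaviours as rules and runs them over constructed Sysmon-style process and network events that reproduce the tree above (PIDs 1056 and 2044, the paths and api.ipify.org are taken from the report; the explorer.exe parent, its PID 1700, the port, and the benign Control Panel launch with PID 3100 are constructed for illustration).

```python
import re
from collections import defaultdict

# Constructed events approximating Sysmon Event ID 1 (process create) and
# Event ID 3 (network connect) records for the process tree in this report.
# The explorer.exe parent (PID 1700) and the benign Control Panel launch
# (PID 3100) are constructed negatives; they do not appear in the report.
EVENTS = [
    {"type": "process", "pid": 1056, "ppid": 1700,
     "image": r"C:\Windows\system32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1"},
    {"type": "process", "pid": 2044, "ppid": 1056,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent_image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1"},
    {"type": "network", "pid": 2044, "dest_host": "api.ipify.org", "dest_port": 80},
    {"type": "process", "pid": 3100, "ppid": 1700,
     "image": r"C:\Windows\system32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# "rundll32[.exe] <dll>,#<ordinal>" with optional quoting around either token.
ORDINAL_LOAD = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?,#(?P<ordinal>\d+)\s*$', re.I)
# Per-user temp directory, the drop location used in this report.
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# The report only shows api.ipify.org; add other lookup services as needed.
IP_LOOKUP_HOSTS = {"api.ipify.org"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_ordinal_from_user_temp(ev):
    """rundll32 loading a DLL by export ordinal from a user-writable temp dir."""
    if ev["type"] != "process" or basename(ev["image"]) != "rundll32.exe":
        return False
    m = ORDINAL_LOAD.match(ev["cmdline"])
    return bool(m and USER_TEMP.search(m.group("dll")))


def rule_wow64_handoff(ev):
    """system32 rundll32 spawning the SysWOW64 copy (the 1056 -> 2044 edge)."""
    if ev["type"] != "process" or basename(ev["image"]) != "rundll32.exe":
        return False
    parent = ev.get("parent_image", "")
    return ("\\syswow64\\" in ev["image"].lower()
            and basename(parent) == "rundll32.exe"
            and "\\system32\\" in parent.lower())


def rule_ip_lookup(ev, rundll_pids):
    """Any rundll32 process asking an external IP lookup service for its address."""
    return (ev["type"] == "network"
            and ev["pid"] in rundll_pids
            and ev["dest_host"].lower() in IP_LOOKUP_HOSTS)


def analyze(events):
    """Return {pid: [rule names that fired]} for the given event stream."""
    rundll_pids = {e["pid"] for e in events
                   if e["type"] == "process" and basename(e["image"]) == "rundll32.exe"}
    findings = defaultdict(list)
    for ev in events:
        if rule_ordinal_from_user_temp(ev):
            findings[ev["pid"]].append("rundll32_ordinal_from_user_temp")
        if rule_wow64_handoff(ev):
            findings[ev["pid"]].append("rundll32_wow64_handoff")
        if rule_ip_lookup(ev, rundll_pids):
            findings[ev["pid"]].append("ip_lookup_from_rundll32")
    return dict(findings)


if __name__ == "__main__":
    for pid, hits in sorted(analyze(EVENTS).items()):
        print(pid, hits)
```

On these events PID 1056 fires only the ordinal-load rule, PID 2044 fires all three, and the Control Panel launch fires nothing. The WoW64 handoff rule is deliberately narrow: on its own it also matches legitimate 32-bit DLLs passed to the 64-bit rundll32, so it is meant to raise the score of a process that already tripped the temp-path or IP-lookup rules rather than to alert alone. The report covers only the initial loader stage; Hancitor's follow-on payload delivery is not visible here and is not modelled.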