Analysis

  • max time kernel
    120s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    02/07/2021, 12:08

General

  • Target

    triage_dropped_file.dll

  • Size

    486KB

  • MD5

    00be0dadc6df1fa49368d38bebae513a

  • SHA1

    787f05d1977300fecc8bc9b1ecc16bc441abe2c4

  • SHA256

    21c9472e24da9f476eafe7f8435e93657a9fffed15b75e56f7d45d12f9f1eb86

  • SHA512

    8213645036e033b81d544f6434a995e115b4e85e5d7ae10d5a35d19d649c743b2a8c7e915713e2c0935f996c6c0a0518725fc992ddc4ed6634b755d6bd6b0575

Score
10/10

Malware Config

Signatures

  • Hancitor

    Hancitor is downloader used to deliver other malware families.

  • Blocklisted process makes network request 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:2044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2044-60-0x00000000766D1000-0x00000000766D3000-memory.dmp

    Filesize

    8KB

  • memory/2044-61-0x00000000006F0000-0x000000000076E000-memory.dmp

    Filesize

    504KB

  • memory/2044-62-0x0000000000150000-0x00000000001CE000-memory.dmp

    Filesize

    504KB

  • memory/2044-63-0x0000000000150000-0x00000000001CE000-memory.dmp

    Filesize

    504KB