Analysis
max time kernel: 20s
max time network: 112s
platform: windows10_x64
resource: win10v20210408
submitted: 02/07/2021, 12:08
Static task: static1
Behavioral task: behavioral1
  Sample: triage_dropped_file.dll
  Resource: win7v20210410
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: triage_dropped_file.dll
  Resource: win10v20210408
  0 signatures, 0 seconds
General
Target: triage_dropped_file.dll
Size: 486KB
MD5: 00be0dadc6df1fa49368d38bebae513a
SHA1: 787f05d1977300fecc8bc9b1ecc16bc441abe2c4
SHA256: 21c9472e24da9f476eafe7f8435e93657a9fffed15b75e56f7d45d12f9f1eb86
SHA512: 8213645036e033b81d544f6434a995e115b4e85e5d7ae10d5a35d19d649c743b2a8c7e915713e2c0935f996c6c0a0518725fc992ddc4ed6634b755d6bd6b0575
Score: 10/10
Malware Config
Extracted
Family: hancitor
Botnet: 2806_ldfa1
C2:
  http://raeonoran.com/8/forum.php
  http://duclowtionly.ru/8/forum.php
  http://unteladenad.ru/8/forum.php
Signatures

Hancitor
Hancitor is a downloader used to deliver other malware families.
Program crash (1 IoC)
pid   pid_target  Process       procid_target
2484  1628        WerFault.exe  70
Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid   Process
2484  WerFault.exe
2484  WerFault.exe
2484  WerFault.exe
2484  WerFault.exe
2484  WerFault.exe
2484  WerFault.exe
2484  WerFault.exe
2484  WerFault.exe
2484  WerFault.exe
2484  WerFault.exe
2484  WerFault.exe
2484  WerFault.exe
2484  WerFault.exe
2484  WerFault.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description                pid   Process
Token: SeRestorePrivilege  2484  WerFault.exe
Token: SeBackupPrivilege   2484  WerFault.exe
Token: SeDebugPrivilege    2484  WerFault.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process       procid_target
PID 3492 wrote to memory of 1628  3492  rundll32.exe  70
PID 3492 wrote to memory of 1628  3492  rundll32.exe  70
PID 3492 wrote to memory of 1628  3492  rundll32.exe  70
Processes
C:\Windows\system32\rundll32.exe (PID 3492)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 1628)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
    C:\Windows\SysWOW64\WerFault.exe (PID 2484)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 652
      Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken