Analysis

  • max time kernel
    20s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    02/07/2021, 12:08

General

  • Target

    triage_dropped_file.dll

  • Size

    486KB

  • MD5

    00be0dadc6df1fa49368d38bebae513a

  • SHA1

    787f05d1977300fecc8bc9b1ecc16bc441abe2c4

  • SHA256

    21c9472e24da9f476eafe7f8435e93657a9fffed15b75e56f7d45d12f9f1eb86

  • SHA512

    8213645036e033b81d544f6434a995e115b4e85e5d7ae10d5a35d19d649c743b2a8c7e915713e2c0935f996c6c0a0518725fc992ddc4ed6634b755d6bd6b0575

Malware Config

Extracted

Family

hancitor

Botnet

2806_ldfa1

C2

http://raeonoran.com/8/forum.php

http://duclowtionly.ru/8/forum.php

http://unteladenad.ru/8/forum.php

Signatures

  • Hancitor

    Hancitor is downloader used to deliver other malware families.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3492
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
      2⤵
        PID:1628
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 652
          3⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2484

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1628-117-0x0000000000FF0000-0x0000000000FFA000-memory.dmp

      Filesize

      40KB

    • memory/1628-116-0x0000000000F40000-0x0000000000F48000-memory.dmp

      Filesize

      32KB