Overview

overview

10

Static

static

8

0714_6667737000.doc

windows10_x64

10

Resubmissions

14-07-2021 22:47

210714-l1qp8zcqwx 10

14-07-2021 22:34

210714-pfs4cxm9c6 10

Analysis

  • max time kernel
    1769s
  • max time network
    1791s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    14-07-2021 22:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0714_6667737000.doc

  • Size

    950KB

  • MD5

    ca3863086e54e017e5ee340947357c0c

  • SHA1

    958fd07c6258321c99ceed63910aaf5d961c83a4

  • SHA256

    986aa81b4d67fafde1f7052d5d61025ca059c68516d21d8e4b12f22bfcb68220

  • SHA512

    5b9d82a551fbb4ba3083abad64b786d7dac2d7cd66aa672c0a6474203aa891d6665a8fcee5faec18f956a98858b72e7c22110f1a10e4f7ad80a51828eea7a739

Score
10/10
hancitor1407_bdgtqdownloader

Malware Config

Extracted

Family

hancitor

Botnet

1407_bdgtq

C2

http://wortlybeentax.com/8/forum.php

http://omermancto.ru/8/forum.php

http://metweveer.ru/8/forum.php

Signatures

  • Hancitor

    Hancitor is downloader used to deliver other malware families.

    downloaderhancitor
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 16 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0714_6667737000.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3968
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:188
      • C:\Windows\System32\rundll32.exe
        "C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\roaming\microsoft\templates\ier.dll,HEEPUBQQNOG
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:2416
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\roaming\microsoft\templates\ier.dll,HEEPUBQQNOG
          3⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:1524

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \??\c:\users\admin\appdata\roaming\microsoft\templates\ier.dll
      MD5

      4fa0e6bec5a2f913996fa1e9759370f2

      SHA1

      2410889ab5b865245be493b4bcd5313f63597473

      SHA256

      4843180b19e0c998ef7b02e3be1966d975bec45c9c412719082a042d0c13448c

      SHA512

      81dcebecb60ddda19fc10cee0a4cf692a03842fec85914c066c8ab920b8c07d28c2fcfafc3985649b563f7fcf4dd529e0b252eb7afb21a986c56eaad2f9b6490

      Download Submit
    • \Users\Admin\AppData\Roaming\Microsoft\Templates\ier.dll
      MD5

      4fa0e6bec5a2f913996fa1e9759370f2

      SHA1

      2410889ab5b865245be493b4bcd5313f63597473

      SHA256

      4843180b19e0c998ef7b02e3be1966d975bec45c9c412719082a042d0c13448c

      SHA512

      81dcebecb60ddda19fc10cee0a4cf692a03842fec85914c066c8ab920b8c07d28c2fcfafc3985649b563f7fcf4dd529e0b252eb7afb21a986c56eaad2f9b6490

      Download Submit
    • memory/188-258-0x0000000000000000-mapping.dmp
      Download
    • memory/1524-323-0x00000000027F0000-0x00000000027F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1524-322-0x00000000735F0000-0x00000000735FA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1524-285-0x0000000000000000-mapping.dmp
      Download
    • memory/2416-279-0x0000000000000000-mapping.dmp
      Download
    • memory/3968-117-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3968-123-0x00007FFDBC0C0000-0x00007FFDBDFB5000-memory.dmp
      Filesize

      31.0MB

      Download
    • memory/3968-122-0x00007FFDBDFC0000-0x00007FFDBF0AE000-memory.dmp
      Filesize

      16.9MB

      Download
    • memory/3968-118-0x00007FFDC4560000-0x00007FFDC7083000-memory.dmp
      Filesize

      43.1MB

      Download
    • memory/3968-119-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3968-114-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3968-116-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3968-115-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp
      Filesize

      64KB

      Download