Analysis
-
max time kernel
1769s -
max time network
1791s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
14-07-2021 22:47
Static task
static1
Behavioral task
behavioral1
Sample
0714_6667737000.doc
Resource
win10v20210410
General
-
Target
0714_6667737000.doc
-
Size
950KB
-
MD5
ca3863086e54e017e5ee340947357c0c
-
SHA1
958fd07c6258321c99ceed63910aaf5d961c83a4
-
SHA256
986aa81b4d67fafde1f7052d5d61025ca059c68516d21d8e4b12f22bfcb68220
-
SHA512
5b9d82a551fbb4ba3083abad64b786d7dac2d7cd66aa672c0a6474203aa891d6665a8fcee5faec18f956a98858b72e7c22110f1a10e4f7ad80a51828eea7a739
Malware Config
Extracted
hancitor
1407_bdgtq
http://wortlybeentax.com/8/forum.php
http://omermancto.ru/8/forum.php
http://metweveer.ru/8/forum.php
Signatures
-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 2416 3968 rundll32.exe WINWORD.EXE -
Blocklisted process makes network request 16 IoCs
Processes:
rundll32.exeflow pid process 31 1524 rundll32.exe 33 1524 rundll32.exe 37 1524 rundll32.exe 38 1524 rundll32.exe 43 1524 rundll32.exe 44 1524 rundll32.exe 45 1524 rundll32.exe 46 1524 rundll32.exe 47 1524 rundll32.exe 48 1524 rundll32.exe 49 1524 rundll32.exe 56 1524 rundll32.exe 57 1524 rundll32.exe 58 1524 rundll32.exe 59 1524 rundll32.exe 60 1524 rundll32.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 1524 rundll32.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 30 api.ipify.org -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
NTFS ADS 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Temp\{740B261C-B7D4-488F-9C2A-027B8256B5CF}\ter.dll:Zone.Identifier WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3968 WINWORD.EXE 3968 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
rundll32.exepid process 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe 1524 rundll32.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
WINWORD.EXEpid process 3968 WINWORD.EXE 3968 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 16 IoCs
Processes:
WINWORD.EXEpid process 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
WINWORD.EXErundll32.exedescription pid process target process PID 3968 wrote to memory of 188 3968 WINWORD.EXE splwow64.exe PID 3968 wrote to memory of 188 3968 WINWORD.EXE splwow64.exe PID 3968 wrote to memory of 2416 3968 WINWORD.EXE rundll32.exe PID 3968 wrote to memory of 2416 3968 WINWORD.EXE rundll32.exe PID 2416 wrote to memory of 1524 2416 rundll32.exe rundll32.exe PID 2416 wrote to memory of 1524 2416 rundll32.exe rundll32.exe PID 2416 wrote to memory of 1524 2416 rundll32.exe rundll32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0714_6667737000.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\roaming\microsoft\templates\ier.dll,HEEPUBQQNOG2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\roaming\microsoft\templates\ier.dll,HEEPUBQQNOG3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\??\c:\users\admin\appdata\roaming\microsoft\templates\ier.dllMD5
4fa0e6bec5a2f913996fa1e9759370f2
SHA12410889ab5b865245be493b4bcd5313f63597473
SHA2564843180b19e0c998ef7b02e3be1966d975bec45c9c412719082a042d0c13448c
SHA51281dcebecb60ddda19fc10cee0a4cf692a03842fec85914c066c8ab920b8c07d28c2fcfafc3985649b563f7fcf4dd529e0b252eb7afb21a986c56eaad2f9b6490
-
\Users\Admin\AppData\Roaming\Microsoft\Templates\ier.dllMD5
4fa0e6bec5a2f913996fa1e9759370f2
SHA12410889ab5b865245be493b4bcd5313f63597473
SHA2564843180b19e0c998ef7b02e3be1966d975bec45c9c412719082a042d0c13448c
SHA51281dcebecb60ddda19fc10cee0a4cf692a03842fec85914c066c8ab920b8c07d28c2fcfafc3985649b563f7fcf4dd529e0b252eb7afb21a986c56eaad2f9b6490
-
memory/188-258-0x0000000000000000-mapping.dmp
-
memory/1524-323-0x00000000027F0000-0x00000000027F1000-memory.dmpFilesize
4KB
-
memory/1524-322-0x00000000735F0000-0x00000000735FA000-memory.dmpFilesize
40KB
-
memory/1524-285-0x0000000000000000-mapping.dmp
-
memory/2416-279-0x0000000000000000-mapping.dmp
-
memory/3968-117-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmpFilesize
64KB
-
memory/3968-123-0x00007FFDBC0C0000-0x00007FFDBDFB5000-memory.dmpFilesize
31.0MB
-
memory/3968-122-0x00007FFDBDFC0000-0x00007FFDBF0AE000-memory.dmpFilesize
16.9MB
-
memory/3968-118-0x00007FFDC4560000-0x00007FFDC7083000-memory.dmpFilesize
43.1MB
-
memory/3968-119-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmpFilesize
64KB
-
memory/3968-114-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmpFilesize
64KB
-
memory/3968-116-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmpFilesize
64KB
-
memory/3968-115-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmpFilesize
64KB