General

  • Target

    1103_14362911310860.doc

  • Size

    575KB

  • Sample

    211103-vwkncsecg4

  • MD5

    03f2cf841f25fd9f0d07f464c2a9133d

  • SHA1

    a80e08c87f07aba1ce1eca5cfcba51d20430f01c

  • SHA256

    d6f2ee94fd715abc31b155c764111e683e6b1209ee4c188a5b360432a32444c9

  • SHA512

    e4d322c9a7c73f0aba31469e768f620041c1cde236792478edc7b9e2288efdadf3f67277c9995fdd70ee255176de208d63fd50aac0fa91bc5f7c6fa7bcc12db5

Malware Config

Extracted

Family

hancitor

Botnet

0211_ponxwe

C2

http://mettlybothe.com/8/forum.php

http://herstrairzoj.ru/8/forum.php

http://allonsetkes.ru/8/forum.php

Targets

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
