Overview

overview

10

Static

static

8

1123_23395...72.doc

windows7_x64

4

1123_23395...72.doc

windows10_x64

10

Analysis

  • max time kernel
    110s
  • max time network
    138s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    23-11-2021 15:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1123_2339546126972.doc

  • Size

    893KB

  • MD5

    ca52b8e88308d2d3147b0721d6d72626

  • SHA1

    e91c2de24abae6a37f6572b70685a3ce25fe821e

  • SHA256

    a2903ebc67c3549f59ecf6718444f6826030fa29f3701460b9709edbd9aa675b

  • SHA512

    763d1205b1dcb84ffbf59f1ff61a62175a058b6c2d5994d5575ad900b195ee74a085937c6dc669ddb42a2f6a7f45f391d0e4c0b10307ec860ef52c7991f3b6b8

Score
10/10
hancitor2311_nsdirdownloader

Malware Config

Extracted

Family

hancitor

Botnet

2311_nsdir

C2

http://templogio.com/9/forum.php

http://johommeract.ru/9/forum.php

http://amesibiquand.ru/9/forum.php

Signatures

  • Hancitor

    Hancitor is downloader used to deliver other malware families.

    downloaderhancitor
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1123_2339546126972.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:3128
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c ping localhost -n 10 & rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\iff.bin,GWCRALYCYIAUAFG
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1232
        • C:\Windows\system32\PING.EXE
          ping localhost -n 10
          3⤵
          • Runs ping.exe
          PID:3496
        • C:\Windows\system32\rundll32.exe
          rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\iff.bin,GWCRALYCYIAUAFG
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1448
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\iff.bin,GWCRALYCYIAUAFG
            4⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            PID:2108

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2108-410-0x0000000010000000-0x0000000010204000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2108-409-0x00000000009E0000-0x00000000009E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2676-122-0x00000278C80C0000-0x00000278C80C2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2676-125-0x00000278C80C0000-0x00000278C80C2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2676-124-0x00007FFD30F30000-0x00007FFD30F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2676-123-0x00000278C80C0000-0x00000278C80C2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2676-118-0x00007FFD30F30000-0x00007FFD30F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2676-121-0x00007FFD30F30000-0x00007FFD30F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2676-120-0x00007FFD30F30000-0x00007FFD30F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2676-119-0x00007FFD30F30000-0x00007FFD30F40000-memory.dmp

      Filesize

      64KB

      Download