Overview

overview

10

Static

static

help.doc

windows7_x64

4

help.doc

windows10-2004_x64

10

Resubmissions

31-01-2022 17:33

220131-v42a3sadfj 10

31-01-2022 17:25

220131-vzcrxsadam 8

Analysis

  • max time kernel
    153s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    31-01-2022 17:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    help.doc

  • Size

    735KB

  • MD5

    271666888b46008b726d889c40f5e92c

  • SHA1

    5ac08cbdf22aa6a376c51da037aeab03392ee009

  • SHA256

    f6375e696e2e5b3b738346a86a19991eccf89be18e731807114d87fedf77f415

  • SHA512

    af6cc3e91d78c985813484d13eeeaf4026b82c49f4c6536f51f64b25e8702aca01de79db25c2fb37a47af1da51c320d573e03097c243fa6aaac952bed6c7cc16

Score
10/10
hancitor3101_sjiuwedownloaderpersistence

Malware Config

Extracted

Family

hancitor

Botnet

3101_sjiuwe

C2

http://cinenmera.com/9/forum.php

http://biquagin.ru/9/forum.php

http://joirwsin.ru/9/forum.php

Signatures

  • Hancitor

    Hancitor is downloader used to deliver other malware families.

    downloaderhancitor
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • NTFS ADS 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\help.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2368
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c cd c:\users\admin\appdata\roaming\microsoft\templates && ping localhost -n 10 && c:\users\admin\appdata\roaming\microsoft\templates/1.bat
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\Windows\system32\PING.EXE
          ping localhost -n 10
          3⤵
          • Runs ping.exe
          PID:3104
        • C:\Windows\system32\cmd.exe
          cmd.exe /c ping localhost -n 10
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4072
          • C:\Windows\system32\PING.EXE
            ping localhost -n 10
            4⤵
            • Runs ping.exe
            PID:1640
        • C:\Windows\system32\rundll32.exe
          rundll32.exe iff.bin,NKBBAYRMEIHGRIM
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3048
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32.exe iff.bin,NKBBAYRMEIHGRIM
            4⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            PID:3448
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
      1⤵
        PID:3744
      • C:\Windows\System32\WaaSMedicAgent.exe
        C:\Windows\System32\WaaSMedicAgent.exe eb7f796056fe6d4a827198a2c7d3d8b5 TBo7b32vUkOXZ7eVEHrhRg.0.1.0.0.0
        1⤵
        • Modifies data under HKEY_USERS
        PID:2808

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/792-134-0x00007FF91BBB0000-0x00007FF91BBC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/792-130-0x00007FF91BBB0000-0x00007FF91BBC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/792-137-0x00007FF919850000-0x00007FF919860000-memory.dmp

        Filesize

        64KB

        Download

      • memory/792-138-0x00007FF919850000-0x00007FF919860000-memory.dmp

        Filesize

        64KB

        Download

      • memory/792-373-0x00007FF91BBB0000-0x00007FF91BBC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/792-374-0x00007FF91BBB0000-0x00007FF91BBC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/792-375-0x00007FF91BBB0000-0x00007FF91BBC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/792-376-0x00007FF91BBB0000-0x00007FF91BBC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/792-133-0x00007FF91BBB0000-0x00007FF91BBC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/792-132-0x00007FF91BBB0000-0x00007FF91BBC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/792-131-0x00007FF91BBB0000-0x00007FF91BBC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3448-380-0x0000000002D40000-0x0000000002D47000-memory.dmp

        Filesize

        28KB

        Download

      • memory/3448-381-0x0000000002D60000-0x0000000002D68000-memory.dmp

        Filesize

        32KB

        Download