Overview

overview

10

Static

static

8

9532743ba2...fa.doc

windows7_x64

4

9532743ba2...fa.doc

windows10-2004_x64

10

Analysis

  • max time kernel
    156s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    31-01-2022 16:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9532743ba2305e568e69d5086a05da30436b30be733548c4d28222bfa9f456fa.doc

  • Size

    322KB

  • MD5

    4ca02d884e80c7333257d762e6964805

  • SHA1

    85c47af2826ab8979b09df68a1ff5a7cb35fed42

  • SHA256

    9532743ba2305e568e69d5086a05da30436b30be733548c4d28222bfa9f456fa

  • SHA512

    e40819c9090c793644bfb52bba15ba346a20bbd2027dcd1e02935433777f8a3c8dc15dce278514ca024b35f559399b82d0419a390c674bcf7d93a463f1907980

Score
10/10
hancitor1609_dkytrdownloaderpersistence

Malware Config

Extracted

Family

hancitor

Botnet

1609_dkytr

C2

http://plivatecez.com/8/forum.php

http://agarreaters.ru/8/forum.php

http://weratiands.ru/8/forum.php

Signatures

  • Hancitor

    Hancitor is downloader used to deliver other malware families.

    downloaderhancitor
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9532743ba2305e568e69d5086a05da30436b30be733548c4d28222bfa9f456fa.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3724
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2104
      • C:\Windows\SYSTEM32\rundll32.exe
        rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\hhhh.mp3,TOCGYOIJGAJ
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:3544
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\hhhh.mp3,TOCGYOIJGAJ
          3⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:628
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
      1⤵
        PID:3872
      • C:\Windows\System32\WaaSMedicAgent.exe
        C:\Windows\System32\WaaSMedicAgent.exe 43730b6294f5ced4732156264fa1bf67 J6v8hJj9zU2k/m5PH3DSew.0.1.0.0.0
        1⤵
        • Modifies data under HKEY_USERS
        PID:448

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/628-371-0x0000000074AF0000-0x0000000074B30000-memory.dmp

        Filesize

        256KB

        Download

      • memory/628-372-0x0000000074AF0000-0x0000000074AFA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/628-373-0x0000000004860000-0x0000000004861000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3724-130-0x00007FFE769D0000-0x00007FFE769E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3724-131-0x00007FFE769D0000-0x00007FFE769E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3724-132-0x00007FFE769D0000-0x00007FFE769E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3724-133-0x00007FFE769D0000-0x00007FFE769E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3724-134-0x00007FFE769D0000-0x00007FFE769E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3724-137-0x00007FFE74840000-0x00007FFE74850000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3724-138-0x00007FFE74840000-0x00007FFE74850000-memory.dmp

        Filesize

        64KB

        Download