hancitor | 8c96d5c65053baa59e62bcce2319d520c20feb87d2af5a48b39f58c940e602c9

Analysis

max time kernel
140s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
16-02-2022 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

moexx.dll
Size

1.2MB
MD5

d45abc73d387c5c660733ef9e9802abf
SHA1

dbe52585fb8a4a83dda437cd435e65e7f53da174
SHA256

8c96d5c65053baa59e62bcce2319d520c20feb87d2af5a48b39f58c940e602c9
SHA512

47282bd781ede4c520d4eb39160e67fc25b56921506c9fbb57c32b1fafd4cb343c80a538c1564d480fa51f03cff290cd90ff069c525bf4e7bbb7330187de57b5

Score

10^/10

hancitor 1402_dfjk23 downloader

Malware Config

Extracted

Family

hancitor

Botnet

1402_dfjk23

http://binetetakoz.com/9/forum.php

http://tatalously.ru/9/forum.php

http://veletionro.ru/9/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3564 created 4820	3564	WerFault.exe	81

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5052	4820	WerFault.exe	81

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5052	WerFault.exe
5052	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5052	WerFault.exe
Token: SeBackupPrivilege	5052	WerFault.exe
Token: SeShutdownPrivilege	3084	svchost.exe
Token: SeCreatePagefilePrivilege	3084	svchost.exe
Token: SeShutdownPrivilege	3084	svchost.exe
Token: SeCreatePagefilePrivilege	3084	svchost.exe
Token: SeShutdownPrivilege	3084	svchost.exe
Token: SeCreatePagefilePrivilege	3084	svchost.exe
Token: SeSecurityPrivilege	1344	TiWorker.exe
Token: SeRestorePrivilege	1344	TiWorker.exe
Token: SeBackupPrivilege	1344	TiWorker.exe
Token: SeBackupPrivilege	1344	TiWorker.exe
Token: SeRestorePrivilege	1344	TiWorker.exe
Token: SeSecurityPrivilege	1344	TiWorker.exe
Token: SeBackupPrivilege	1344	TiWorker.exe
Token: SeRestorePrivilege	1344	TiWorker.exe
Token: SeSecurityPrivilege	1344	TiWorker.exe
Token: SeBackupPrivilege	1344	TiWorker.exe
Token: SeRestorePrivilege	1344	TiWorker.exe
Token: SeSecurityPrivilege	1344	TiWorker.exe
Token: SeBackupPrivilege	1344	TiWorker.exe
Token: SeRestorePrivilege	1344	TiWorker.exe
Token: SeSecurityPrivilege	1344	TiWorker.exe
Token: SeBackupPrivilege	1344	TiWorker.exe
Token: SeRestorePrivilege	1344	TiWorker.exe
Token: SeSecurityPrivilege	1344	TiWorker.exe
Token: SeBackupPrivilege	1344	TiWorker.exe
Token: SeRestorePrivilege	1344	TiWorker.exe
Token: SeSecurityPrivilege	1344	TiWorker.exe
Token: SeBackupPrivilege	1344	TiWorker.exe
Token: SeRestorePrivilege	1344	TiWorker.exe
Token: SeSecurityPrivilege	1344	TiWorker.exe
Token: SeBackupPrivilege	1344	TiWorker.exe
Token: SeRestorePrivilege	1344	TiWorker.exe
Token: SeSecurityPrivilege	1344	TiWorker.exe
Token: SeBackupPrivilege	1344	TiWorker.exe
Token: SeRestorePrivilege	1344	TiWorker.exe
Token: SeSecurityPrivilege	1344	TiWorker.exe
Token: SeBackupPrivilege	1344	TiWorker.exe
Token: SeRestorePrivilege	1344	TiWorker.exe
Token: SeSecurityPrivilege	1344	TiWorker.exe
Token: SeBackupPrivilege	1344	TiWorker.exe
Token: SeRestorePrivilege	1344	TiWorker.exe
Token: SeSecurityPrivilege	1344	TiWorker.exe
Token: SeBackupPrivilege	1344	TiWorker.exe
Token: SeRestorePrivilege	1344	TiWorker.exe
Token: SeSecurityPrivilege	1344	TiWorker.exe
Token: SeBackupPrivilege	1344	TiWorker.exe
Token: SeRestorePrivilege	1344	TiWorker.exe
Token: SeSecurityPrivilege	1344	TiWorker.exe
Token: SeBackupPrivilege	1344	TiWorker.exe
Token: SeRestorePrivilege	1344	TiWorker.exe
Token: SeSecurityPrivilege	1344	TiWorker.exe
Token: SeBackupPrivilege	1344	TiWorker.exe
Token: SeRestorePrivilege	1344	TiWorker.exe
Token: SeSecurityPrivilege	1344	TiWorker.exe
Token: SeBackupPrivilege	1344	TiWorker.exe
Token: SeRestorePrivilege	1344	TiWorker.exe
Token: SeSecurityPrivilege	1344	TiWorker.exe
Token: SeBackupPrivilege	1344	TiWorker.exe
Token: SeRestorePrivilege	1344	TiWorker.exe
Token: SeSecurityPrivilege	1344	TiWorker.exe
Token: SeBackupPrivilege	1344	TiWorker.exe
Token: SeRestorePrivilege	1344	TiWorker.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 4820	808	rundll32.exe	81
PID 808 wrote to memory of 4820	808	rundll32.exe	81
PID 808 wrote to memory of 4820	808	rundll32.exe	81
PID 3564 wrote to memory of 4820	3564	WerFault.exe	81
PID 3564 wrote to memory of 4820	3564	WerFault.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\moexx.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\moexx.dll,#1
  2⤵
  PID:4820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 632
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4820 -ip 4820
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3084-133-0x00000240A0960000-0x00000240A0970000-memory.dmp

Filesize
64KB

Download
memory/3084-134-0x00000240A1020000-0x00000240A1030000-memory.dmp

Filesize
64KB

Download
memory/3084-135-0x00000240A36E0000-0x00000240A36E4000-memory.dmp

Filesize
16KB

Download
memory/4820-130-0x0000000002250000-0x0000000002395000-memory.dmp

Filesize
1.3MB

Download
memory/4820-131-0x00000000009C0000-0x00000000009C7000-memory.dmp

Filesize
28KB

Download
memory/4820-132-0x00000000024B0000-0x00000000024B8000-memory.dmp

Filesize
32KB

Download