Overview

overview

10

Static

static

18ee8e11fe...94.dll

windows7_x64

10

18ee8e11fe...94.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    125s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    15-03-2022 09:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18ee8e11fed332e1d38eaa8d6eb6549798681cc5ddc8d0709c3efcb80dc34994.dll

  • Size

    1.7MB

  • MD5

    cc4c4ed0880dc4c949d2c5b82215c1f5

  • SHA1

    8bac526732429816b185a27f276291fcacc864f4

  • SHA256

    18ee8e11fed332e1d38eaa8d6eb6549798681cc5ddc8d0709c3efcb80dc34994

  • SHA512

    662aa21aa4d046166ae747b7cbdd51b23c7ad629efa92271083ffad20e39027f48428b3095471950718cf6a14bd3b9caa6042525c74dc62a7b063c0549bd5919

Score
10/10
hancitor1403_nerfdownloader

Malware Config

Extracted

Family

hancitor

Botnet

1403_nerf

C2

http://ordernema.com/9/forum.php

http://roobberle.ru/9/forum.php

http://sardogradu.ru/9/forum.php

Signatures

  • Hancitor

    Hancitor is downloader used to deliver other malware families.

    downloaderhancitor
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\18ee8e11fed332e1d38eaa8d6eb6549798681cc5ddc8d0709c3efcb80dc34994.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4348
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\18ee8e11fed332e1d38eaa8d6eb6549798681cc5ddc8d0709c3efcb80dc34994.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 640
        3⤵
        • Program crash
        PID:1480
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 640
        3⤵
        • Program crash
        PID:212
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1720 -ip 1720
    1⤵
      PID:3020

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1720-134-0x0000000001540000-0x0000000001547000-memory.dmp

      Filesize

      28KB

      Download

    • memory/1720-135-0x0000000001560000-0x0000000001568000-memory.dmp

      Filesize

      32KB

      Download