Analysis
-
max time kernel
140s -
max time network
152s -
platform
windows10_x64 -
resource
win10-20220331-en -
submitted
05-04-2022 05:36
General
-
Target
V3158D2199.doc
-
Size
943KB
-
MD5
db770ed53fa4d80325dd5da9f9602445
-
SHA1
e883d5e246841e2ca50c9f6b177d276fbdbcf903
-
SHA256
543cdd57d5a93f18c0b357a04c191632aefa9c38e3bd6947ade49745307cf6a3
-
SHA512
760f49ae2c2b3df620ee272ce06974b163ad9701c1810c6489b689a9d166f3699fbdd78a8a5ea14c09e1afe162c4a5c04b8c64e9247b4440b63f05a95b3b70f6
Malware Config
Extracted
hancitor
2103_punosh
http://nanogeelr.com/9/forum.php
http://ockpitehou.ru/9/forum.php
http://lumentsawfu.ru/9/forum.php
Signatures
-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 4 IoCs
-
Suspicious behavior: AddClipboardFormatListener 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 45 IoCs
-
Suspicious use of SendNotifyMessage 45 IoCs
-
Suspicious use of SetWindowsHookEx 19 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\V3158D2199.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Windows\SYSTEM32\extrac32.exeextrac32.exe helff.hp_2⤵
- Process spawned unexpected child process
-
-
C:\Windows\SYSTEM32\rundll32.exerundll32.exe helf.hpl,YDCFOMQICNKAUXS2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe helf.hpl,YDCFOMQICNKAUXS3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\V3158D2199.doc" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21B
MD5f1b59332b953b3c99b3c95a44249c0d2
SHA11b16a2ca32bf8481e18ff8b7365229b598908991
SHA256138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA5123c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
Filesize
417B
MD5c56ff60fbd601e84edd5a0ff1010d584
SHA1342abb130dabeacde1d8ced806d67a3aef00a749
SHA256200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
Filesize
87B
MD5e4e83f8123e9740b8aa3c3dfa77c1c04
SHA15281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA2566034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
Filesize
14B
MD56ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
Filesize
14B
MD56ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
Filesize
142KB
MD5473d56807eafdabc7bcb2aac200f6906
SHA1c802635df98b19ed0e798c447017046cf2070b8c
SHA2561e5e85175ee23ea3eebd223f55cf2c59dec07dcef3bfa3c24d2fdf6b9356c666
SHA512e636e0cb6d1db0d75366f3a9fe50aa2066767337f83390924045924b87baa803d0434ead72aa090c7e20615534cafa77ff9fc86f3f13780081881b31a1aafad2
-
Filesize
24KB
MD5b00f3f56c104c94e03cd2ad8452c14e7
SHA151b78e45015e0d9d62fbdf31b75a22535a107204
SHA256ba2b669020334ff01a85bfc900ea4371ea557bd315f154875d9bdfdc16ae8b50
SHA51293e1609be5bbb414c285f37432ce93294c3d1583ef46c7c6c570c122f0b166c34b0ad87de708005c8af97dee27923ba53395a34c2563cdadf3c0a708848b3525
-
Filesize
799KB
MD50e71bc3c48b2cb1b5fcd107c2a1eb772
SHA19276387d7ba0f9a92b743c6d7cca30ce92752308
SHA256d71ba9640c1c7bb714cd772a6a8c5f62affa9230e3eb68dcdd89793452178c40
SHA512bfe545e8bedd2e7582811fbb88d6286ed23b985c68fed55340309b3baf6c85f3b8ec2b3cf4b85d65c36ceba5f034c0dc8773fc0c5d0bad7f0c8499d0b5a9fcdf
-
Filesize
3KB
MD5be0ce64e3405d1d2d943cbcb9fd1dd8a
SHA1e350b2b324352946e313ed0c07e028ba6fa83be4
SHA256b17e87624743ccdd75d224355d66a01b223f7229a9f39618d65752a1cc81b778
SHA51210358fdf57090a0122e09c71e449e3c2ebac1cb075020fd25f3df70acd1f99ffca45ad7bdd649be0999c2a98dda5ade1fc5284e96a59948b416d591845406d21
-
Filesize
1.7MB
MD55df3d0f5c72cf5e5f5558d0427fbe188
SHA17f3d18d51f70b226fd93cdcc50b30f24584e54a9
SHA256446322c5499d41edee0ca0b83aba36f0cc74ed4743a2e50e6eb36d2a3469d85f
SHA51285b4bac6afcb5e909ba6b805ef14479305a785a68b99893287bdb07c5a55e51db8f22c2ab5343d7898e07a8de424357377aacd8c5c1288e06d07fefaa2d0c757
-
Filesize
1.7MB
MD55df3d0f5c72cf5e5f5558d0427fbe188
SHA17f3d18d51f70b226fd93cdcc50b30f24584e54a9
SHA256446322c5499d41edee0ca0b83aba36f0cc74ed4743a2e50e6eb36d2a3469d85f
SHA51285b4bac6afcb5e909ba6b805ef14479305a785a68b99893287bdb07c5a55e51db8f22c2ab5343d7898e07a8de424357377aacd8c5c1288e06d07fefaa2d0c757
-
Filesize
1.7MB
MD55df3d0f5c72cf5e5f5558d0427fbe188
SHA17f3d18d51f70b226fd93cdcc50b30f24584e54a9
SHA256446322c5499d41edee0ca0b83aba36f0cc74ed4743a2e50e6eb36d2a3469d85f
SHA51285b4bac6afcb5e909ba6b805ef14479305a785a68b99893287bdb07c5a55e51db8f22c2ab5343d7898e07a8de424357377aacd8c5c1288e06d07fefaa2d0c757
-
Filesize
472KB
-
Filesize
240KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
28KB
-
Filesize
1.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB