hancitor | 81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218

General

Target

81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe
Size

521KB
MD5

6daad96aa8bb3a1dd6de3e17e37e4d04
SHA1

5974bbf965584a1a36c346710210bc4340f2e914
SHA256

81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218
SHA512

5f4a042cb09bd0de477b69f19d832b58470de7328c79489ee953712c071acbac72fd0fc79f014f22f95d3173f2baea73e2086ab87c33898d6d709a3539b81324

Score

10^/10

hancitor 1410_7_qw downloader persistence

Malware Config

Extracted

Family

hancitor

Botnet

1410_7_qw

C2

http://iverspriturs.com/7/forum.php

http://chormetdendu.ru/7/forum.php

http://appinrelifle.ru/7/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Executes dropped EXE 1 IoCs

Processes:

WinHost32.exe

pid	Process
2164	WinHost32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinHost32 = "C:\\Windows\\System32\\WinHost32.exe"	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
19	api.ipify.org

Drops file in System32 directory 1 IoCs

Processes:

81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\WinHost32.exe	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exeWinHost32.exe

pid	Process
2420	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe
2420	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe
2164	WinHost32.exe
2164	WinHost32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe

description	pid	Process	procid_target
PID 2420 wrote to memory of 2164	2420	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe	82
PID 2420 wrote to memory of 2164	2420	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe	82
PID 2420 wrote to memory of 2164	2420	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe	82
PID 2420 wrote to memory of 4944	2420	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe	83
PID 2420 wrote to memory of 4944	2420	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe	83
PID 2420 wrote to memory of 4944	2420	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe	83

C:\Users\Admin\AppData\Local\Temp\81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe
"C:\Users\Admin\AppData\Local\Temp\81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\WinHost32.exe
  C:\Windows\System32\WinHost32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2164
- C:\Windows\SysWOW64\cmd.exe
  /c del C:\Users\Admin\AppData\Local\Temp\81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe >> NUL
  2⤵
  PID:4944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\WinHost32.exe

Filesize
521KB

MD5
6daad96aa8bb3a1dd6de3e17e37e4d04

SHA1
5974bbf965584a1a36c346710210bc4340f2e914

SHA256
81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218

SHA512
5f4a042cb09bd0de477b69f19d832b58470de7328c79489ee953712c071acbac72fd0fc79f014f22f95d3173f2baea73e2086ab87c33898d6d709a3539b81324

Download Submit
C:\Windows\SysWOW64\WinHost32.exe

Filesize
521KB

MD5
6daad96aa8bb3a1dd6de3e17e37e4d04

SHA1
5974bbf965584a1a36c346710210bc4340f2e914

SHA256
81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218

SHA512
5f4a042cb09bd0de477b69f19d832b58470de7328c79489ee953712c071acbac72fd0fc79f014f22f95d3173f2baea73e2086ab87c33898d6d709a3539b81324

Download Submit
memory/2164-131-0x0000000000000000-mapping.dmp

Download
memory/2164-136-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2420-130-0x00000000021F0000-0x0000000002215000-memory.dmp

Filesize
148KB

Download
memory/2420-135-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4944-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads