hancitor | 8bde2931a468cc81994985ec803bda715ea70ef2337defc252f404efc8650a51

General

Target

8bde2931a468cc81994985ec803bda715ea70ef2337defc252f404efc8650a51.vbs
Size

592KB
MD5

393258a792991fdab17305e275e5fd31
SHA1

231f60bdb55fc4597a2e4d53d4a43d66429207d2
SHA256

8bde2931a468cc81994985ec803bda715ea70ef2337defc252f404efc8650a51
SHA512

5d67586c90180f0637379bc7537b180a9083e5a125a9927a7320151a6a8e23a0dffefddccc5712679d1c25c3baddf6e5ac34fa41ff1230484d51c9a7424ae644

Score

10^/10

hancitor 1912_372823 downloader

Malware Config

Extracted

Family

hancitor

Botnet

1912_372823

C2

http://howeelyzuq.com/4/forum.php

http://thriondery.ru/4/forum.php

http://craledlopj.ru/4/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	740	regsvr32.exe	28

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid	Process
1656	regsvr32.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description	pid	Process	procid_target
PID 1656 set thread context of 1144	1656	regsvr32.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

svchost.exe

pid	Process
1144	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WScript.exe

pid	Process
1668	WScript.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	Process	procid_target
PID 1708 wrote to memory of 1656	1708	regsvr32.exe	30
PID 1708 wrote to memory of 1656	1708	regsvr32.exe	30
PID 1708 wrote to memory of 1656	1708	regsvr32.exe	30
PID 1708 wrote to memory of 1656	1708	regsvr32.exe	30
PID 1708 wrote to memory of 1656	1708	regsvr32.exe	30
PID 1708 wrote to memory of 1656	1708	regsvr32.exe	30
PID 1708 wrote to memory of 1656	1708	regsvr32.exe	30
PID 1656 wrote to memory of 1144	1656	regsvr32.exe	31
PID 1656 wrote to memory of 1144	1656	regsvr32.exe	31
PID 1656 wrote to memory of 1144	1656	regsvr32.exe	31
PID 1656 wrote to memory of 1144	1656	regsvr32.exe	31
PID 1656 wrote to memory of 1144	1656	regsvr32.exe	31
PID 1656 wrote to memory of 1144	1656	regsvr32.exe	31

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bde2931a468cc81994985ec803bda715ea70ef2337defc252f404efc8650a51.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1668

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\rNjdHLz.txt
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\regsvr32.exe
  -s C:\Users\Admin\AppData\Local\Temp\rNjdHLz.txt
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rNjdHLz.txt

Filesize
138KB

MD5
ea193f350cbcdd48d5bd55e7ea934838

SHA1
b22ca46d1da866f4675916580cf2e8cb690f984b

SHA256
c1cbc33ffd320ea7657a732db883c989370e501fd902dcabfc8a1924b9e4d16b

SHA512
b84dec2a5a9f01d051021018e3f67fc545c11b1d3aec329e95495d411fa7d761feac66034eeea33974260b8c9974111897a51fb50bd68ec71e507d4bcdc22e65

Download Submit
\Users\Admin\AppData\Local\Temp\rNjdHLz.txt

Filesize
138KB

MD5
ea193f350cbcdd48d5bd55e7ea934838

SHA1
b22ca46d1da866f4675916580cf2e8cb690f984b

SHA256
c1cbc33ffd320ea7657a732db883c989370e501fd902dcabfc8a1924b9e4d16b

SHA512
b84dec2a5a9f01d051021018e3f67fc545c11b1d3aec329e95495d411fa7d761feac66034eeea33974260b8c9974111897a51fb50bd68ec71e507d4bcdc22e65

Download Submit
memory/1144-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1144-62-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1144-63-0x0000000000402960-mapping.dmp

Download
memory/1144-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1144-67-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1144-68-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1656-56-0x0000000000000000-mapping.dmp

Download
memory/1656-57-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1656-59-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/1708-54-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads