hancitor | ca9ebb765d73b6379c2c037f86d2823144137a366bf79a4a974063beff45d55a

General

Target

ca9ebb765d73b6379c2c037f86d2823144137a366bf79a4a974063beff45d55a.vbs
Size

545KB
MD5

97770c143d6f911ad2fb667089f3254b
SHA1

eb2be9136ecad2479b0f8348ce154d48f6c89d25
SHA256

ca9ebb765d73b6379c2c037f86d2823144137a366bf79a4a974063beff45d55a
SHA512

51962e2f84cb1a753268c4ff79a166d754c7d13caaa41d53e1119999a14774721fab4cd9fb05dbf99913db42c9e0b16061685b6945159892ade604821efb734a

Score

10^/10

hancitor 1912_372823 downloader

Malware Config

Extracted

Family

hancitor

Botnet

1912_372823

C2

http://howeelyzuq.com/4/forum.php

http://thriondery.ru/4/forum.php

http://craledlopj.ru/4/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1128 1088 regsvr32.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1720 regsvr32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 1720 set thread context of 1500 1720 regsvr32.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

svchost.exe

pid process

1500 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WScript.exe

pid process

1512 WScript.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	1088	regsvr32.exe

pid	process
1720	regsvr32.exe

flow	ioc
3	api.ipify.org

description	pid	process	target process
PID 1720 set thread context of 1500	1720	regsvr32.exe	svchost.exe

pid	process
1500	svchost.exe

pid	process
1512	WScript.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1128 wrote to memory of 1720	1128	regsvr32.exe	regsvr32.exe
PID 1128 wrote to memory of 1720	1128	regsvr32.exe	regsvr32.exe
PID 1128 wrote to memory of 1720	1128	regsvr32.exe	regsvr32.exe
PID 1128 wrote to memory of 1720	1128	regsvr32.exe	regsvr32.exe
PID 1128 wrote to memory of 1720	1128	regsvr32.exe	regsvr32.exe
PID 1128 wrote to memory of 1720	1128	regsvr32.exe	regsvr32.exe
PID 1128 wrote to memory of 1720	1128	regsvr32.exe	regsvr32.exe
PID 1720 wrote to memory of 1500	1720	regsvr32.exe	svchost.exe
PID 1720 wrote to memory of 1500	1720	regsvr32.exe	svchost.exe
PID 1720 wrote to memory of 1500	1720	regsvr32.exe	svchost.exe
PID 1720 wrote to memory of 1500	1720	regsvr32.exe	svchost.exe
PID 1720 wrote to memory of 1500	1720	regsvr32.exe	svchost.exe
PID 1720 wrote to memory of 1500	1720	regsvr32.exe	svchost.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca9ebb765d73b6379c2c037f86d2823144137a366bf79a4a974063beff45d55a.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1512

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\BVKQBhyq.txt
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\regsvr32.exe
-s C:\Users\Admin\AppData\Local\Temp\BVKQBhyq.txt
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BVKQBhyq.txt
Filesize
138KB

MD5
ea193f350cbcdd48d5bd55e7ea934838

SHA1
b22ca46d1da866f4675916580cf2e8cb690f984b

SHA256
c1cbc33ffd320ea7657a732db883c989370e501fd902dcabfc8a1924b9e4d16b

SHA512
b84dec2a5a9f01d051021018e3f67fc545c11b1d3aec329e95495d411fa7d761feac66034eeea33974260b8c9974111897a51fb50bd68ec71e507d4bcdc22e65

Download Submit
\Users\Admin\AppData\Local\Temp\BVKQBhyq.txt
Filesize
138KB

MD5
ea193f350cbcdd48d5bd55e7ea934838

SHA1
b22ca46d1da866f4675916580cf2e8cb690f984b

SHA256
c1cbc33ffd320ea7657a732db883c989370e501fd902dcabfc8a1924b9e4d16b

SHA512
b84dec2a5a9f01d051021018e3f67fc545c11b1d3aec329e95495d411fa7d761feac66034eeea33974260b8c9974111897a51fb50bd68ec71e507d4bcdc22e65

Download Submit
memory/1128-54-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmp

Filesize
8KB

Download
memory/1500-66-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1500-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1500-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1500-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1500-62-0x0000000000402960-mapping.dmp

Download
memory/1500-68-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1720-57-0x0000000076421000-0x0000000076423000-memory.dmp

Filesize
8KB

Download
memory/1720-65-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/1720-64-0x0000000000180000-0x0000000000189000-memory.dmp

Filesize
36KB

Download
memory/1720-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing