Analysis
- max time kernel: 44s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14-06-2022 22:13
Static task: static1
Behavioral task: behavioral1
- Sample: ca9ebb765d73b6379c2c037f86d2823144137a366bf79a4a974063beff45d55a.vbs
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: ca9ebb765d73b6379c2c037f86d2823144137a366bf79a4a974063beff45d55a.vbs
- Resource: win10v2004-20220414-en
General
- Target: ca9ebb765d73b6379c2c037f86d2823144137a366bf79a4a974063beff45d55a.vbs
- Size: 545KB
- MD5: 97770c143d6f911ad2fb667089f3254b
- SHA1: eb2be9136ecad2479b0f8348ce154d48f6c89d25
- SHA256: ca9ebb765d73b6379c2c037f86d2823144137a366bf79a4a974063beff45d55a
- SHA512: 51962e2f84cb1a753268c4ff79a166d754c7d13caaa41d53e1119999a14774721fab4cd9fb05dbf99913db42c9e0b16061685b6945159892ade604821efb734a
Malware Config
Extracted
- Family: hancitor
- Build: 1912_372823
- C2:
  - http://howeelyzuq.com/4/forum.php
  - http://thriondery.ru/4/forum.php
  - http://craledlopj.ru/4/forum.php
Signatures
- Hancitor
  Hancitor is a downloader used to deliver other malware families.
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description / pid / pid_target / process):
  - Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process / 1128 / 1088 / regsvr32.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  - 1720 / regsvr32.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  - 3 / api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 1720 set thread context of 1500 / 1720 / regsvr32.exe / svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid / process):
  - 1500 / svchost.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid / process):
  - 1512 / WScript.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description / pid / process / target process):
  - PID 1128 wrote to memory of 1720 / 1128 / regsvr32.exe / regsvr32.exe (7 occurrences)
  - PID 1720 wrote to memory of 1500 / 1720 / regsvr32.exe / svchost.exe (6 occurrences)
Processes
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca9ebb765d73b6379c2c037f86d2823144137a366bf79a4a974063beff45d55a.vbs"
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\BVKQBhyq.txt
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: -s C:\Users\Admin\AppData\Local\Temp\BVKQBhyq.txt
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\System32\svchost.exe
      - Suspicious behavior: EnumeratesProcesses
Downloads
- C:\Users\Admin\AppData\Local\Temp\BVKQBhyq.txt (also recorded as \Users\Admin\AppData\Local\Temp\BVKQBhyq.txt)
  - Filesize: 138KB
  - MD5: ea193f350cbcdd48d5bd55e7ea934838
  - SHA1: b22ca46d1da866f4675916580cf2e8cb690f984b
  - SHA256: c1cbc33ffd320ea7657a732db883c989370e501fd902dcabfc8a1924b9e4d16b
  - SHA512: b84dec2a5a9f01d051021018e3f67fc545c11b1d3aec329e95495d411fa7d761feac66034eeea33974260b8c9974111897a51fb50bd68ec71e507d4bcdc22e65
- memory/1128-54-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmp (Filesize: 8KB)
- memory/1500-66-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/1500-69-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/1500-59-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/1500-61-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/1500-62-0x0000000000402960-mapping.dmp
- memory/1500-68-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/1720-57-0x0000000076421000-0x0000000076423000-memory.dmp (Filesize: 8KB)
- memory/1720-65-0x00000000001F0000-0x00000000001FC000-memory.dmp (Filesize: 48KB)
- memory/1720-64-0x0000000000180000-0x0000000000189000-memory.dmp (Filesize: 36KB)
- memory/1720-56-0x0000000000000000-mapping.dmp