Analysis
- max time kernel: 75s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 25-06-2022 05:21
Static task
- static1

Behavioral task
- behavioral1
  Sample: 49cb613e0241e2a1e3ac064f3465f887403f69d438775c15211a213d208a0f6c.dll
  Resource: win7-20220414-en

Behavioral task
- behavioral2
  Sample: 49cb613e0241e2a1e3ac064f3465f887403f69d438775c15211a213d208a0f6c.dll
  Resource: win10v2004-20220414-en
General
- Target: 49cb613e0241e2a1e3ac064f3465f887403f69d438775c15211a213d208a0f6c.dll
- Size: 163KB
- MD5: 0470a08d9e4c7dd14a95adc5753f0eb4
- SHA1: e20ad5368273f15e2d5a34e80ffc1c72b9e43ee8
- SHA256: 49cb613e0241e2a1e3ac064f3465f887403f69d438775c15211a213d208a0f6c
- SHA512: e64ce93037a872666d8f849377c6f831ee74ae2d1f9b03b04b0bd4cf4f51b587304d83a0f478bf9bc3f9ef50c07327c338aea913f0df6b517840e4d3b027ed12
Malware Config
- Extracted
  Family: hancitor
  Build ID: 2701_236743
  C2 URLs:
  - http://diermedir.com/4/forum.php
  - http://ussismates.ru/4/forum.php
  - http://wernmicaz.ru/4/forum.php
Signatures
- Hancitor
  Hancitor is a downloader used to deliver other malware families.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    4    | api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                        | pid | process      | target process
    PID 112 set thread context of 1436 | 112 | rundll32.exe | svchost.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid  | process
    1436 | svchost.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    description                      | pid  | process      | target process
    PID 2040 wrote to memory of 112  | 2040 | rundll32.exe | rundll32.exe
    PID 2040 wrote to memory of 112  | 2040 | rundll32.exe | rundll32.exe
    PID 2040 wrote to memory of 112  | 2040 | rundll32.exe | rundll32.exe
    PID 2040 wrote to memory of 112  | 2040 | rundll32.exe | rundll32.exe
    PID 2040 wrote to memory of 112  | 2040 | rundll32.exe | rundll32.exe
    PID 2040 wrote to memory of 112  | 2040 | rundll32.exe | rundll32.exe
    PID 2040 wrote to memory of 112  | 2040 | rundll32.exe | rundll32.exe
    PID 112 wrote to memory of 1436  | 112  | rundll32.exe | svchost.exe
    PID 112 wrote to memory of 1436  | 112  | rundll32.exe | svchost.exe
    PID 112 wrote to memory of 1436  | 112  | rundll32.exe | svchost.exe
    PID 112 wrote to memory of 1436  | 112  | rundll32.exe | svchost.exe
    PID 112 wrote to memory of 1436  | 112  | rundll32.exe | svchost.exe
    PID 112 wrote to memory of 1436  | 112  | rundll32.exe | svchost.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\49cb613e0241e2a1e3ac064f3465f887403f69d438775c15211a213d208a0f6c.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\49cb613e0241e2a1e3ac064f3465f887403f69d438775c15211a213d208a0f6c.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\System32\svchost.exe
      - Suspicious behavior: EnumeratesProcesses
Downloads
  file                                                                   | filesize
  memory/112-65-0x0000000000160000-0x0000000000169000-memory.dmp         | 36KB
  memory/112-55-0x0000000075191000-0x0000000075193000-memory.dmp         | 8KB
  memory/112-56-0x0000000000160000-0x0000000000169000-memory.dmp         | 36KB
  memory/112-57-0x0000000000210000-0x000000000021C000-memory.dmp         | 48KB
  memory/112-64-0x0000000000210000-0x000000000021C000-memory.dmp         | 48KB
  memory/112-62-0x0000000000210000-0x000000000021C000-memory.dmp         | 48KB
  memory/112-54-0x0000000000000000-mapping.dmp                           | -
  memory/1436-58-0x0000000000400000-0x0000000000409000-memory.dmp        | 36KB
  memory/1436-60-0x0000000000400000-0x0000000000409000-memory.dmp        | 36KB
  memory/1436-61-0x0000000000402960-mapping.dmp                          | -
  memory/1436-66-0x0000000000400000-0x0000000000409000-memory.dmp        | 36KB
  memory/1436-67-0x0000000000400000-0x0000000000409000-memory.dmp        | 36KB
  memory/1436-69-0x0000000000400000-0x0000000000409000-memory.dmp        | 36KB