Analysis
-
max time kernel
50s -
max time network
116s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
08-07-2022 00:38
General
-
Target
WIS_868087283709651.vbs
-
Size
726KB
-
MD5
a21cda7e8d89d17b1bbc3c27035b132c
-
SHA1
357ab07a728aa6e1cadae86f47ac0ebefda296bf
-
SHA256
ec12eb1046c20c246ac6add559a64b52485d251e300c1d2dd4503de8a08c73d5
-
SHA512
bf02164fc72977f509771b92c41706e3fb1c357c3245b7cc2aeb15ad2492320a5f834f8fc1bb8531e799fa078c8cf973373916d89478a8c8d0ba4af8abce5d72
Malware Config
Extracted
hancitor
0212_4377843
http://laticivue.com/4/forum.php
http://isintilexts.ru/4/forum.php
http://sailitisk.ru/4/forum.php
Signatures
-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Loads dropped DLL 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WIS_868087283709651.vbs"1⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\regsvr32.exeregsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\RodQw.txt1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe-s C:\Users\Admin\AppData\Local\Temp\RodQw.txt2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\System32\svchost.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 6724⤵
- Program crash
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
137KB
MD5daa9b06974fa5963b39e0120babe138c
SHA14cc4588d284bead0d6dae54761de42cd048f77a1
SHA256f01881dbff4546bd2d66a49cc01ee09e306c025aaa4df16022eb826426f2e004
SHA512fad62deded0a108914759bca2f5aa43948024b7032ed4f904ad3fa1e5079c4bc81a7badb31fd975c97b4bd57830f56910b3eeca3ae9fc4a3fd08722e5e0273f2
-
Filesize
137KB
MD5daa9b06974fa5963b39e0120babe138c
SHA14cc4588d284bead0d6dae54761de42cd048f77a1
SHA256f01881dbff4546bd2d66a49cc01ee09e306c025aaa4df16022eb826426f2e004
SHA512fad62deded0a108914759bca2f5aa43948024b7032ed4f904ad3fa1e5079c4bc81a7badb31fd975c97b4bd57830f56910b3eeca3ae9fc4a3fd08722e5e0273f2
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
36KB