hancitor | 57b8fd07105b7053c150c5e228607f5eaf896996e0530cf71246ce8cda59f19b

General

Target

HAV_388323793314316.vbs
Size

823KB
MD5

d1adedc9554d952db4e8277ded9070f1
SHA1

71d96853e7a7ac197cf9930ecae348e91bebcfbf
SHA256

8c077bb379c38ab73289605c3d36a8b23df04fc785754ad03efd1c3cd02c1ed2
SHA512

cfcf1e91357a7e6d73329bc28fb217189b88dde386ee6a1c9d0cf8e9ab79774b4d72b4294b77c430db84d1e6d77126d4823a190b10375a049e834595c4f9c3c3

Score

10^/10

hancitor 0312_7834534 downloader

Malware Config

Extracted

Family

hancitor

Botnet

0312_7834534

C2

http://wintroperly.com/4/forum.php

http://thatimine.ru/4/forum.php

http://lardershe.ru/4/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1940 1244 regsvr32.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

980 regsvr32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 980 set thread context of 2036 980 regsvr32.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

svchost.exe

pid process

2036 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WScript.exe

pid process

1672 WScript.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1244	regsvr32.exe

pid	process
980	regsvr32.exe

flow	ioc
3	api.ipify.org

description	pid	process	target process
PID 980 set thread context of 2036	980	regsvr32.exe	svchost.exe

pid	process
2036	svchost.exe

pid	process
1672	WScript.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1940 wrote to memory of 980	1940	regsvr32.exe	regsvr32.exe
PID 1940 wrote to memory of 980	1940	regsvr32.exe	regsvr32.exe
PID 1940 wrote to memory of 980	1940	regsvr32.exe	regsvr32.exe
PID 1940 wrote to memory of 980	1940	regsvr32.exe	regsvr32.exe
PID 1940 wrote to memory of 980	1940	regsvr32.exe	regsvr32.exe
PID 1940 wrote to memory of 980	1940	regsvr32.exe	regsvr32.exe
PID 1940 wrote to memory of 980	1940	regsvr32.exe	regsvr32.exe
PID 980 wrote to memory of 2036	980	regsvr32.exe	svchost.exe
PID 980 wrote to memory of 2036	980	regsvr32.exe	svchost.exe
PID 980 wrote to memory of 2036	980	regsvr32.exe	svchost.exe
PID 980 wrote to memory of 2036	980	regsvr32.exe	svchost.exe
PID 980 wrote to memory of 2036	980	regsvr32.exe	svchost.exe
PID 980 wrote to memory of 2036	980	regsvr32.exe	svchost.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HAV_388323793314316.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1672

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\kzkKVcIk.txt
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\regsvr32.exe
-s C:\Users\Admin\AppData\Local\Temp\kzkKVcIk.txt
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kzkKVcIk.txt
Filesize
122KB

MD5
c296bbf9e01451686f9aaf2b1570d592

SHA1
dc79c263fb5b99e7cde75c1c6b6f40e6354150c2

SHA256
696c1bcc74a4d081244c47530f48aa91d34513a97a1a415c96fafe7672d22c2d

SHA512
9b6b8dd52bade30c7f735196ce10bb5b3c225fb58f4711968567b77594864a8d4ab006ea312f3f97ec52c80dbf933a057ee236b4d2c87b69b1457aef69badcad

Download Submit
\Users\Admin\AppData\Local\Temp\kzkKVcIk.txt
Filesize
122KB

MD5
c296bbf9e01451686f9aaf2b1570d592

SHA1
dc79c263fb5b99e7cde75c1c6b6f40e6354150c2

SHA256
696c1bcc74a4d081244c47530f48aa91d34513a97a1a415c96fafe7672d22c2d

SHA512
9b6b8dd52bade30c7f735196ce10bb5b3c225fb58f4711968567b77594864a8d4ab006ea312f3f97ec52c80dbf933a057ee236b4d2c87b69b1457aef69badcad

Download Submit
memory/980-65-0x00000000001A0000-0x00000000001AC000-memory.dmp

Filesize
48KB

Download
memory/980-57-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/980-56-0x0000000000000000-mapping.dmp

Download
memory/980-64-0x0000000000170000-0x0000000000179000-memory.dmp

Filesize
36KB

Download
memory/1940-54-0x000007FEFBA31000-0x000007FEFBA33000-memory.dmp

Filesize
8KB

Download
memory/2036-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2036-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2036-62-0x0000000000402960-mapping.dmp

Download
memory/2036-66-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2036-68-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2036-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing