hancitor | 57b8fd07105b7053c150c5e228607f5eaf896996e0530cf71246ce8cda59f19b

Analysis

max time kernel
44s
max time network
142s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
24-07-2022 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HAV_388323793314316.vbs
Size

823KB
MD5

d1adedc9554d952db4e8277ded9070f1
SHA1

71d96853e7a7ac197cf9930ecae348e91bebcfbf
SHA256

8c077bb379c38ab73289605c3d36a8b23df04fc785754ad03efd1c3cd02c1ed2
SHA512

cfcf1e91357a7e6d73329bc28fb217189b88dde386ee6a1c9d0cf8e9ab79774b4d72b4294b77c430db84d1e6d77126d4823a190b10375a049e834595c4f9c3c3

Score

10^/10

hancitor 0312_7834534 downloader

Malware Config

Extracted

Family

hancitor

Botnet

0312_7834534

http://wintroperly.com/4/forum.php

http://thatimine.ru/4/forum.php

http://lardershe.ru/4/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1244	regsvr32.exe	27

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid	Process
980	regsvr32.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description	pid	Process	procid_target
PID 980 set thread context of 2036	980	regsvr32.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

svchost.exe

pid	Process
2036	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WScript.exe

pid	Process
1672	WScript.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	Process	procid_target
PID 1940 wrote to memory of 980	1940	regsvr32.exe	29
PID 1940 wrote to memory of 980	1940	regsvr32.exe	29
PID 1940 wrote to memory of 980	1940	regsvr32.exe	29
PID 1940 wrote to memory of 980	1940	regsvr32.exe	29
PID 1940 wrote to memory of 980	1940	regsvr32.exe	29
PID 1940 wrote to memory of 980	1940	regsvr32.exe	29
PID 1940 wrote to memory of 980	1940	regsvr32.exe	29
PID 980 wrote to memory of 2036	980	regsvr32.exe	30
PID 980 wrote to memory of 2036	980	regsvr32.exe	30
PID 980 wrote to memory of 2036	980	regsvr32.exe	30
PID 980 wrote to memory of 2036	980	regsvr32.exe	30
PID 980 wrote to memory of 2036	980	regsvr32.exe	30
PID 980 wrote to memory of 2036	980	regsvr32.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HAV_388323793314316.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1672

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\kzkKVcIk.txt
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\regsvr32.exe
  -s C:\Users\Admin\AppData\Local\Temp\kzkKVcIk.txt
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kzkKVcIk.txt

Filesize
122KB

MD5
c296bbf9e01451686f9aaf2b1570d592

SHA1
dc79c263fb5b99e7cde75c1c6b6f40e6354150c2

SHA256
696c1bcc74a4d081244c47530f48aa91d34513a97a1a415c96fafe7672d22c2d

SHA512
9b6b8dd52bade30c7f735196ce10bb5b3c225fb58f4711968567b77594864a8d4ab006ea312f3f97ec52c80dbf933a057ee236b4d2c87b69b1457aef69badcad

Download Submit
\Users\Admin\AppData\Local\Temp\kzkKVcIk.txt

Filesize
122KB

MD5
c296bbf9e01451686f9aaf2b1570d592

SHA1
dc79c263fb5b99e7cde75c1c6b6f40e6354150c2

SHA256
696c1bcc74a4d081244c47530f48aa91d34513a97a1a415c96fafe7672d22c2d

SHA512
9b6b8dd52bade30c7f735196ce10bb5b3c225fb58f4711968567b77594864a8d4ab006ea312f3f97ec52c80dbf933a057ee236b4d2c87b69b1457aef69badcad

Download Submit
memory/980-65-0x00000000001A0000-0x00000000001AC000-memory.dmp

Filesize
48KB

Download
memory/980-57-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/980-56-0x0000000000000000-mapping.dmp

Download
memory/980-64-0x0000000000170000-0x0000000000179000-memory.dmp

Filesize
36KB

Download
memory/1940-54-0x000007FEFBA31000-0x000007FEFBA33000-memory.dmp

Filesize
8KB

Download
memory/2036-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2036-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2036-62-0x0000000000402960-mapping.dmp

Download
memory/2036-66-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2036-68-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2036-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download