Analysis
max time kernel: 150s
max time network: 159s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 01-08-2022 15:24
Static task: static1
Behavioral task: behavioral1
  Sample: 5c30867e49e1350f29abaf39bfc847aa7fed196c250b82125f71b7e0e06211df.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 5c30867e49e1350f29abaf39bfc847aa7fed196c250b82125f71b7e0e06211df.dll
  Resource: win10v2004-20220721-en
General
Target: 5c30867e49e1350f29abaf39bfc847aa7fed196c250b82125f71b7e0e06211df.dll
Size: 146KB
MD5: 2789d8ecc091ca006e426a9db9361d7d
SHA1: 9c33b1d66a6000119348cf61fa774d7769449456
SHA256: 5c30867e49e1350f29abaf39bfc847aa7fed196c250b82125f71b7e0e06211df
SHA512: a782b451ff592be6cb78af5dafbdb41d172e5f1422a5b63943dd03782d8c31c746429ddfaa61b54460effc0a14d544fae72ebb35734afa69c71634310046ff4b
Malware Config
Extracted
hancitor
1012_3278324
http://lappoing.com/4/forum.php
http://theirchus.ru/4/forum.php
http://andalicur.ru/4/forum.php
Signatures

Hancitor
Hancitor is a downloader used to deliver other malware families.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  4     api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
Processes: rundll32.exe
  description                          pid   process       target process
  PID 2044 set thread context of 1380  2044  rundll32.exe  svchost.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: svchost.exe
  pid   process
  1380  svchost.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes: rundll32.exe, rundll32.exe
  description                       pid   process       target process
  PID 820 wrote to memory of 2044   820   rundll32.exe  rundll32.exe
  PID 820 wrote to memory of 2044   820   rundll32.exe  rundll32.exe
  PID 820 wrote to memory of 2044   820   rundll32.exe  rundll32.exe
  PID 820 wrote to memory of 2044   820   rundll32.exe  rundll32.exe
  PID 820 wrote to memory of 2044   820   rundll32.exe  rundll32.exe
  PID 820 wrote to memory of 2044   820   rundll32.exe  rundll32.exe
  PID 820 wrote to memory of 2044   820   rundll32.exe  rundll32.exe
  PID 2044 wrote to memory of 1380  2044  rundll32.exe  svchost.exe
  PID 2044 wrote to memory of 1380  2044  rundll32.exe  svchost.exe
  PID 2044 wrote to memory of 1380  2044  rundll32.exe  svchost.exe
  PID 2044 wrote to memory of 1380  2044  rundll32.exe  svchost.exe
  PID 2044 wrote to memory of 1380  2044  rundll32.exe  svchost.exe
  PID 2044 wrote to memory of 1380  2044  rundll32.exe  svchost.exe
Processes
  C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c30867e49e1350f29abaf39bfc847aa7fed196c250b82125f71b7e0e06211df.dll,#1
    - Suspicious use of WriteProcessMemory
    PID: 820
    C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c30867e49e1350f29abaf39bfc847aa7fed196c250b82125f71b7e0e06211df.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 2044
      C:\Windows\SysWOW64\svchost.exe
        C:\Windows\System32\svchost.exe
        - Suspicious behavior: EnumeratesProcesses
        PID: 1380