Analysis
max time kernel
151s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags
arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted
01-08-2022 15:24
Static task
static1
Behavioral task
behavioral1
Sample
5c30867e49e1350f29abaf39bfc847aa7fed196c250b82125f71b7e0e06211df.dll
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
5c30867e49e1350f29abaf39bfc847aa7fed196c250b82125f71b7e0e06211df.dll
Resource
win10v2004-20220721-en
General
Target
5c30867e49e1350f29abaf39bfc847aa7fed196c250b82125f71b7e0e06211df.dll
Size
146KB
MD5
2789d8ecc091ca006e426a9db9361d7d
SHA1
9c33b1d66a6000119348cf61fa774d7769449456
SHA256
5c30867e49e1350f29abaf39bfc847aa7fed196c250b82125f71b7e0e06211df
SHA512
a782b451ff592be6cb78af5dafbdb41d172e5f1422a5b63943dd03782d8c31c746429ddfaa61b54460effc0a14d544fae72ebb35734afa69c71634310046ff4b
Malware Config
Extracted
Family
hancitor
Build
1012_3278324
C2
http://lappoing.com/4/forum.php
http://theirchus.ru/4/forum.php
http://andalicur.ru/4/forum.php
Signatures
Hancitor
Hancitor is a downloader used to deliver other malware families.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
19    api.ipify.org
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid  process       target process
PID 632 set thread context of 2264   632  rundll32.exe  svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
2264  svchost.exe
2264  svchost.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description                        pid   process       target process
PID 4292 wrote to memory of 632    4292  rundll32.exe  rundll32.exe
PID 4292 wrote to memory of 632    4292  rundll32.exe  rundll32.exe
PID 4292 wrote to memory of 632    4292  rundll32.exe  rundll32.exe
PID 632 wrote to memory of 2264    632   rundll32.exe  svchost.exe
PID 632 wrote to memory of 2264    632   rundll32.exe  svchost.exe
PID 632 wrote to memory of 2264    632   rundll32.exe  svchost.exe
PID 632 wrote to memory of 2264    632   rundll32.exe  svchost.exe
PID 632 wrote to memory of 2264    632   rundll32.exe  svchost.exe
Processes
C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c30867e49e1350f29abaf39bfc847aa7fed196c250b82125f71b7e0e06211df.dll,#1
    PID: 4292
    - Suspicious use of WriteProcessMemory
    └─ C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c30867e49e1350f29abaf39bfc847aa7fed196c250b82125f71b7e0e06211df.dll,#1
        PID: 632
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        └─ C:\Windows\SysWOW64\svchost.exe
            command line: C:\Windows\System32\svchost.exe
            PID: 2264
            - Suspicious behavior: EnumeratesProcesses
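The signature tables and the process tree above describe one chain: the SysWOW64 rundll32.exe (PID 632) spawns svchost.exe (PID 2264), writes into it and then sets its thread context, after which svchost.exe is the process doing the work (enumerating processes). The following script is an added example, not part of the sandbox report or the sandbox vendor's tooling: it reconstructs that chain and the network IOCs from the report's own rows and applies the two host-side checks an analyst would turn into detections. The PIDs, image paths, C2 URLs and IP-lookup host are copied from the report; the event layout, the absence of timestamps, and the heuristics (write-then-SetThreadContext into a self-spawned child, svchost.exe not parented by services.exe) are assumptions of this example.

```python
"""Reconstruct the injection chain and network IOCs from the sandbox report above.

Added example; not part of the report or of the sandbox vendor's tooling.
PIDs, image paths, C2 URLs and the IP-lookup host are copied from the report;
the data layout and the detection heuristics are this example's assumptions.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Process tree from the report: pid -> (image path, parent pid); the root has no parent.
PROCESSES = {
    4292: (r"C:\Windows\system32\rundll32.exe", None),
    632: (r"C:\Windows\SysWOW64\rundll32.exe", 4292),
    2264: (r"C:\Windows\SysWOW64\svchost.exe", 632),
}

# API events constructed from the report's signature tables: (api, source pid, target pid).
# The report gives counts, not timestamps, so the order below is an assumption.
EVENTS = [
    ("WriteProcessMemory", 4292, 632),
    ("WriteProcessMemory", 4292, 632),
    ("WriteProcessMemory", 4292, 632),
    ("WriteProcessMemory", 632, 2264),
    ("WriteProcessMemory", 632, 2264),
    ("WriteProcessMemory", 632, 2264),
    ("WriteProcessMemory", 632, 2264),
    ("WriteProcessMemory", 632, 2264),
    ("SetThreadContext", 632, 2264),
]

# Extracted Hancitor C2 list (Malware Config section) and the IP-lookup flow.
C2_URLS = [
    "http://lappoing.com/4/forum.php",
    "http://theirchus.ru/4/forum.php",
    "http://andalicur.ru/4/forum.php",
]
IP_LOOKUP_HOSTS = {"api.ipify.org"}


def image_name(processes, pid):
    """Lower-cased basename of a process image, e.g. 'svchost.exe'."""
    return processes[pid][0].rsplit("\\", 1)[-1].lower()


def find_hollowing(processes, events):
    """(injector pid, target pid) pairs where a process spawned a child, wrote into
    it and set a thread context in it: the hollowing sequence of writing a payload
    image and repointing the child's thread before the child runs its own code.
    The 4292 -> 632 writes have no SetThreadContext and are not flagged; a parent
    writing into a child it just created is not evidence of hollowing by itself."""
    writes = defaultdict(int)
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
    hits = []
    for api, src, dst in events:
        if api != "SetThreadContext":
            continue
        spawned_by_src = processes.get(dst, (None, None))[1] == src
        if spawned_by_src and writes[(src, dst)] > 0 and (src, dst) not in hits:
            hits.append((src, dst))
    return hits


def orphan_svchost(processes):
    """svchost.exe instances whose parent is not services.exe. Service hosts are
    started by services.exe, so a rundll32.exe parent is an indicator on its own."""
    return [
        pid
        for pid, (_, ppid) in processes.items()
        if image_name(processes, pid) == "svchost.exe"
        and (ppid is None or image_name(processes, ppid) != "services.exe")
    ]


def c2_hosts(urls):
    """Distinct C2 hostnames, sorted, for a DNS or proxy blocklist."""
    return sorted({urlparse(u).hostname for u in urls})


def shared_c2_path(urls):
    """The URL path every C2 entry shares, or None. When the domains rotate,
    the shared path is the part of the beacon worth matching at the proxy."""
    paths = {urlparse(u).path for u in urls}
    return paths.pop() if len(paths) == 1 else None


def summarize(processes=PROCESSES, events=EVENTS, urls=C2_URLS):
    """One structured verdict over the report's data."""
    chain = find_hollowing(processes, events)
    return {
        "hollowing": [(image_name(processes, s), s, image_name(processes, d), d) for s, d in chain],
        "orphan_svchost": orphan_svchost(processes),
        "c2_hosts": c2_hosts(urls),
        "c2_path": shared_c2_path(urls),
        "ip_lookup": sorted(IP_LOOKUP_HOSTS),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Run as-is, it reports the single hollowing pair rundll32.exe (632) into svchost.exe (2264), flags 2264 as an svchost.exe not parented by services.exe, and yields the three C2 hosts plus the shared path /4/forum.php. The 64-bit system32 rundll32.exe spawning a SysWOW64 rundll32.exe is consistent with a 32-bit DLL being handed to the 64-bit loader (the resource tags list both arch:x86 and arch:x64), which is why the tree starts with two rundll32.exe processes.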