hancitor | 0b22278ddb598d63f07eb983bcf307e0852cd3005c5bc15d4a4f26455562c8ec

General

Target

0524_4109399728218 (1).doc
Size

1.3MB
MD5

14f4c470c207e22c3b0a4efa7b4200e8
SHA1

21180195396580a9ade32b589490cf3bc94d3b5b
SHA256

0b22278ddb598d63f07eb983bcf307e0852cd3005c5bc15d4a4f26455562c8ec
SHA512

4adc4275a9105bf94bdce4b9d5821026d99a4adf16579b1b2b23495efbd55cc7bc90a129248a9902c7c75828eac9ac665c8a34c203b428748d9f7b8a80b76823
SSDEEP

24576:nEIjrPUaphvGvGUZ93/semhXp7AsWIKHaY8k5faaboEy6r8zz1:n/jhvGvGU93097AFIKbv0WY/1

Score

10^/10

hancitor 2405_pin43 downloader

Malware Config

Extracted

Family

hancitor

Botnet

2405_pin43

C2

http://thowerteigime.com/8/forum.php

http://euvereginumet.ru/8/forum.php

http://rhopulforopme.ru/8/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2808	2336	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

48 752 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

752 rundll32.exe
752 rundll32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

47 api.ipify.org

flow	pid	process
48	752	rundll32.exe

pid	process
752	rundll32.exe
752	rundll32.exe

flow	ioc
47	api.ipify.org

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{1159AA7B-44BA-41C2-96FB-0E2F3B99A69B}\jax.k:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2336 WINWORD.EXE
2336 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

752 rundll32.exe
752 rundll32.exe

pid	process
752	rundll32.exe
752	rundll32.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

WINWORD.EXE

pid	process
2336	WINWORD.EXE
2336	WINWORD.EXE
2336	WINWORD.EXE
2336	WINWORD.EXE
2336	WINWORD.EXE
2336	WINWORD.EXE
2336	WINWORD.EXE
2336	WINWORD.EXE
2336	WINWORD.EXE
2336	WINWORD.EXE
2336	WINWORD.EXE
2336	WINWORD.EXE
2336	WINWORD.EXE
2336	WINWORD.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

WINWORD.EXErundll32.exe

description	pid	process	target process
PID 2336 wrote to memory of 1404	2336	WINWORD.EXE	splwow64.exe
PID 2336 wrote to memory of 1404	2336	WINWORD.EXE	splwow64.exe
PID 2336 wrote to memory of 2808	2336	WINWORD.EXE	rundll32.exe
PID 2336 wrote to memory of 2808	2336	WINWORD.EXE	rundll32.exe
PID 2808 wrote to memory of 752	2808	rundll32.exe	rundll32.exe
PID 2808 wrote to memory of 752	2808	rundll32.exe	rundll32.exe
PID 2808 wrote to memory of 752	2808	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0524_4109399728218 (1).doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1404
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32.exe c:\users\admin\appdata\roaming\microsoft\word\startup\ket.t,EUAYKIYBPAX
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe c:\users\admin\appdata\roaming\microsoft\word\startup\ket.t,EUAYKIYBPAX
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ket.t

Filesize
704KB

MD5
9dc6f214fc82d637de2f68f3c519d339

SHA1
aaa425f7377d405bea59b8adfb65afc0c8869886

SHA256
2a8b737a4752060a308c4312b7c0cf6c05cde5b370906286dea9cdd36f5aa613

SHA512
5cb0a6f3ab48e5127d5c9f638c035dd4b3a97f3eb31334d5bc3eeafc164b31540fea65d6e40abfac8566676c43e954f567dbc2af81a629b4059af7e466d75bef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ket.t

Filesize
704KB

MD5
9dc6f214fc82d637de2f68f3c519d339

SHA1
aaa425f7377d405bea59b8adfb65afc0c8869886

SHA256
2a8b737a4752060a308c4312b7c0cf6c05cde5b370906286dea9cdd36f5aa613

SHA512
5cb0a6f3ab48e5127d5c9f638c035dd4b3a97f3eb31334d5bc3eeafc164b31540fea65d6e40abfac8566676c43e954f567dbc2af81a629b4059af7e466d75bef

Download Submit
\??\c:\users\admin\appdata\roaming\microsoft\word\startup\ket.t

Filesize
704KB

MD5
9dc6f214fc82d637de2f68f3c519d339

SHA1
aaa425f7377d405bea59b8adfb65afc0c8869886

SHA256
2a8b737a4752060a308c4312b7c0cf6c05cde5b370906286dea9cdd36f5aa613

SHA512
5cb0a6f3ab48e5127d5c9f638c035dd4b3a97f3eb31334d5bc3eeafc164b31540fea65d6e40abfac8566676c43e954f567dbc2af81a629b4059af7e466d75bef

Download Submit
memory/752-153-0x0000000002440000-0x000000000244A000-memory.dmp

Filesize
40KB

Download
memory/752-152-0x0000000000A40000-0x0000000000A48000-memory.dmp

Filesize
32KB

Download
memory/752-151-0x0000000002440000-0x000000000244A000-memory.dmp

Filesize
40KB

Download
memory/752-150-0x0000000000A40000-0x0000000000A48000-memory.dmp

Filesize
32KB

Download
memory/752-149-0x00000000022F0000-0x00000000023A4000-memory.dmp

Filesize
720KB

Download
memory/752-146-0x0000000000000000-mapping.dmp

Download
memory/1404-139-0x0000000000000000-mapping.dmp

Download
memory/2336-138-0x00007FF8D50A0000-0x00007FF8D50B0000-memory.dmp

Filesize
64KB

Download
memory/2336-137-0x00007FF8D50A0000-0x00007FF8D50B0000-memory.dmp

Filesize
64KB

Download
memory/2336-158-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp

Filesize
64KB

Download
memory/2336-142-0x000001E93B881000-0x000001E93B8D9000-memory.dmp

Filesize
352KB

Download
memory/2336-141-0x000001E93B881000-0x000001E93B8D9000-memory.dmp

Filesize
352KB

Download
memory/2336-140-0x000001E93B881000-0x000001E93B8D9000-memory.dmp

Filesize
352KB

Download
memory/2336-132-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp

Filesize
64KB

Download
memory/2336-143-0x000001E93B881000-0x000001E93B8D9000-memory.dmp

Filesize
352KB

Download
memory/2336-136-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp

Filesize
64KB

Download
memory/2336-135-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp

Filesize
64KB

Download
memory/2336-134-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp

Filesize
64KB

Download
memory/2336-133-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp

Filesize
64KB

Download
memory/2336-155-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp

Filesize
64KB

Download
memory/2336-156-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp

Filesize
64KB

Download
memory/2336-157-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp

Filesize
64KB

Download
memory/2808-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads