hancitor | a997a35a48fc1995021575fbacc996fa6e5d04dab8dc947b9c97199e3f6b84d7

General

Target

4696233109873277.vbs
Size

870KB
MD5

8e73555843a4d416c21103d61f550dd0
SHA1

3562e225fdd65276810cfcf9d168c616179af7c7
SHA256

8b9ca248a7c278592ff4096afb155b605cfb60d5559173bea494961b7ff7056e
SHA512

d898bdd95d591efbfe965fadbb2117b7d38ab9a241ea3b91dc4da3049b55d56c741aeb1f8814efbe589ebe2db0525ce8c6aef658ea31b0530d1b73adc59b832b
SSDEEP

24576:96lLg+R5WZdswPhE31UTfnPItO9wBRPnkDsWhwDRVV2Omn:x

Score

10^/10

hancitor 0512_54355435 downloader

Malware Config

Extracted

Family

hancitor

Botnet

0512_54355435

C2

http://furnandol.com/4/forum.php

http://rashomedz.ru/4/forum.php

http://blyineveng.ru/4/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 584 1936 regsvr32.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1756 regsvr32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 1756 set thread context of 2016 1756 regsvr32.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

svchost.exe

pid process

2016 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WScript.exe

pid process

316 WScript.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	1936	regsvr32.exe

pid	process
1756	regsvr32.exe

flow	ioc
4	api.ipify.org

description	pid	process	target process
PID 1756 set thread context of 2016	1756	regsvr32.exe	svchost.exe

pid	process
2016	svchost.exe

pid	process
316	WScript.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 584 wrote to memory of 1756	584	regsvr32.exe	regsvr32.exe
PID 584 wrote to memory of 1756	584	regsvr32.exe	regsvr32.exe
PID 584 wrote to memory of 1756	584	regsvr32.exe	regsvr32.exe
PID 584 wrote to memory of 1756	584	regsvr32.exe	regsvr32.exe
PID 584 wrote to memory of 1756	584	regsvr32.exe	regsvr32.exe
PID 584 wrote to memory of 1756	584	regsvr32.exe	regsvr32.exe
PID 584 wrote to memory of 1756	584	regsvr32.exe	regsvr32.exe
PID 1756 wrote to memory of 2016	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 2016	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 2016	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 2016	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 2016	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 2016	1756	regsvr32.exe	svchost.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4696233109873277.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:316

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\xgbgSR.txt
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:584
- C:\Windows\SysWOW64\regsvr32.exe
  -s C:\Users\Admin\AppData\Local\Temp\xgbgSR.txt
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xgbgSR.txt

Filesize
123KB

MD5
61fa5854baab95fc806ae0624ae959af

SHA1
439e45aaccd519fba7f678d3122521bc0f63b770

SHA256
0d158e3bc017d3bacc63a36c35272721586db6c31689ee95125a1e617480217b

SHA512
6ab8ef2e655940b8593860162df3e3691d582506ed682d43b253dd03415f972359b820c9db9aa3fde0d2114819e8fcae8898e045d5eeab6da44aaa4de165d6d4

Download Submit
\Users\Admin\AppData\Local\Temp\xgbgSR.txt

Filesize
123KB

MD5
61fa5854baab95fc806ae0624ae959af

SHA1
439e45aaccd519fba7f678d3122521bc0f63b770

SHA256
0d158e3bc017d3bacc63a36c35272721586db6c31689ee95125a1e617480217b

SHA512
6ab8ef2e655940b8593860162df3e3691d582506ed682d43b253dd03415f972359b820c9db9aa3fde0d2114819e8fcae8898e045d5eeab6da44aaa4de165d6d4

Download Submit
memory/584-54-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

Filesize
8KB

Download
memory/1756-56-0x0000000000000000-mapping.dmp

Download
memory/1756-57-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1756-59-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/2016-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2016-62-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2016-63-0x0000000000402960-mapping.dmp

Download
memory/2016-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2016-67-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2016-68-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing