Malware Analysis Report

2024-10-23 17:28

Sample ID 221108-mmqh9acba6
Target a997a35a48fc1995021575fbacc996fa6e5d04dab8dc947b9c97199e3f6b84d7
SHA256 a997a35a48fc1995021575fbacc996fa6e5d04dab8dc947b9c97199e3f6b84d7
Tags
hancitor 0512_54355435 downloader
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

a997a35a48fc1995021575fbacc996fa6e5d04dab8dc947b9c97199e3f6b84d7

Threat Level: Known bad

The file a997a35a48fc1995021575fbacc996fa6e5d04dab8dc947b9c97199e3f6b84d7 was found to be: Known bad.

Malicious Activity Summary

hancitor 0512_54355435 downloader

Process spawned unexpected child process

Hancitor

Loads dropped DLL

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-08 10:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-08 10:35

Reported

2022-11-09 12:48

Platform

win7-20220812-en

Max time kernel

71s

Max time network

229s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4696233109873277.vbs"

Signatures

Hancitor

downloader hancitor

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | N/A | C:\Windows\system32\regsvr32.exe

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1756 set thread context of 2016 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\svchost.exe

PID 1756 is the 32-bit regsvr32.exe that loaded xgbgSR.txt; PID 2016 is the 32-bit svchost.exe whose thread context it set. Memory dumps for both PIDs are listed under Files.

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4696233109873277.vbs"

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\xgbgSR.txt

C:\Windows\SysWOW64\regsvr32.exe

-s C:\Users\Admin\AppData\Local\Temp\xgbgSR.txt

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe
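Detection logic for the chain shown above: WScript.exe runs the .vbs, regsvr32.exe appears as a child of wmiprvse.exe (WMI process creation), and regsvr32 is told to load a module with a .txt extension from the user's Temp directory. This is an added example and not part of the sandbox report; the process-creation records in it are constructed to mirror the behavioral1 tree, the PIDs are invented, and the field names only follow Sysmon Event ID 1 naming.

```python
"""Flag the regsvr32 loader chain from the process list above.

Added detection example, not part of the sandbox report. Event records
are constructed to mirror the behavioral1 process tree; field names
follow Sysmon Event ID 1 (ProcessCreate) naming and the PIDs are made up.
"""
import ntpath
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Module extensions regsvr32 is normally asked to register. A renamed
# DLL such as xgbgSR.txt in this report falls outside this set.
COM_EXTENSIONS = {".dll", ".ocx", ".ax"}

# Parents that should not be launching regsvr32 on a workstation. The
# report's chain is WScript.exe -> WMI -> wmiprvse.exe -> regsvr32.exe.
SUSPICIOUS_PARENTS = {"wmiprvse.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "winword.exe", "excel.exe"}


@dataclass
class ProcessCreate:
    pid: int
    image: str
    command_line: str
    parent_image: str


def regsvr32_target(command_line: str) -> Optional[str]:
    """Return the module path regsvr32 was told to load, or None.

    Handles both forms seen in the report: a full command line
    ("regsvr32.exe -s <path>") and the argument-only line the 64-bit
    regsvr32 hands to its 32-bit child ("-s <path>").
    """
    try:
        argv = shlex.split(command_line, posix=False)  # non-posix: keep Windows backslashes
    except ValueError:
        return None
    for arg in argv:
        if arg.startswith(("/", "-")):          # switches: /s, -s, /u, /i:..., /n
            continue
        value = arg.strip('"')
        if ntpath.basename(value).lower() == "regsvr32.exe":
            continue                            # the program name itself
        return value
    return None


def findings(ev: ProcessCreate) -> List[str]:
    """Return human-readable reasons this ProcessCreate event is suspicious."""
    hits: List[str] = []
    if ntpath.basename(ev.image).lower() != "regsvr32.exe":
        return hits
    parent = ntpath.basename(ev.parent_image).lower()
    if parent in SUSPICIOUS_PARENTS:
        hits.append(f"regsvr32 (pid {ev.pid}) spawned by {parent}")
    target = regsvr32_target(ev.command_line)
    if target is not None:
        ext = ntpath.splitext(target)[1].lower()
        if ext not in COM_EXTENSIONS:
            hits.append(f"regsvr32 (pid {ev.pid}) loading module with extension {ext!r}: {target}")
        if "\\appdata\\local\\temp\\" in target.lower():
            hits.append(f"regsvr32 (pid {ev.pid}) loading module from user Temp: {target}")
    return hits


def scan(events: List[ProcessCreate]) -> Dict[int, List[str]]:
    """Map PID -> findings for every event that produced at least one."""
    result: Dict[int, List[str]] = {}
    for ev in events:
        hits = findings(ev)
        if hits:
            result[ev.pid] = hits
    return result


# Constructed events (PIDs invented) mirroring the report's behavioral1 tree,
# plus one benign regsvr32 use (installer registering a vendor DLL) that must not fire.
SAMPLE_EVENTS = [
    ProcessCreate(4100, r"C:\Windows\System32\WScript.exe",
                  r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4696233109873277.vbs"',
                  r"C:\Windows\explorer.exe"),
    ProcessCreate(4200, r"C:\Windows\system32\regsvr32.exe",
                  r"regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\xgbgSR.txt",
                  r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcessCreate(4300, r"C:\Windows\SysWOW64\regsvr32.exe",
                  r"-s C:\Users\Admin\AppData\Local\Temp\xgbgSR.txt",
                  r"C:\Windows\system32\regsvr32.exe"),
    ProcessCreate(4400, r"C:\Windows\system32\regsvr32.exe",
                  r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"',
                  r"C:\Windows\system32\msiexec.exe"),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        for hit in hits:
            print(hit)
```

The 64-bit regsvr32.exe re-launching the SysWOW64 copy for a 32-bit module is a normal hand-off, so the parent check alone does not fire on the second regsvr32; the extension and Temp-path checks still catch it, which is why all three conditions are reported separately rather than folded into one score.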

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp
US 8.8.8.8:53 furnandol.com udp
US 8.8.8.8:53 rashomedz.ru udp
US 8.8.8.8:53 blyineveng.ru udp
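In this run api.ipify.org was resolved and then contacted over TCP port 80, while furnandol.com, rashomedz.ru and blyineveng.ru were only queried over DNS and never connected to, so the report contains no traffic to those names beyond the lookups. The following added example (not part of the report) parses rows in the table's own layout and performs that correlation; the rows embedded in it are copied from the table above, and the list of IP-check service names is an assumption.

```python
"""Correlate the DNS and TCP rows of a sandbox Network table.

Added example, not part of the sandbox report. Parses rows in the
"Country Destination Domain Proto" layout, joins each domain's DNS
queries with any non-DNS connection, and reports which names produced
real traffic. BEHAVIORAL1_NETWORK is copied from the report's table;
IP_CHECK_SERVICES is an assumed list used for labelling only.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Public "what is my IP" services. A lookup of one of these is what the
# "Looks up external IP address via web service" signature reports.
IP_CHECK_SERVICES = {"api.ipify.org", "ipinfo.io", "icanhazip.com",
                     "checkip.amazonaws.com"}

# Rows copied from the behavioral1 Network table above.
BEHAVIORAL1_NETWORK = """\
Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp
US 8.8.8.8:53 furnandol.com udp
US 8.8.8.8:53 rashomedz.ru udp
US 8.8.8.8:53 blyineveng.ru udp
"""


@dataclass
class NetRow:
    country: str
    host: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(table: str) -> List[NetRow]:
    """Parse the table; rows without a Domain value have three fields (or '-')."""
    rows: List[NetRow] = []
    for line in table.strip().splitlines():
        parts = line.split()
        if parts[0] == "Country":          # header row
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        if domain == "-":
            domain = None
        host, port = dest.rsplit(":", 1)
        rows.append(NetRow(country, host, int(port), domain, proto.lower()))
    return rows


def classify_domains(rows: List[NetRow]) -> Dict[str, Dict[str, object]]:
    """Map each domain to 'connected' or 'dns-only', with the endpoints reached."""
    seen = defaultdict(lambda: {"dns": False, "connections": []})
    for r in rows:
        if r.domain is None:
            continue
        if r.proto == "udp" and r.port == 53:
            seen[r.domain]["dns"] = True
        else:
            seen[r.domain]["connections"].append(f"{r.host}:{r.port}/{r.proto}")
    report: Dict[str, Dict[str, object]] = {}
    for domain, info in seen.items():
        if info["connections"]:
            status = "connected"
        elif info["dns"]:
            status = "dns-only"
        else:
            status = "unknown"
        report[domain] = {"status": status,
                          "connections": info["connections"],
                          "ip_check_service": domain in IP_CHECK_SERVICES}
    return report


def candidate_c2(rows: List[NetRow]) -> List[str]:
    """Domains the sample asked for that are not IP-check services, whatever their status."""
    return sorted(d for d, info in classify_domains(rows).items()
                  if not info["ip_check_service"])


if __name__ == "__main__":
    for domain, info in classify_domains(parse_rows(BEHAVIORAL1_NETWORK)).items():
        print(domain, info["status"], info["connections"])
```

A dns-only name still belongs on a blocklist; it only means the loader did not get an answer it could use during the 229 seconds of network time this run allowed.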

Files

memory/584-54-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xgbgSR.txt

MD5 61fa5854baab95fc806ae0624ae959af
SHA1 439e45aaccd519fba7f678d3122521bc0f63b770
SHA256 0d158e3bc017d3bacc63a36c35272721586db6c31689ee95125a1e617480217b
SHA512 6ab8ef2e655940b8593860162df3e3691d582506ed682d43b253dd03415f972359b820c9db9aa3fde0d2114819e8fcae8898e045d5eeab6da44aaa4de165d6d4

memory/1756-56-0x0000000000000000-mapping.dmp

memory/1756-57-0x0000000076121000-0x0000000076123000-memory.dmp

\Users\Admin\AppData\Local\Temp\xgbgSR.txt

MD5 61fa5854baab95fc806ae0624ae959af
SHA1 439e45aaccd519fba7f678d3122521bc0f63b770
SHA256 0d158e3bc017d3bacc63a36c35272721586db6c31689ee95125a1e617480217b
SHA512 6ab8ef2e655940b8593860162df3e3691d582506ed682d43b253dd03415f972359b820c9db9aa3fde0d2114819e8fcae8898e045d5eeab6da44aaa4de165d6d4

memory/1756-59-0x0000000000170000-0x00000000001F0000-memory.dmp

memory/2016-60-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2016-62-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2016-63-0x0000000000402960-mapping.dmp

memory/2016-65-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2016-67-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2016-68-0x0000000000400000-0x0000000000409000-memory.dmp
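The dumps for PID 2016 cover 0x400000-0x409000 in the svchost.exe that regsvr32.exe (PID 1756) targeted with SetThreadContext in the signatures above, and the mapping dump at 0x402960 lies inside that region. The following is an added example, not part of the report: it parses dump file names in the report's format and a PE header, then checks whether the embedded image's SizeOfImage fits the region and whether its ImageBase equals the region start. No bytes from the real dumps are available here, so build_sample_image() constructs a header whose ImageBase 0x400000, SizeOfImage 0x9000 and entry RVA 0x2960 are assumptions chosen to match the dump names.

```python
"""Check a dumped memory region against the PE header it contains.

Added example, not part of the sandbox report. Parses dump names of the
form memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp and a PE header, and
reports whether the image fits the region and is based at its start.
The header bytes come from build_sample_image(); its ImageBase,
SizeOfImage and entry RVA are assumptions matching the PID 2016 dumps.
"""
import re
import struct
from typing import Dict, Optional, Tuple

DUMP_NAME = re.compile(
    r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B


def parse_dump_name(name: str) -> Optional[Tuple[int, int, int]]:
    """Return (pid, region_start, region_end), or None for mapping dumps."""
    m = DUMP_NAME.match(name)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)


def pe_summary(buf: bytes) -> Dict[str, object]:
    """Parse the DOS and NT headers and return the fields the region check needs."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, _opt_size, _ = struct.unpack_from(
        "<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24                                  # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", buf, opt)
    (entry_rva,) = struct.unpack_from("<I", buf, opt + 16)  # AddressOfEntryPoint
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        (image_base,) = struct.unpack_from("<I", buf, opt + 28)
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        (image_base,) = struct.unpack_from("<Q", buf, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (size_of_image,) = struct.unpack_from("<I", buf, opt + 56)  # same offset in PE32 and PE32+
    return {"machine": machine, "sections": nsections,
            "is_64bit": magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC,
            "image_base": image_base, "entry_rva": entry_rva,
            "size_of_image": size_of_image}


def assess_region(dump_name: str, buf: bytes) -> Dict[str, object]:
    """Compare the PE header in buf with the region bounds encoded in dump_name."""
    parsed = parse_dump_name(dump_name)
    if parsed is None:
        raise ValueError("not a region dump name")
    pid, start, end = parsed
    pe = pe_summary(buf)
    region_size = end - start
    return {
        "pid": pid,
        "region_size": region_size,
        "fits_region": pe["size_of_image"] <= region_size,
        "base_matches_region": pe["image_base"] == start,
        "entry_va": pe["image_base"] + pe["entry_rva"],
    }


def build_sample_image(image_base: int = 0x400000, size_of_image: int = 0x9000,
                       entry_rva: int = 0x2960) -> bytes:
    """Construct a minimal PE32 header (headers only, no code); values are assumed."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # Machine=IMAGE_FILE_MACHINE_I386, 1 section, SizeOfOptionalHeader=0xE0,
    # Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x98
    struct.pack_into("<H", img, opt, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", img, opt + 16, entry_rva)         # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, image_base)        # ImageBase (PE32)
    struct.pack_into("<I", img, opt + 56, size_of_image)     # SizeOfImage
    return bytes(img)


if __name__ == "__main__":
    name = "memory/2016-60-0x0000000000400000-0x0000000000409000-memory.dmp"
    print(assess_region(name, build_sample_image()))
```

To run this against a real dump, read the .dmp file into buf and pass its name and contents to assess_region(). A region whose header carries an ImageBase equal to the region start, a SizeOfImage that exactly fills it, and an entry point at the address of a mapping dump is the shape an injected or hollowed image takes; a header whose SizeOfImage exceeds the region means the dump is partial and the rest must be carved from neighbouring regions.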

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-08 10:35

Reported

2022-11-09 12:46

Platform

win10v2004-20220901-en

Max time kernel

91s

Max time network

127s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4696233109873277.vbs"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | N/A | C:\Windows\system32\regsvr32.exe

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2108 wrote to memory of 3724 (reported 3 times) | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

The writer and target are the 64-bit regsvr32.exe and the 32-bit (SysWOW64) regsvr32.exe it launched for the same module, the parent/child pair shown under Processes. Unlike behavioral1, this run records no SetThreadContext and no svchost.exe target.

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4696233109873277.vbs"

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\xgbgSR.txt

C:\Windows\SysWOW64\regsvr32.exe

-s C:\Users\Admin\AppData\Local\Temp\xgbgSR.txt

Network

Country Destination Domain Proto
US 93.184.221.240:80 - tcp
US 20.189.173.1:443 - tcp
NL 87.248.202.1:80 - tcp
US 93.184.221.240:80 - tcp

Files

C:\Users\Admin\AppData\Local\Temp\xgbgSR.txt

MD5 61fa5854baab95fc806ae0624ae959af
SHA1 439e45aaccd519fba7f678d3122521bc0f63b770
SHA256 0d158e3bc017d3bacc63a36c35272721586db6c31689ee95125a1e617480217b
SHA512 6ab8ef2e655940b8593860162df3e3691d582506ed682d43b253dd03415f972359b820c9db9aa3fde0d2114819e8fcae8898e045d5eeab6da44aaa4de165d6d4

memory/3724-133-0x0000000000000000-mapping.dmp
