Malware Analysis Report

2024-10-23 17:26

Sample ID  221114-lqlh2abf5x
Target     99c4b9083ed613bc38904eec3e37d24d3ca092067ee54e373cc3c8d6339857a6.zip
SHA256     6f200f4221984afde1d4e6d53ed639bdf321624445551fb33a60ee60635f9a76
Tags       hancitor 1907_hjfsd downloader
Score      10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score   10/10
SHA256  6f200f4221984afde1d4e6d53ed639bdf321624445551fb33a60ee60635f9a76

Threat Level: Known bad

The file 99c4b9083ed613bc38904eec3e37d24d3ca092067ee54e373cc3c8d6339857a6.zip was found to be: Known bad. The SHA256 above is that of the submitted archive; the sandbox extracted the DLL it contains (99c4b9083ed613bc38904eec3e37d24d3ca092067ee54e373cc3c8d6339857a6.dll) to %TEMP% and ran it through rundll32.exe, as the command lines below show.

Malicious Activity Summary

hancitor 1907_hjfsd downloader

Hancitor

Blocklisted process makes network request

Looks up external IP address via web service

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Both detonations show the same chain: the 64-bit rundll32.exe is told to load the DLL by ordinal (#1) and re-launches itself as SysWOW64\rundll32.exe, which hosts the 32-bit DLL; that process enumerates running processes, queries api.ipify.org for the victim's public IP, and issues DNS lookups for thervidolown.com, wiltuslads.ru and anithedtatione.ru. Neither run records a TCP connection to those three domains, so the sample did not reach its C2 during detonation, and the domains are IOCs on the strength of the DNS queries alone.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported  2022-11-14 09:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted         2022-11-14 09:44
Reported          2022-11-14 09:56
Platform          win7-20220812-en
Max time kernel   56s
Max time network  107s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\99c4b9083ed613bc38904eec3e37d24d3ca092067ee54e373cc3c8d6339857a6.dll,#1

Signatures

Hancitor

downloader hancitor

Blocklisted process makes network request

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Looks up external IP address via web service

Description  Indicator      Process  Target
N/A          api.ipify.org  N/A      N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\99c4b9083ed613bc38904eec3e37d24d3ca092067ee54e373cc3c8d6339857a6.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\99c4b9083ed613bc38904eec3e37d24d3ca092067ee54e373cc3c8d6339857a6.dll,#1

Network

Country  Destination      Domain             Proto
N/A      8.8.8.8:53       api.ipify.org      udp
N/A      52.20.78.240:80  api.ipify.org      tcp
N/A      8.8.8.8:53       thervidolown.com   udp
N/A      8.8.8.8:53       wiltuslads.ru      udp
N/A      8.8.8.8:53       anithedtatione.ru  udp

Files

memory/1792-54-0x0000000000000000-mapping.dmp

memory/1792-55-0x0000000076321000-0x0000000076323000-memory.dmp

memory/1792-56-0x0000000000160000-0x0000000000230000-memory.dmp

memory/1792-58-0x0000000000160000-0x000000000016A000-memory.dmp

memory/1792-59-0x0000000000160000-0x0000000000230000-memory.dmp

memory/1792-60-0x0000000000160000-0x0000000000230000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted         2022-11-14 09:44
Reported          2022-11-14 09:57
Platform          win10v2004-20220812-en
Max time kernel   152s
Max time network  160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\99c4b9083ed613bc38904eec3e37d24d3ca092067ee54e373cc3c8d6339857a6.dll,#1

Signatures

Hancitor

downloader hancitor

Blocklisted process makes network request

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Looks up external IP address via web service

Description  Indicator      Process  Target
N/A          api.ipify.org  N/A      N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                           Target
PID 2760 wrote to memory of 4304  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 2760 wrote to memory of 4304  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 2760 wrote to memory of 4304  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe

PID 2760 is the 64-bit rundll32.exe started by the sandbox and PID 4304 is the SysWOW64\rundll32.exe it launched with the same command line (see Processes). A 64-bit rundll32.exe asked to load a 32-bit DLL re-launches the SysWOW64 copy, and the creating process writes the new child's startup data into its address space; this signature records that parent-to-child write. It is evidence of the 64-bit to 32-bit handoff, not of injection into an unrelated process. The memory dumps under Files were taken from PID 4304, the process that actually hosts the DLL.

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\99c4b9083ed613bc38904eec3e37d24d3ca092067ee54e373cc3c8d6339857a6.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\99c4b9083ed613bc38904eec3e37d24d3ca092067ee54e373cc3c8d6339857a6.dll,#1

Network

Country  Destination         Domain             Proto
N/A      209.197.3.8:80      N/A                tcp
N/A      13.69.109.130:443   N/A                tcp
N/A      93.184.220.29:80    N/A                tcp
N/A      104.80.225.205:443  N/A                tcp
N/A      209.197.3.8:80      N/A                tcp
N/A      209.197.3.8:80      N/A                tcp
N/A      8.8.8.8:53          api.ipify.org      udp
N/A      52.20.78.240:80     api.ipify.org      tcp
N/A      8.8.8.8:53          thervidolown.com   udp
N/A      8.8.8.8:53          wiltuslads.ru      udp
N/A      8.8.8.8:53          anithedtatione.ru  udp

The four TCP destinations without a domain were not attributed to a hostname or a process by the sandbox and do not appear in the Windows 7 run. A Windows 10 image generates background traffic of its own, so these addresses cannot be tied to the sample from this report alone and should be treated as unconfirmed rather than as IOCs. The rows that match the Windows 7 run (the api.ipify.org lookup and the three DNS queries) are the sample's own activity.
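The Network tables of both detonations mix the sandbox's resolver, the external-IP lookup service, the sample's own DNS queries and unattributed connections, and only one of those groups belongs on a blocklist. The following added example (not part of the sandbox output) triages the rows as they appear in the report: it separates resolver traffic, the IP-lookup service, C2 candidate domains and unattributed addresses, flags domains that were only resolved and never connected to, and emits one Suricata DNS rule per C2 domain. The classification rules, the list of IP-lookup services and the sid range are assumptions of this example; the rows are copied from the two Network tables (absent Domain values written as N/A).

```python
"""IOC triage over the Network tables of both detonations.

Added example, not sandbox output. Rows are copied from the report; the
classification rules, lookup-service list and Suricata sid range are assumptions.
"""
import ipaddress

# Rows as printed in the report; rows the sandbox could not attribute to a
# hostname carry no Domain value (written here as N/A).
NETWORK_ROWS = """
N/A 209.197.3.8:80 N/A tcp
N/A 13.69.109.130:443 N/A tcp
N/A 93.184.220.29:80 N/A tcp
N/A 104.80.225.205:443 N/A tcp
N/A 209.197.3.8:80 N/A tcp
N/A 8.8.8.8:53 api.ipify.org udp
N/A 52.20.78.240:80 api.ipify.org tcp
N/A 8.8.8.8:53 thervidolown.com udp
N/A 8.8.8.8:53 wiltuslads.ru udp
N/A 8.8.8.8:53 anithedtatione.ru udp
"""

RESOLVERS = {"8.8.8.8"}          # the sandbox's DNS server, never an IOC
IP_LOOKUP = {"api.ipify.org"}    # victim-IP check, not C2 (assumed list)


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows; Domain may be absent or N/A."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 3:                       # Domain column missing entirely
            parts.insert(2, "N/A")
        if len(parts) != 4:
            raise ValueError(f"unexpected row: {line!r}")
        _country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"ip": str(ipaddress.ip_address(ip)), "port": int(port),
                     "domain": None if domain == "N/A" else domain.lower(),
                     "proto": proto.lower()})
    return rows


def triage(rows):
    """Split destinations into resolver, lookup service, C2 candidates and unattributed."""
    out = {"resolvers": set(), "lookup_ips": set(), "c2_domains": set(),
           "c2_ips": set(), "unattributed": set()}
    for r in rows:
        if r["ip"] in RESOLVERS and r["port"] == 53:
            out["resolvers"].add(r["ip"])
            if r["domain"] and r["domain"] not in IP_LOOKUP:
                out["c2_domains"].add(r["domain"])      # queried by the sample
        elif r["domain"] in IP_LOOKUP:
            out["lookup_ips"].add(r["ip"])
        elif r["domain"] is None:
            out["unattributed"].add(r["ip"])            # needs manual attribution
        else:
            out["c2_domains"].add(r["domain"])
            out["c2_ips"].add(r["ip"])                  # domain actually contacted
    # Domains that were only resolved, never connected to, during the run.
    connected = {r["domain"] for r in rows if r["domain"] and r["proto"] == "tcp"}
    out["dns_only"] = {d for d in out["c2_domains"] if d not in connected}
    return out


def suricata_dns_rules(domains, sid_base=1000001):
    """One DNS-query rule per C2 domain; the sid range is an assumption."""
    return [
        f'alert dns $HOME_NET any -> any any (msg:"Hancitor C2 DNS query {d}"; '
        f'dns.query; content:"{d}"; nocase; isdataat:!1,relative; '
        f'sid:{sid_base + i}; rev:1;)'
        for i, d in enumerate(sorted(domains))
    ]


if __name__ == "__main__":
    t = triage(parse_rows(NETWORK_ROWS))
    for k, v in t.items():
        print(f"{k:13} {sorted(v)}")
    print("\n".join(suricata_dns_rules(t["c2_domains"])))
```

For this report the result is three C2 domains, all of them DNS-only (no TCP follow-up, so no C2 IP to block), 52.20.78.240 filed as the api.ipify.org endpoint rather than as C2, and four unattributed addresses left for manual review instead of being pushed to a blocklist.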

Files

memory/4304-132-0x0000000000000000-mapping.dmp

memory/4304-133-0x0000000000C20000-0x0000000000CF0000-memory.dmp

memory/4304-135-0x0000000000C20000-0x0000000000CF0000-memory.dmp

memory/4304-136-0x0000000000C20000-0x0000000000C2A000-memory.dmp

memory/4304-137-0x0000000000C21000-0x0000000000C42000-memory.dmp

memory/4304-138-0x0000000000C20000-0x0000000000CF0000-memory.dmp
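The "-memory.dmp" entries listed under Files here and in the Windows 7 run are raw copies of the address ranges in their names, taken from the rundll32.exe processes (PID 4304 is the SysWOW64 rundll32.exe on this run). The first thing an analyst checks is whether a region holds the unpacked payload as a memory-mapped PE, and if so the section table must be rewritten before a disassembler will load it, because in memory each section sits at its RVA rather than at PointerToRawData. The following is an added example, not part of the sandbox report: the real dumps are not on the page, so the input is a constructed minimal PE32 DLL image laid out as it would be in memory (section alignment 0x1000), and the code parses the headers, detects the memory layout and rewrites the raw offsets and sizes to match it.

```python
"""Check a raw memory-region dump for a memory-mapped PE and rewrite it
into file layout so a disassembler loads it.

Added example, not part of the sandbox report. The input image is
constructed; the real -memory.dmp files are not on the page.
"""
import struct

SECTION_ALIGN, FILE_ALIGN = 0x1000, 0x200


def align_up(v, a):
    return (v + a - 1) // a * a


def build_mapped_pe():
    """Constructed PE32 image in memory layout: headers, .text at RVA 0x1000, .data at RVA 0x2000.
    PointerToRawData still holds on-disk offsets, exactly as in a dump of a loaded module."""
    sections = [(b".text", 0x1000, 0x300), (b".data", 0x2000, 0x80)]
    opt = bytearray(224)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x10000000)            # ImageBase
    struct.pack_into("<II", opt, 32, SECTION_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", opt, 56, 0x3000, 0x400)        # SizeOfImage, SizeOfHeaders
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x2102)
    sec_tbl = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, rva, align_up(vsize, FILE_ALIGN),
                    0x400 + i * 0x400, 0, 0, 0, 0, 0x60000020)
        for i, (name, rva, vsize) in enumerate(sections))
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, len(dos))              # e_lfanew
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec_tbl
    image = bytearray(0x3000)
    image[:len(headers)] = headers
    image[0x1000:0x1300] = b"\xCC" * 0x300                 # .text body at its RVA
    image[0x2000:0x2080] = b"\x41" * 0x80                  # .data body at its RVA
    return bytes(image)


def parse_pe(buf):
    """Return header info and section table, or None if no PE starts at offset 0."""
    if len(buf) < 64 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 60)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", buf, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    sec_align, file_align = struct.unpack_from("<II", buf, opt + 32)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "rva": rva, "vsize": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "hdr_off": off})
    return {"e_lfanew": e_lfanew, "section_align": sec_align,
            "file_align": file_align, "sections": sections}


def looks_memory_mapped(pe):
    """In a dump of a loaded module, section bytes sit at their RVA, not at PointerToRawData."""
    return any(s["raw_ptr"] != s["rva"] for s in pe["sections"])


def unmap(buf):
    """Make raw offsets equal RVAs so file-based tools read sections from where they are."""
    pe = parse_pe(buf)
    if pe is None:
        raise ValueError("no PE header at offset 0 of the dump")
    out = bytearray(buf)
    struct.pack_into("<I", out, pe["e_lfanew"] + 24 + 36, pe["section_align"])  # FileAlignment
    for s in pe["sections"]:
        raw_size = min(align_up(s["vsize"], pe["section_align"]), len(buf) - s["rva"])
        # SizeOfRawData, PointerToRawData
        struct.pack_into("<II", out, s["hdr_off"] + 16, raw_size, s["rva"])
    return bytes(out)
```

A region dump that does not start with an MZ header is not necessarily uninteresting (the payload may start further into the region, or the region may hold only the DLL's data), but a region that does parse as a memory-mapped PE32 is the unpacked module, and after unmap() its sections read back from the offsets the headers now claim.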