Malware Analysis Report

2024-10-23 17:26

Sample ID: 221130-whnzasfa4w
Target: 790143973633f4d4495230b2d855f5a146123a690e65efc7f3a791295346bc59
SHA256: 790143973633f4d4495230b2d855f5a146123a690e65efc7f3a791295346bc59
Tags: hancitor 0902_ntcwe4 downloader
Score: 10/10

Table of Contents

Analysis Overview
    MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 790143973633f4d4495230b2d855f5a146123a690e65efc7f3a791295346bc59

Threat Level: Known bad

The file 790143973633f4d4495230b2d855f5a146123a690e65efc7f3a791295346bc59 was found to be: Known bad.

Malicious Activity Summary

hancitor 0902_ntcwe4 downloader

Hancitor

Blocklisted process makes network request

Looks up external IP address via web service

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-11-30 17:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-30 17:55
Reported: 2022-12-02 17:41
Platform: win7-20221111-en
Max time kernel: 79s
Max time network: 162s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\790143973633f4d4495230b2d855f5a146123a690e65efc7f3a791295346bc59.dll,#1

Signatures

Hancitor

downloader hancitor

Blocklisted process makes network request

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Looks up external IP address via web service

Description  Indicator      Process  Target
N/A          api.ipify.org  N/A      N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                           Target
PID 1236 wrote to memory of 1332  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1236 wrote to memory of 1332  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1236 wrote to memory of 1332  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1236 wrote to memory of 1332  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1236 wrote to memory of 1332  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1236 wrote to memory of 1332  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1236 wrote to memory of 1332  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\790143973633f4d4495230b2d855f5a146123a690e65efc7f3a791295346bc59.dll,#1

C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\790143973633f4d4495230b2d855f5a146123a690e65efc7f3a791295346bc59.dll,#1

Network

Country  Destination         Proto  Domain
N/A      8.8.8.8:53          udp    api.ipify.org
N/A      52.20.78.240:80     tcp    api.ipify.org
N/A      8.8.8.8:53          udp    sibetaver.com
N/A      8.8.8.8:53          udp    ceirsitsin.ru
N/A      8.8.8.8:53          udp    formawas.ru

Files

memory/1332-54-0x0000000000000000-mapping.dmp

memory/1332-55-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

memory/1332-56-0x00000000749A0000-0x00000000749DB000-memory.dmp

memory/1332-57-0x00000000749A0000-0x00000000749AA000-memory.dmp

memory/1332-58-0x00000000749A0000-0x00000000749DB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-30 17:55
Reported: 2022-12-02 17:40
Platform: win10v2004-20220812-en
Max time kernel: 152s
Max time network: 158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\790143973633f4d4495230b2d855f5a146123a690e65efc7f3a791295346bc59.dll,#1

Signatures

Hancitor

downloader hancitor

Blocklisted process makes network request

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Looks up external IP address via web service

Description  Indicator      Process  Target
N/A          api.ipify.org  N/A      N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                           Target
PID 2280 wrote to memory of 2728  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 2280 wrote to memory of 2728  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 2280 wrote to memory of 2728  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\790143973633f4d4495230b2d855f5a146123a690e65efc7f3a791295346bc59.dll,#1

C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\790143973633f4d4495230b2d855f5a146123a690e65efc7f3a791295346bc59.dll,#1

Network

Country  Destination         Proto  Domain
N/A      72.21.91.29:80      tcp
N/A      67.24.171.254:80    tcp
N/A      52.182.143.210:443  tcp
N/A      67.24.171.254:80    tcp
N/A      67.24.171.254:80    tcp
N/A      67.24.171.254:80    tcp
N/A      8.8.8.8:53          udp    api.ipify.org
N/A      3.232.242.170:80    tcp    api.ipify.org
N/A      52.20.78.240:80     tcp    api.ipify.org
N/A      40.125.122.151:443  tcp
N/A      3.220.57.224:80     tcp    api.ipify.org
N/A      8.8.8.8:53          udp    sibetaver.com
N/A      8.8.8.8:53          udp    ceirsitsin.ru
N/A      8.8.8.8:53          udp    formawas.ru
N/A      8.8.8.8:53          udp    97.97.242.52.in-addr.arpa
N/A      8.8.8.8:53          udp    9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa
N/A      8.8.8.8:53          udp
N/A      20.73.194.208:443   tcp
N/A      20.73.194.208:443   tcp

Files

memory/2728-132-0x0000000000000000-mapping.dmp

memory/2728-133-0x0000000075360000-0x000000007536A000-memory.dmp

memory/2728-134-0x0000000075360000-0x000000007539B000-memory.dmp