Analysis Overview
SHA256
790143973633f4d4495230b2d855f5a146123a690e65efc7f3a791295346bc59
Threat Level: Known bad
The file 790143973633f4d4495230b2d855f5a146123a690e65efc7f3a791295346bc59 was found to be: Known bad.
Malicious Activity Summary
Hancitor
Blocklisted process makes network request
Looks up external IP address via web service
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-11-30 17:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-30 17:55
Reported
2022-12-02 17:41
Platform
win7-20221111-en
Max time kernel
79s
Max time network
162s
Command Line
Signatures
Hancitor
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1236 wrote to memory of 1332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1236 wrote to memory of 1332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1236 wrote to memory of 1332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1236 wrote to memory of 1332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1236 wrote to memory of 1332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1236 wrote to memory of 1332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1236 wrote to memory of 1332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\790143973633f4d4495230b2d855f5a146123a690e65efc7f3a791295346bc59.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\790143973633f4d4495230b2d855f5a146123a690e65efc7f3a791295346bc59.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 52.20.78.240:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | sibetaver.com | udp |
| N/A | 8.8.8.8:53 | ceirsitsin.ru | udp |
| N/A | 8.8.8.8:53 | formawas.ru | udp |
Files
memory/1332-54-0x0000000000000000-mapping.dmp
memory/1332-55-0x0000000074FD1000-0x0000000074FD3000-memory.dmp
memory/1332-56-0x00000000749A0000-0x00000000749DB000-memory.dmp
memory/1332-57-0x00000000749A0000-0x00000000749AA000-memory.dmp
memory/1332-58-0x00000000749A0000-0x00000000749DB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-30 17:55
Reported
2022-12-02 17:40
Platform
win10v2004-20220812-en
Max time kernel
152s
Max time network
158s
Command Line
Signatures
Hancitor
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2280 wrote to memory of 2728 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2280 wrote to memory of 2728 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2280 wrote to memory of 2728 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\790143973633f4d4495230b2d855f5a146123a690e65efc7f3a791295346bc59.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\790143973633f4d4495230b2d855f5a146123a690e65efc7f3a791295346bc59.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 72.21.91.29:80 | tcp | |
| N/A | 67.24.171.254:80 | tcp | |
| N/A | 52.182.143.210:443 | tcp | |
| N/A | 67.24.171.254:80 | tcp | |
| N/A | 67.24.171.254:80 | tcp | |
| N/A | 67.24.171.254:80 | tcp | |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 3.232.242.170:80 | api.ipify.org | tcp |
| N/A | 52.20.78.240:80 | api.ipify.org | tcp |
| N/A | 40.125.122.151:443 | tcp | |
| N/A | 3.220.57.224:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | sibetaver.com | udp |
| N/A | 8.8.8.8:53 | ceirsitsin.ru | udp |
| N/A | 8.8.8.8:53 | formawas.ru | udp |
| N/A | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| N/A | 8.8.8.8:53 | udp | |
| N/A | 20.73.194.208:443 | tcp | |
| N/A | 20.73.194.208:443 | tcp |
Files
memory/2728-132-0x0000000000000000-mapping.dmp
memory/2728-133-0x0000000075360000-0x000000007536A000-memory.dmp
memory/2728-134-0x0000000075360000-0x000000007539B000-memory.dmp