hancitor | aee66bf0b352470d89afce682aa0af5bef651c97981fe20507d36127f2fa5f90

Analysis

max time kernel
43s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WHO_4776889046841393.vbs
Size

909KB
MD5

67d3819f1f32d9a140b3201ae5d310d8
SHA1

545ddac4103a70825c6fef264c08bd34787809bb
SHA256

c03838ce46b55ee5253eb78a82c4f91f9273c833387bc430309bb84cd3a0bc33
SHA512

85d1f5d646c05b47a5425520a9e6628744d8ec17bec6aa8b051449f9f304b07fefe2f4fe9d14bd00aeb04cc6141ea1452c888f9cb94e4ab7b1152c46da64bf8b
SSDEEP

3072:DLG8LSTq0uHLlixTm/p9SKN0YpHp6R+UEpIDr5NAuCLC9kz3xHyLS8Kl0sGfjhgH:jRo5Qc970K/Dqld/2libfKTnYrKJmvJ

Score

10^/10

hancitor 2111_7654345 downloader

Malware Config

Extracted

Family

hancitor

Botnet

2111_7654345

http://hismosedkaj.com/4/forum.php

http://consenhary.ru/4/forum.php

http://prolighmev.ru/4/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2012	regsvr32.exe	27

Loads dropped DLL 1 IoCs

pid	Process
1448	regsvr32.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1448 set thread context of 1020	1448	regsvr32.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1020	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1620	WScript.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1448	2008	regsvr32.exe	29
PID 2008 wrote to memory of 1448	2008	regsvr32.exe	29
PID 2008 wrote to memory of 1448	2008	regsvr32.exe	29
PID 2008 wrote to memory of 1448	2008	regsvr32.exe	29
PID 2008 wrote to memory of 1448	2008	regsvr32.exe	29
PID 2008 wrote to memory of 1448	2008	regsvr32.exe	29
PID 2008 wrote to memory of 1448	2008	regsvr32.exe	29
PID 1448 wrote to memory of 1020	1448	regsvr32.exe	30
PID 1448 wrote to memory of 1020	1448	regsvr32.exe	30
PID 1448 wrote to memory of 1020	1448	regsvr32.exe	30
PID 1448 wrote to memory of 1020	1448	regsvr32.exe	30
PID 1448 wrote to memory of 1020	1448	regsvr32.exe	30
PID 1448 wrote to memory of 1020	1448	regsvr32.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WHO_4776889046841393.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1620

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\suHlT.txt
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\regsvr32.exe
  -s C:\Users\Admin\AppData\Local\Temp\suHlT.txt
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\suHlT.txt

Filesize
174KB

MD5
227ddb5f8b75f0c253e466e0752f1d97

SHA1
e5361dbf2218d41e577bfff6355125bdda0c08db

SHA256
f71d14084f5b22dc41223db248a96c27ca54f9ae0582ac9d6dc0a7d2b13728ac

SHA512
108a06fcc33ae5b2a024a84f861f873efbd0cadffa8eddd575e1f3392f2ae2914aef253d3a7b2bfa445c61b83f9ceaf6224880d39c43d3bdfd0b3c5fa9b01d02

Download Submit
\Users\Admin\AppData\Local\Temp\suHlT.txt

Filesize
174KB

MD5
227ddb5f8b75f0c253e466e0752f1d97

SHA1
e5361dbf2218d41e577bfff6355125bdda0c08db

SHA256
f71d14084f5b22dc41223db248a96c27ca54f9ae0582ac9d6dc0a7d2b13728ac

SHA512
108a06fcc33ae5b2a024a84f861f873efbd0cadffa8eddd575e1f3392f2ae2914aef253d3a7b2bfa445c61b83f9ceaf6224880d39c43d3bdfd0b3c5fa9b01d02

Download Submit
memory/1020-70-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1020-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1020-67-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1020-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1020-62-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1448-57-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1448-66-0x0000000000130000-0x000000000013C000-memory.dmp

Filesize
48KB

Download
memory/1448-65-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/1448-59-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/2008-54-0x000007FEFC161000-0x000007FEFC163000-memory.dmp

Filesize
8KB

Download