Malware Analysis Report

2024-10-23 17:29

Sample ID 221204-smaqpaag98
Target aee66bf0b352470d89afce682aa0af5bef651c97981fe20507d36127f2fa5f90
SHA256 aee66bf0b352470d89afce682aa0af5bef651c97981fe20507d36127f2fa5f90
Tags
hancitor 2111_7654345 downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aee66bf0b352470d89afce682aa0af5bef651c97981fe20507d36127f2fa5f90

Threat Level: Known bad

The file aee66bf0b352470d89afce682aa0af5bef651c97981fe20507d36127f2fa5f90 was found to be: Known bad.

Malicious Activity Summary

hancitor 2111_7654345 downloader

Process spawned unexpected child process

Hancitor

Loads dropped DLL

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-04 15:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-04 15:14

Reported

2022-12-08 08:01

Platform

win7-20220812-en

Max time kernel

43s

Max time network

151s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WHO_4776889046841393.vbs"

Signatures

Hancitor

downloader hancitor

Process spawned unexpected child process

Description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
Indicator: N/A
Process: C:\Windows\system32\regsvr32.exe

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\regsvr32.exe
Target: N/A

Looks up external IP address via web service

Description: N/A
Indicator: api.ipify.org
Process: N/A
Target: N/A

Suspicious use of SetThreadContext

Description: PID 1448 set thread context of 1020
Indicator: N/A
Process: C:\Windows\SysWOW64\regsvr32.exe
Target: C:\Windows\SysWOW64\svchost.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\svchost.exe
Target: N/A

Suspicious use of FindShellTrayWindow

Description: N/A
Indicator: N/A
Process: C:\Windows\System32\WScript.exe
Target: N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WHO_4776889046841393.vbs"

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\suHlT.txt

C:\Windows\SysWOW64\regsvr32.exe

-s C:\Users\Admin\AppData\Local\Temp\suHlT.txt

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe
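The process list above (WScript.exe running a .vbs from the user's Temp directory, regsvr32.exe started under wmiprvse.exe rather than under the script host, the 64-bit regsvr32.exe re-launching its SysWOW64 twin against a file with a .txt extension, and a SysWOW64 svchost.exe whose parent is regsvr32.exe) is the part of this report that turns directly into process-creation detections. The Python below is an added example, not sandbox output or any vendor's rule. It runs those checks over events constructed from the behavioral1 process list; the parent of WScript.exe, the PID of the 64-bit regsvr32.exe and the benign control event are assumptions, because the report does not record them.

```python
"""Process-tree checks for the regsvr32 launch chain in this report.

Added example, not sandbox output. Events are constructed from the
behavioral1 process list; WScript's parent, the 64-bit regsvr32 PID and
the benign control event are assumed, not taken from the report.
"""
import ntpath
import re
from dataclasses import dataclass

# Extensions regsvr32 is normally asked to register; the sample hands it a ".txt".
REGISTRABLE = {".dll", ".ocx", ".ax", ".cpl"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    parent_image: str
    cmdline: str


EVENTS = [
    ProcEvent(2008, r"C:\Windows\System32\WScript.exe",
              r"C:\Windows\explorer.exe",  # assumed parent, not in the report
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WHO_4776889046841393.vbs"'),
    ProcEvent(1300, r"C:\Windows\system32\regsvr32.exe",  # PID assumed, not in the report
              r"C:\Windows\system32\wbem\wmiprvse.exe",
              r"regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\suHlT.txt"),
    ProcEvent(1448, r"C:\Windows\SysWOW64\regsvr32.exe",
              r"C:\Windows\system32\regsvr32.exe",
              r"-s C:\Users\Admin\AppData\Local\Temp\suHlT.txt"),
    ProcEvent(1020, r"C:\Windows\SysWOW64\svchost.exe",
              r"C:\Windows\SysWOW64\regsvr32.exe",
              r"C:\Windows\System32\svchost.exe"),
    # Constructed benign control: a service host started by the SCM must stay quiet.
    ProcEvent(900, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path).lower()


def split_cmdline(cmdline: str) -> list[str]:
    """Tokenise a Windows command line, honouring double-quoted arguments."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def evaluate(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return (level, message) findings for one process-creation event."""
    findings = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    tokens = split_cmdline(ev.cmdline)
    # The SysWOW64 relaunch in this report has no image name in argv[0] ("-s C:\..."),
    # so only drop the first token when it actually names the executable.
    if tokens and basename(tokens[0]) == img:
        tokens = tokens[1:]
    files = [t for t in tokens if not t.startswith(("-", "/"))]
    in_temp = [f for f in files if "\\appdata\\local\\temp\\" in f.lower()]

    if img in SCRIPT_HOSTS and in_temp:
        findings.append(("medium", f"script host executing from user Temp: {in_temp[0]}"))

    if img == "regsvr32.exe":
        if parent == "wmiprvse.exe":
            # A WmiPrvSE parent is what a Win32_Process.Create launch looks like;
            # it hides the script host from the regsvr32 parent chain.
            findings.append(("high", "regsvr32 spawned by WmiPrvSE (process created through WMI)"))
        if parent == "regsvr32.exe":
            # 64-bit regsvr32 hands a 32-bit DLL to its SysWOW64 twin: benign on its
            # own, but it tells you the dropped payload is 32-bit.
            findings.append(("info", "64-bit regsvr32 relaunched 32-bit regsvr32: payload is a 32-bit DLL"))
        for f in files:
            ext = ntpath.splitext(f)[1].lower()
            if ext not in REGISTRABLE:
                findings.append(("high", f"regsvr32 told to register a non-DLL extension ({ext or 'none'}): {f}"))

    if img == "svchost.exe" and parent != "services.exe":
        findings.append(("high", f"svchost.exe started by {parent} instead of services.exe"))
    return findings


def run(events=EVENTS) -> dict[int, list[tuple[str, str]]]:
    """Evaluate every event; only PIDs with at least one finding are returned."""
    return {ev.pid: f for ev in events if (f := evaluate(ev))}


if __name__ == "__main__":
    for pid, findings in run().items():
        for level, msg in findings:
            print(f"pid {pid:<5} {level:<6} {msg}")
```

The 64-bit to 32-bit regsvr32 hop is reported at "info" level on purpose: it happens for every 32-bit COM DLL and is only interesting here because of the .txt extension and the WmiPrvSE parent around it.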

Network

Country  Destination      Domain           Proto
N/A      8.8.8.8:53       api.ipify.org    udp
N/A      52.20.78.240:80  api.ipify.org    tcp
N/A      8.8.8.8:53       hismosedkaj.com  udp
N/A      8.8.8.8:53       consenhary.ru    udp
N/A      8.8.8.8:53       prolighmev.ru    udp

Files

memory/2008-54-0x000007FEFC161000-0x000007FEFC163000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\suHlT.txt

MD5 227ddb5f8b75f0c253e466e0752f1d97
SHA1 e5361dbf2218d41e577bfff6355125bdda0c08db
SHA256 f71d14084f5b22dc41223db248a96c27ca54f9ae0582ac9d6dc0a7d2b13728ac
SHA512 108a06fcc33ae5b2a024a84f861f873efbd0cadffa8eddd575e1f3392f2ae2914aef253d3a7b2bfa445c61b83f9ceaf6224880d39c43d3bdfd0b3c5fa9b01d02

memory/1448-56-0x0000000000000000-mapping.dmp

memory/1448-57-0x0000000075D01000-0x0000000075D03000-memory.dmp

\Users\Admin\AppData\Local\Temp\suHlT.txt

MD5 227ddb5f8b75f0c253e466e0752f1d97
SHA1 e5361dbf2218d41e577bfff6355125bdda0c08db
SHA256 f71d14084f5b22dc41223db248a96c27ca54f9ae0582ac9d6dc0a7d2b13728ac
SHA512 108a06fcc33ae5b2a024a84f861f873efbd0cadffa8eddd575e1f3392f2ae2914aef253d3a7b2bfa445c61b83f9ceaf6224880d39c43d3bdfd0b3c5fa9b01d02

memory/1448-59-0x00000000000C0000-0x00000000000C9000-memory.dmp

memory/1020-60-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1020-62-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1020-63-0x0000000000402960-mapping.dmp

memory/1448-66-0x0000000000130000-0x000000000013C000-memory.dmp

memory/1448-65-0x00000000000C0000-0x00000000000C9000-memory.dmp

memory/1020-67-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1020-69-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1020-70-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-12-04 15:14

Reported

2022-12-08 08:01

Platform

win10v2004-20220812-en

Max time kernel

139s

Max time network

164s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WHO_4776889046841393.vbs"

Signatures

Hancitor

downloader hancitor

Process spawned unexpected child process

Description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
Indicator: N/A
Process: C:\Windows\system32\regsvr32.exe

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\regsvr32.exe
Target: N/A

Looks up external IP address via web service

Description: N/A
Indicator: api.ipify.org
Process: N/A
Target: N/A

Suspicious use of SetThreadContext

Description: PID 4956 set thread context of 4844
Indicator: N/A
Process: C:\Windows\SysWOW64\regsvr32.exe
Target: C:\Windows\SysWOW64\svchost.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\svchost.exe
Target: N/A

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\svchost.exe
Target: N/A

Suspicious use of FindShellTrayWindow

Description: N/A
Indicator: N/A
Process: C:\Windows\System32\WScript.exe
Target: N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WHO_4776889046841393.vbs"

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\suHlT.txt

C:\Windows\SysWOW64\regsvr32.exe

-s C:\Users\Admin\AppData\Local\Temp\suHlT.txt

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

Network

Country  Destination         Domain                                                                    Proto
N/A      8.8.8.8:53          f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa  udp
N/A      87.248.202.1:80                                                                               tcp
N/A      8.8.8.8:53          api.ipify.org                                                             udp
N/A      3.220.57.224:80     api.ipify.org                                                             tcp
N/A      52.109.8.44:443                                                                               tcp
N/A      93.184.221.240:80                                                                             tcp
N/A      51.132.193.104:443                                                                            tcp
N/A      40.125.122.151:443                                                                            tcp
N/A      3.232.242.170:80    api.ipify.org                                                             tcp
N/A      8.8.8.8:53          97.97.242.52.in-addr.arpa                                                 udp
N/A      54.91.59.199:80     api.ipify.org                                                             tcp
N/A      87.248.202.1:80                                                                               tcp
N/A      87.248.202.1:80                                                                               tcp
N/A      8.8.8.8:53          f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa  udp
N/A      8.8.8.8:53          hismosedkaj.com                                                           udp
N/A      8.8.8.8:53          consenhary.ru                                                             udp
N/A      8.8.8.8:53          prolighmev.ru                                                             udp
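The DNS rows in this table fall into three groups: reverse lookups (in-addr.arpa and ip6.arpa) performed by the guest, the api.ipify.org external-IP check the sandbox flagged, and three domains (hismosedkaj.com, consenhary.ru, prolighmev.ru) that were queried but never followed by a recorded TCP connection. The Python below is an added example, not part of the report: it parses the rows as copied from this table, decodes the reverse lookups back to addresses, separates the C2 candidates from the noise, and emits a Sigma rule for them. The IP_CHECK_SERVICES set and the rule title are choices made here, not something the report states.

```python
"""Triage of the behavioral2 Network table into IOC buckets.

Added example, not sandbox output. ROWS is copied from the report's
table; the classification policy below is an editorial choice.
"""
import ipaddress

# Rows copied from the behavioral2 Network table (Country Destination Domain Proto);
# rows with no domain have only three fields.
ROWS = """\
N/A 8.8.8.8:53 f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa udp
N/A 87.248.202.1:80 tcp
N/A 8.8.8.8:53 api.ipify.org udp
N/A 3.220.57.224:80 api.ipify.org tcp
N/A 52.109.8.44:443 tcp
N/A 93.184.221.240:80 tcp
N/A 51.132.193.104:443 tcp
N/A 40.125.122.151:443 tcp
N/A 3.232.242.170:80 api.ipify.org tcp
N/A 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
N/A 54.91.59.199:80 api.ipify.org tcp
N/A 87.248.202.1:80 tcp
N/A 87.248.202.1:80 tcp
N/A 8.8.8.8:53 f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa udp
N/A 8.8.8.8:53 hismosedkaj.com udp
N/A 8.8.8.8:53 consenhary.ru udp
N/A 8.8.8.8:53 prolighmev.ru udp
"""

# External-IP lookup service flagged by the sandbox; kept out of the C2 list (assumed policy).
IP_CHECK_SERVICES = {"api.ipify.org"}


def parse_rows(text):
    """Yield (destination, domain, proto) per row; a 3-field row has no domain."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _, dest, domain, proto = parts
        elif len(parts) == 3:
            _, dest, proto = parts
            domain = ""
        else:
            continue
        yield dest, domain, proto


def reverse_name_to_ip(name):
    """Decode an in-addr.arpa / ip6.arpa query name back to the address it asked about."""
    if name.endswith(".in-addr.arpa"):
        octets = name[: -len(".in-addr.arpa")].split(".")
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    if name.endswith(".ip6.arpa"):
        nibbles = "".join(reversed(name[: -len(".ip6.arpa")].split(".")))
        groups = [nibbles[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    return None


def triage(text=ROWS):
    """Split the table into C2 candidates, IP-check traffic, reverse lookups and bare TCP."""
    queried, connected, reverse, bare = set(), set(), {}, set()
    for dest, domain, proto in parse_rows(text):
        if proto == "udp" and dest.endswith(":53"):
            ip = reverse_name_to_ip(domain)
            if ip:
                reverse[domain] = ip
            else:
                queried.add(domain)
        elif proto == "tcp":
            if domain:
                connected.add(domain)
            else:
                bare.add(dest)
    return {
        # Queried over DNS but never followed by a recorded TCP connection.
        "c2_candidates": sorted(queried - connected - IP_CHECK_SERVICES),
        "ip_check": sorted(queried & IP_CHECK_SERVICES),
        "reverse_lookups": reverse,
        # Connections the table does not attribute to any name; keep for manual review.
        "unattributed_tcp": sorted(bare),
    }


def sigma_rule(domains, sample_id):
    """Render an exact-match Sigma DNS rule for the candidate domains (title is assumed)."""
    lines = [
        f"title: DNS lookups for Hancitor C2 domains (sample {sample_id})",
        "status: experimental",
        "logsource:",
        "  category: dns_query",
        "  product: windows",
        "detection:",
        "  selection:",
        "    QueryName:",
    ]
    lines += [f"      - '{d}'" for d in domains]
    lines += ["  condition: selection", "level: high"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = triage()
    print(result)
    print(sigma_rule(result["c2_candidates"], "221204-smaqpaag98"))
```

Connections with no domain attached are kept aside as unattributed rather than dropped, because the table alone does not say whether they belong to the sample or to the guest OS.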

Files

C:\Users\Admin\AppData\Local\Temp\suHlT.txt

MD5 227ddb5f8b75f0c253e466e0752f1d97
SHA1 e5361dbf2218d41e577bfff6355125bdda0c08db
SHA256 f71d14084f5b22dc41223db248a96c27ca54f9ae0582ac9d6dc0a7d2b13728ac
SHA512 108a06fcc33ae5b2a024a84f861f873efbd0cadffa8eddd575e1f3392f2ae2914aef253d3a7b2bfa445c61b83f9ceaf6224880d39c43d3bdfd0b3c5fa9b01d02

memory/4956-133-0x0000000000000000-mapping.dmp

memory/4956-135-0x0000000000DE0000-0x0000000000DE9000-memory.dmp

memory/4844-136-0x0000000000000000-mapping.dmp

memory/4844-137-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4844-139-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4956-140-0x0000000000DE0000-0x0000000000DE9000-memory.dmp

memory/4956-141-0x0000000001090000-0x000000000109C000-memory.dmp

memory/4844-142-0x0000000000400000-0x0000000000409000-memory.dmp
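Across both detonations the SetThreadContext signature pairs a SysWOW64 regsvr32.exe with a SysWOW64 svchost.exe, and the Files sections repeatedly dump a 0x9000-byte region at 0x400000 in that svchost.exe plus a region of the same size in the regsvr32.exe (0xC0000 in behavioral1, 0xDE0000 in behavioral2). That is consistent with process hollowing: the injector stages the payload, writes it over the target's image base and redirects the main thread. The Python below is an added example, not sandbox output. It parses the dump names as copied from both Files sections and ties each injection pair to the target region, to the mapping-dump address (assumed here to be the address the sandbox recorded when the thread context was set; behavioral2 records 0x0, which the code treats as unknown) and to any injector region of matching size.

```python
"""Correlate SetThreadContext pairs with the memory dumps in this report.

Added example, not sandbox output. Dump names are copied from the Files
sections of both detonations; the meaning given to the mapping-dump
address is an assumption, and the size match is an inference.
"""
import re
from collections import defaultdict

DUMPS_B1 = """
memory/2008-54-0x000007FEFC161000-0x000007FEFC163000-memory.dmp
memory/1448-56-0x0000000000000000-mapping.dmp
memory/1448-57-0x0000000075D01000-0x0000000075D03000-memory.dmp
memory/1448-59-0x00000000000C0000-0x00000000000C9000-memory.dmp
memory/1020-60-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1020-62-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1020-63-0x0000000000402960-mapping.dmp
memory/1448-66-0x0000000000130000-0x000000000013C000-memory.dmp
memory/1448-65-0x00000000000C0000-0x00000000000C9000-memory.dmp
memory/1020-67-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1020-69-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1020-70-0x0000000000400000-0x0000000000409000-memory.dmp
"""
DUMPS_B2 = """
memory/4956-133-0x0000000000000000-mapping.dmp
memory/4956-135-0x0000000000DE0000-0x0000000000DE9000-memory.dmp
memory/4844-136-0x0000000000000000-mapping.dmp
memory/4844-137-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4844-139-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4956-140-0x0000000000DE0000-0x0000000000DE9000-memory.dmp
memory/4956-141-0x0000000001090000-0x000000000109C000-memory.dmp
memory/4844-142-0x0000000000400000-0x0000000000409000-memory.dmp
"""
# (injector PID, target PID) from the "Suspicious use of SetThreadContext" signatures.
INJECTIONS_B1 = [(1448, 1020)]
INJECTIONS_B2 = [(4956, 4844)]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp  or  memory/<pid>-<seq>-0x<addr>-mapping.dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<a>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<b>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)


def parse_dumps(text):
    """Return ({pid: {(start, end), ...}}, {pid: [mapping address, ...]})."""
    regions, mappings = defaultdict(set), defaultdict(list)
    for name in text.split():
        m = DUMP_RE.match(name)
        if not m:
            continue
        pid, a = int(m["pid"]), int(m["a"], 16)
        if m["b"] is None:
            mappings[pid].append(a)
        else:
            regions[pid].add((a, int(m["b"], 16)))
    return regions, mappings


def correlate(text, injections):
    """For each SetThreadContext pair, tie the target's dumped region to the
    mapping address and to same-sized regions dumped from the injector."""
    regions, mappings = parse_dumps(text)
    out = []
    for src, dst in injections:
        target_regions = sorted(regions.get(dst, ()))
        # A 0x0 mapping address carries no information; treat it as unknown.
        entries = [a for a in mappings.get(dst, []) if a]
        entry = entries[0] if entries else None
        hit = next((r for r in target_regions
                    if entry is not None and r[0] <= entry < r[1]), None)
        sizes = {end - start for start, end in target_regions}
        staged = sorted(r for r in regions.get(src, ()) if r[1] - r[0] in sizes)
        out.append({
            "injector": src,
            "target": dst,
            "target_regions": target_regions,
            "entry": entry,                       # None when the sandbox recorded 0x0
            "entry_in_region": hit,               # target region containing the entry
            "injector_same_size_regions": staged,  # candidate staging copies of the payload
        })
    return out


if __name__ == "__main__":
    for label, text, inj in (("behavioral1", DUMPS_B1, INJECTIONS_B1),
                             ("behavioral2", DUMPS_B2, INJECTIONS_B2)):
        for r in correlate(text, inj):
            print(label, {k: (hex(v) if isinstance(v, int) else v) for k, v in r.items()})
```

For behavioral1 the mapping address 0x402960 lands inside the 0x400000-0x409000 region, which is what you would expect if the thread was pointed at an entry point inside the written-in image; for behavioral2 the mapping dump carries 0x0, so the code reports the region and the staging copy but leaves the entry unknown rather than guessing.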