Analysis
max time kernel: 157s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-01-2023 16:17
Static task: static1
Behavioral task: behavioral1
  Sample: ead01441d35aeba42fd9b1d302a45b20cd6482ec5d39b02f1bffb265ee85702a.dll
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: ead01441d35aeba42fd9b1d302a45b20cd6482ec5d39b02f1bffb265ee85702a.dll
  Resource: win10v2004-20221111-en
General
Target: ead01441d35aeba42fd9b1d302a45b20cd6482ec5d39b02f1bffb265ee85702a.dll
Size: 389KB
MD5: 692761c6b17324c796a10e3942ed49cc
SHA1: 804be5f7628922bb1f22d7accde22fba7e497568
SHA256: ead01441d35aeba42fd9b1d302a45b20cd6482ec5d39b02f1bffb265ee85702a
SHA512: dd4682e9f795e6a015acfacd8cd1b2fefde73755c89c8052d2065d3daf7d461141343aedd0b32eeffa2adc3bedb05defbad6236ca8165916178ee8a15b04016f
SSDEEP: 12288:V17lp2D7gWtUSvuWZJ634myr2H/BRGbmaROt:VVSsE638risLR
Malware Config
Extracted
  Family: hancitor
  Build: 2502_ser3402
  C2: http://speritentz.com/8/forum.php
  C2: http://afternearde.ru/8/forum.php
  C2: http://counivicop.ru/8/forum.php
Signatures
Hancitor
  Hancitor is a downloader used to deliver other malware families.
Blocklisted process makes network request (4 IoCs)
  Processes:
    flow  pid   Process
    9     1460  rundll32.exe
    23    1460  rundll32.exe
    27    1460  rundll32.exe
    33    1460  rundll32.exe
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    8     api.ipify.org
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   Process
    1460  rundll32.exe
    1460  rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid   Process       procid_target
    PID 4924 wrote to memory of 1460   4924  rundll32.exe  80
    PID 4924 wrote to memory of 1460   4924  rundll32.exe  80
    PID 4924 wrote to memory of 1460   4924  rundll32.exe  80
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ead01441d35aeba42fd9b1d302a45b20cd6482ec5d39b02f1bffb265ee85702a.dll,#1
  PID: 4924
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ead01441d35aeba42fd9b1d302a45b20cd6482ec5d39b02f1bffb265ee85702a.dll,#1
    PID: 1460
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses