Analysis
- max time kernel: 92s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 16:17
Static task: static1
Behavioral task: behavioral1
- Sample: cc05fdddc218cdce0168c8f8b419e1e0e4cc1bb7a82c0b62287cfe9823f60efe.dll
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: cc05fdddc218cdce0168c8f8b419e1e0e4cc1bb7a82c0b62287cfe9823f60efe.dll
- Resource: win10v2004-20220812-en
General
- Target: cc05fdddc218cdce0168c8f8b419e1e0e4cc1bb7a82c0b62287cfe9823f60efe.dll
- Size: 389KB
- MD5: 94ae295b4bafe4c8a7a306d6d4567908
- SHA1: 01b6d0c13e17c2d38f2b9642b43d6f0301ad36aa
- SHA256: cc05fdddc218cdce0168c8f8b419e1e0e4cc1bb7a82c0b62287cfe9823f60efe
- SHA512: ef1634ff5657c8ef66992109df2cdcd1ccc37c916eabe34a6c227e9c0f86dc7115f4b5082684c7548966d482ae2cfe90f4183d671a01557aeacc2b179d75ce15
- SSDEEP: 12288:V17lp2D7gWtUSvuWZJk34myr2H/BRGbmaROY:VVSsEk38risLR
Malware Config
Extracted
- Family: hancitor
- Build: 2502_ser3402
- C2:
  - http://speritentz.com/8/forum.php
  - http://afternearde.ru/8/forum.php
  - http://counivicop.ru/8/forum.php
Signatures
- Hancitor
  Hancitor is a downloader used to deliver other malware families.
- Blocklisted process makes network request (3 IoCs)
  Processes (flow / pid / process):
  - 29 / 5080 / rundll32.exe
  - 31 / 5080 / rundll32.exe
  - 33 / 5080 / rundll32.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  - 28 / api.ipify.org
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 5080 / rundll32.exe
  - 5080 / rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
  - PID 1656 wrote to memory of 5080 / 1656 / rundll32.exe / rundll32.exe
  - PID 1656 wrote to memory of 5080 / 1656 / rundll32.exe / rundll32.exe
  - PID 1656 wrote to memory of 5080 / 1656 / rundll32.exe / rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cc05fdddc218cdce0168c8f8b419e1e0e4cc1bb7a82c0b62287cfe9823f60efe.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cc05fdddc218cdce0168c8f8b419e1e0e4cc1bb7a82c0b62287cfe9823f60efe.dll,#1
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
Downloads
- memory/5080-132-0x0000000000000000-mapping.dmp
- memory/5080-133-0x0000000074E70000-0x0000000074E7A000-memory.dmp (Filesize: 40KB)
- memory/5080-134-0x0000000074E70000-0x0000000074F20000-memory.dmp (Filesize: 704KB)
- memory/5080-135-0x0000000074E70000-0x0000000074F20000-memory.dmp (Filesize: 704KB)