Overview

overview

10

Static

static

cc05fdddc2...fe.dll

windows7-x64

10

cc05fdddc2...fe.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 16:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cc05fdddc218cdce0168c8f8b419e1e0e4cc1bb7a82c0b62287cfe9823f60efe.dll

  • Size

    389KB

  • MD5

    94ae295b4bafe4c8a7a306d6d4567908

  • SHA1

    01b6d0c13e17c2d38f2b9642b43d6f0301ad36aa

  • SHA256

    cc05fdddc218cdce0168c8f8b419e1e0e4cc1bb7a82c0b62287cfe9823f60efe

  • SHA512

    ef1634ff5657c8ef66992109df2cdcd1ccc37c916eabe34a6c227e9c0f86dc7115f4b5082684c7548966d482ae2cfe90f4183d671a01557aeacc2b179d75ce15

  • SSDEEP

    12288:V17lp2D7gWtUSvuWZJk34myr2H/BRGbmaROY:VVSsEk38risLR

Score
10/10
hancitor2502_ser3402downloader

Malware Config

Extracted

Family

hancitor

Botnet

2502_ser3402

C2

http://speritentz.com/8/forum.php

http://afternearde.ru/8/forum.php

http://counivicop.ru/8/forum.php

Signatures

  • Hancitor

    Hancitor is downloader used to deliver other malware families.

    downloaderhancitor
  • Blocklisted process makes network request 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\cc05fdddc218cdce0168c8f8b419e1e0e4cc1bb7a82c0b62287cfe9823f60efe.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\cc05fdddc218cdce0168c8f8b419e1e0e4cc1bb7a82c0b62287cfe9823f60efe.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:5080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/5080-133-0x0000000074E70000-0x0000000074E7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5080-134-0x0000000074E70000-0x0000000074F20000-memory.dmp

    Filesize

    704KB

    Download

  • memory/5080-135-0x0000000074E70000-0x0000000074F20000-memory.dmp

    Filesize

    704KB

    Download