Malware Analysis Report

2024-10-19 02:51

Sample ID 230901-msv1xsec2y
Target hacintor
SHA256 990a4cd6dd9575cbd2122f560ff68420c1c9dbfde3c9d6a5181b0f54a7e497cd
Tags
1706_apkreb6 hancitor
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

990a4cd6dd9575cbd2122f560ff68420c1c9dbfde3c9d6a5181b0f54a7e497cd

Threat Level: Known bad

The file hacintor was found to be: Known bad.

Malicious Activity Summary

1706_apkreb6 hancitor

Hancitor family

Blocklisted process makes network request

Looks up external IP address via web service

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-09-01 10:44

Signatures

Hancitor family

hancitor

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-01 10:44

Reported

2023-09-01 10:46

Platform

win10v2004-20230831-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\hacintor.dll,#1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3228 wrote to memory of 3260 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3228 wrote to memory of 3260 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3228 wrote to memory of 3260 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\hacintor.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\hacintor.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.237.62.212:80 api.ipify.org tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 thestaccultur.com udp
US 8.8.8.8:53 arguendinfuld.ru udp
US 8.8.8.8:53 waxotheousch.ru udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.62.237.104.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 126.179.238.8.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 thestaccultur.com udp
US 8.8.8.8:53 arguendinfuld.ru udp
US 8.8.8.8:53 waxotheousch.ru udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-01 10:44

Reported

2023-09-01 10:46

Platform

win7-20230831-en

Max time kernel

129s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\hacintor.dll,#1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 2104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\hacintor.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\hacintor.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 173.231.16.76:80 api.ipify.org tcp
US 8.8.8.8:53 thestaccultur.com udp
US 8.8.8.8:53 arguendinfuld.ru udp
US 8.8.8.8:53 waxotheousch.ru udp

Files

N/A