Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-12-2023 19:17
Behavioral task: behavioral1
- Sample: 81c4485a834880c3becd7e3eefd841a3.doc
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 81c4485a834880c3becd7e3eefd841a3.doc
- Resource: win10v2004-20231215-en
General
- Target: 81c4485a834880c3becd7e3eefd841a3.doc
- Size: 850KB
- MD5: 81c4485a834880c3becd7e3eefd841a3
- SHA1: a1d76eaf5c4f787fc34528e46dc9cda5d9d5ea28
- SHA256: 87df253ffe9d319d5a315b3361a1d13553c3bc4bf233e5c93a8624b5993f4abe
- SHA512: 09076ecc53e4ad0d27c783918ca6c74dbf81cdb11c47c232afe8044e372aeb4920a488e1320c0cad9267d2fb747e2dc3e9e7c265021bba6b3dbec14daffe104f
- SSDEEP: 12288:OB+jxjYxBs/RPYdf2aCQeg1Mfpfm6ukJm9voPZqXStgi2Tz:OSjeG/usvQFMfQmJmVsZ/C/
Malware Config
Extracted
hancitor
0710_pkrdv
http://strictence.com/8/forum.php
http://wimberels.ru/8/forum.php
http://cithernista.ru/8/forum.php
Signatures
-
Hancitor
Hancitor is a downloader used to deliver other malware families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: rundll32.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 1480 | 1124 | rundll32.exe | WINWORD.EXE
-
Blocklisted process makes network request 1 IoCs
Processes: rundll32.exe
  flow | pid | process
  56 | 2388 | rundll32.exe
-
Loads dropped DLL 1 IoCs
Processes: rundll32.exe
  pid | process
  2388 | rundll32.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  55 | api.ipify.org
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
-
NTFS ADS 2 IoCs
Processes: WINWORD.EXE
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\{BC573474-A67D-4062-A552-68857CBE9E64}\zoro.kl:Zone.Identifier | WINWORD.EXE
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\{BC573474-A67D-4062-A552-68857CBE9E64}\gelfor.dap:Zone.Identifier | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
  pid | process
  1124 | WINWORD.EXE (2 entries)
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: rundll32.exe
  pid | process
  2388 | rundll32.exe (2 entries)
-
Suspicious use of SetWindowsHookEx 16 IoCs
Processes: WINWORD.EXE
  pid | process
  1124 | WINWORD.EXE (16 entries)
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes: WINWORD.EXE, rundll32.exe
  description | pid | process | target process
  PID 1124 wrote to memory of 4860 | 1124 | WINWORD.EXE | splwow64.exe (2 entries)
  PID 1124 wrote to memory of 1480 | 1124 | WINWORD.EXE | rundll32.exe (2 entries)
  PID 1480 wrote to memory of 2388 | 1480 | rundll32.exe | rundll32.exe (3 entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\81c4485a834880c3becd7e3eefd841a3.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1124
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 4860
  - C:\Windows\SYSTEM32\rundll32.exe
    Command line: rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\gelforr.dap,CBVBXIFEAWN
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    PID: 1480
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\gelforr.dap,CBVBXIFEAWN
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      PID: 2388
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4KB
  MD5: 4fdbdbea9a28741ed9f8094f6ec88cd8
  SHA1: 044ae1449f0c7802273d050e836255c3d39cc2e8
  SHA256: 59388fdf2fd0cf29043059eac189ab2832f8fff5bb4f6f974456ea37ca61f9e4
  SHA512: a24fc69f35d474feeab212315c9414d52b36e3b661eaab80970b64540cdff6ca536297b872c7d8d6ebef5491048f2592b43aa1637f7b999ac32220b39f61619f
- Filesize: 4KB
  MD5: 0d086ac2dd40e23a8b5e5a45857436b6
  SHA1: 7ecde15ab361d7543199e009199b050175bd7c15
  SHA256: 034db7e2f2dd149beb63e78cc4eb210e6e5a2a85ab98858537ce5fa572c20b03
  SHA512: 20648e8a408dceaa571b099471f102754a9d5c9455453ae82b54bb7571626960a9ec030ab6f0c27c6b09603e61293f080491ef7ffb77ff5128b45a07ce0f632a
- Filesize: 241B
  MD5: f5310e4d57eb4bfd0514b4070f46def9
  SHA1: 69392ae127b33f86e844982957a6d761d5368603
  SHA256: 2c8c3924add47db70a6449b6b493f71f6d045b7cb156bd2112a67724e5fad50c
  SHA512: 489cc600baa5d96584c1f40cc9eac34138543ed1325c7b109523cbd1028a880cddbc6c49ce089c961d157890a50c1761436facf83c46d87cbf21ca1ebbb54726
- Filesize: 242KB
  MD5: a9f3f37f2b708c5bf3939fe5171ff5e9
  SHA1: fb217ca0f6a0bf004c9a4eaf4ffe789556aebf81
  SHA256: 32b025ef95aee1a9a2a24a7df37a833431d6331b442bb5cb7e86499e4e5c51ea
  SHA512: 596eae8125a8530d0629e6d371abbef6af5b388d60be999cb1bd86343b0f15846a462d548af27679d73f7fccafdf080a5ebcd9559e83029d427b7493ffc98b78
- Filesize: 379KB
  MD5: bbd29e739b97fe15d72d58471019e7eb
  SHA1: d0557e06b22ee0706ece4cc7559136da70267006
  SHA256: ede4c71a7d7a09d4da1860cbfec4a0a02104b510eb359883e3276a018f39ead8
  SHA512: c9e658549939bde3817c1f0c06c1dbe0e6b9fb75799e5d95d62c046416dd5b21bf05721c4cac871a5f2e685a2e7556ec48988f6cbbe44e8278fce8a9f595e69c