Malware Analysis Report

2024-10-19 02:46

Sample ID: 231219-xzwk5sdeh2
Target: 81c4485a834880c3becd7e3eefd841a3
SHA256: 87df253ffe9d319d5a315b3361a1d13553c3bc4bf233e5c93a8624b5993f4abe
Tags: macro macro_on_action hancitor 0710_pkrdv downloader
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 87df253ffe9d319d5a315b3361a1d13553c3bc4bf233e5c93a8624b5993f4abe

Threat Level: Known bad

The file 81c4485a834880c3becd7e3eefd841a3 was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action hancitor 0710_pkrdv downloader

Hancitor

Process spawned unexpected child process

Office macro that triggers on suspicious action

Blocklisted process makes network request

Suspicious Office macro

Loads dropped DLL

Looks up external IP address via web service

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

NTFS ADS

Uses Volume Shadow Copy WMI provider

Modifies registry class

Modifies Internet Explorer settings

Enumerates system info in registry

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-19 19:18

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-19 19:17
Reported: 2023-12-20 06:26
Platform: win7-20231215-en
Max time kernel: 145s
Max time network: 127s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\81c4485a834880c3becd7e3eefd841a3.doc"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\81c4485a834880c3becd7e3eefd841a3.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8B250B33.emf

MD5 0d086ac2dd40e23a8b5e5a45857436b6
SHA1 7ecde15ab361d7543199e009199b050175bd7c15
SHA256 034db7e2f2dd149beb63e78cc4eb210e6e5a2a85ab98858537ce5fa572c20b03
SHA512 20648e8a408dceaa571b099471f102754a9d5c9455453ae82b54bb7571626960a9ec030ab6f0c27c6b09603e61293f080491ef7ffb77ff5128b45a07ce0f632a

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-19 19:17
Reported: 2023-12-20 06:26
Platform: win10v2004-20231215-en
Max time kernel: 150s
Max time network: 152s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\81c4485a834880c3becd7e3eefd841a3.doc" /o ""

Signatures

Hancitor

downloader hancitor

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\SYSTEM32\rundll32.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\{BC573474-A67D-4062-A552-68857CBE9E64}\zoro.kl:Zone.Identifier C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\{BC573474-A67D-4062-A552-68857CBE9E64}\gelfor.dap:Zone.Identifier C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\81c4485a834880c3becd7e3eefd841a3.doc" /o ""

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SYSTEM32\rundll32.exe

rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\gelforr.dap,CBVBXIFEAWN

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\gelforr.dap,CBVBXIFEAWN

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 6.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.237.62.212:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | strictence.com | udp |
| US | 8.8.8.8:53 | wimberels.ru | udp |
| US | 8.8.8.8:53 | cithernista.ru | udp |
| US | 8.8.8.8:53 | 212.62.237.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\zoro.doc

MD5 a9f3f37f2b708c5bf3939fe5171ff5e9
SHA1 fb217ca0f6a0bf004c9a4eaf4ffe789556aebf81
SHA256 32b025ef95aee1a9a2a24a7df37a833431d6331b442bb5cb7e86499e4e5c51ea
SHA512 596eae8125a8530d0629e6d371abbef6af5b388d60be999cb1bd86343b0f15846a462d548af27679d73f7fccafdf080a5ebcd9559e83029d427b7493ffc98b78

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 f5310e4d57eb4bfd0514b4070f46def9
SHA1 69392ae127b33f86e844982957a6d761d5368603
SHA256 2c8c3924add47db70a6449b6b493f71f6d045b7cb156bd2112a67724e5fad50c
SHA512 489cc600baa5d96584c1f40cc9eac34138543ed1325c7b109523cbd1028a880cddbc6c49ce089c961d157890a50c1761436facf83c46d87cbf21ca1ebbb54726

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\52C9168.emf

MD5 4fdbdbea9a28741ed9f8094f6ec88cd8
SHA1 044ae1449f0c7802273d050e836255c3d39cc2e8
SHA256 59388fdf2fd0cf29043059eac189ab2832f8fff5bb4f6f974456ea37ca61f9e4
SHA512 a24fc69f35d474feeab212315c9414d52b36e3b661eaab80970b64540cdff6ca536297b872c7d8d6ebef5491048f2592b43aa1637f7b999ac32220b39f61619f

\??\c:\users\admin\appdata\roaming\microsoft\templates\gelforr.dap

MD5 bbd29e739b97fe15d72d58471019e7eb
SHA1 d0557e06b22ee0706ece4cc7559136da70267006
SHA256 ede4c71a7d7a09d4da1860cbfec4a0a02104b510eb359883e3276a018f39ead8
SHA512 c9e658549939bde3817c1f0c06c1dbe0e6b9fb75799e5d95d62c046416dd5b21bf05721c4cac871a5f2e685a2e7556ec48988f6cbbe44e8278fce8a9f595e69c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B9674C43.emf

MD5 0d086ac2dd40e23a8b5e5a45857436b6
SHA1 7ecde15ab361d7543199e009199b050175bd7c15
SHA256 034db7e2f2dd149beb63e78cc4eb210e6e5a2a85ab98858537ce5fa572c20b03
SHA512 20648e8a408dceaa571b099471f102754a9d5c9455453ae82b54bb7571626960a9ec030ab6f0c27c6b09603e61293f080491ef7ffb77ff5128b45a07ce0f632a