Analysis
-
max time kernel
0s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
25-12-2023 01:03
Behavioral task
behavioral1
Sample
1f0284f54fe0a42692373246b30fe0b5.doc
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
1f0284f54fe0a42692373246b30fe0b5.doc
Resource
win10v2004-20231222-en
General
-
Target
1f0284f54fe0a42692373246b30fe0b5.doc
-
Size
950KB
-
MD5
1f0284f54fe0a42692373246b30fe0b5
-
SHA1
9b6b553fdd1df8a20ff97c5fb010b297050d2d00
-
SHA256
ba37749d25d949955d57888559e1e69bc1fa83ab38422b3e9e3fa70b52e567e1
-
SHA512
cdde4fc38bf713cbb1fa0398c33a86d107c64b8d28148d86aff5248448b64c18df3ecd02ba67d2748bb6a1d481324f7fa9b33086dbc2e111bf9b92f2fd476bfc
-
SSDEEP
24576:JEIZ4wA74D4SQKxZcy8gthDWjC4byh3/auWpkE0Wu:J+wJD4QZh/qeGy1aRSE0Wu
Malware Config
Extracted
hancitor
1407_bdgtq
http://wortlybeentax.com/8/forum.php
http://omermancto.ru/8/forum.php
http://metweveer.ru/8/forum.php
Signatures
-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4296 2132 rundll32.exe WINWORD.EXE -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 27 api.ipify.org -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
WINWORD.EXEpid process 2132 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1f0284f54fe0a42692373246b30fe0b5.doc" /o ""1⤵
- Suspicious use of SetWindowsHookEx
PID:2132 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:3428
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\roaming\microsoft\templates\ier.dll,HEEPUBQQNOG2⤵
- Process spawned unexpected child process
PID:4296 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\roaming\microsoft\templates\ier.dll,HEEPUBQQNOG3⤵PID:4040
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD50b7c6928219eda05ea042c41d551679d
SHA15507fe49a9d82726fe5ce4206d71c19ad65f0eff
SHA25604b3cbf2b5c0a5c1e93aab8719739c31d586d37ea1ff8ed2ac49aa99226005d3
SHA51261914450c8c12fdbad7b381fe23673b6ce5e5f5a141f2ecb36af52cf45edf2e1a7e077742c0e32198aee6d9a3bc07f2c9a6ab5b062d897332267e8a176ce9fc0
-
Filesize
65KB
MD518b779bdfd8cec757976d896c88ef1db
SHA10cb1f54fee9c5f797c0b52ef943ec5417a2eaad7
SHA2567ae33154ac78b75d7feaade4c2e60e281fef9c36524ee57c8a7f3976711df061
SHA512d9ab4f5bcbfe82c4c78a6a0c8e7f485578984d9bfbd157add5deaa40ea31f954a7e0737fd262fd519fd19d53114bd8153b74222932ddcf0f025f2b8fa806a143
-
Filesize
76KB
MD51baff1563115f09747f25f0c98c3d2b1
SHA168fa2171438eaf6322ba5262260afec202cd22bd
SHA256268f880fdcd763f76485d3fe9810b7074f1f07d57bcb851f955655acd197155e
SHA51251b388464c9a00877441fe3dad3c28509d3744ee75419fd7d8df560cd5db8c5fec08418163789cab1e9702b18657991bfb0e77026a4ff033d4300ecbd1db8962