hancitor | 1daf0bbe815341fd6e81fcf7685c519e25a70f29bab084d7f9e5cdb335622081

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01b4c1b05cda2b5f8683735cfd3169d6.doc
Size

431KB
MD5

01b4c1b05cda2b5f8683735cfd3169d6
SHA1

1fd8b0546820602d93b2f66abd6214ebe6b1dd17
SHA256

1daf0bbe815341fd6e81fcf7685c519e25a70f29bab084d7f9e5cdb335622081
SHA512

debd6396319466fac726ba9214129526e316876e7d6ca7b0335ed08c59d03ef1fad85fc9ad9a8ec98ea3a3b31d88b920953c1e43215426604ee4d03e3666e361
SSDEEP

12288:4V9iQsDr8NnClDfKTFi1w06/vbOes1AOrk4P:4VXkr8NCNfKB30AOesoI

Score

10^/10

hancitor 3008_hsdj8 downloader

Malware Config

Extracted

Family

hancitor

Botnet

3008_hsdj8

http://buichely.com/8/forum.php

http://gratimen.ru/8/forum.php

http://waliteriter.ru/8/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1048	2056	rundll32.exe	21

Blocklisted process makes network request 1 IoCs

flow	pid	Process
41	4004	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
4004	rundll32.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
40	api.ipify.org

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{7EB183B6-C547-4D5F-9000-A146636D77D4}\glib.bax:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{7EB183B6-C547-4D5F-9000-A146636D77D4}\jjy.dll:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2056	WINWORD.EXE
2056	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4004	rundll32.exe
4004	rundll32.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2056	WINWORD.EXE
2056	WINWORD.EXE
2056	WINWORD.EXE
2056	WINWORD.EXE
2056	WINWORD.EXE
2056	WINWORD.EXE
2056	WINWORD.EXE
2056	WINWORD.EXE
2056	WINWORD.EXE
2056	WINWORD.EXE
2056	WINWORD.EXE
2056	WINWORD.EXE
2056	WINWORD.EXE
2056	WINWORD.EXE
2056	WINWORD.EXE
2056	WINWORD.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 4724	2056	WINWORD.EXE	94
PID 2056 wrote to memory of 4724	2056	WINWORD.EXE	94
PID 2056 wrote to memory of 1048	2056	WINWORD.EXE	98
PID 2056 wrote to memory of 1048	2056	WINWORD.EXE	98
PID 1048 wrote to memory of 4004	1048	rundll32.exe	97
PID 1048 wrote to memory of 4004	1048	rundll32.exe	97
PID 1048 wrote to memory of 4004	1048	rundll32.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\01b4c1b05cda2b5f8683735cfd3169d6.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4724
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 c:\users\admin\appdata\roaming\microsoft\templates\yefff.dll,QIHTXYFJRAN
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:1048

C:\Windows\SysWOW64\rundll32.exe
rundll32 c:\users\admin\appdata\roaming\microsoft\templates\yefff.dll,QIHTXYFJRAN
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3EE92999.emf

Filesize
4KB

MD5
5977f22dbb4b6bc8c6798e3a8c75f5c8

SHA1
19f61da7a6b6d15eaa4b474512cc99f0702e76b1

SHA256
9eee0b9a1660e1fd140def0e4b8a9ab6a08b0cebcb392638dd8b0df970290378

SHA512
f74e7259cf8a9f03061b5d881e01d37cea61520825c663dfd1b45cff032d7b2c6ce36d17a8b9fc17ab0b6be0baee0e0b8a7b3ab8469530c573ee5389c5cc8106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C4B941F8.emf

Filesize
4KB

MD5
3fac4c2bc0e1df2f9a22e89586420bbf

SHA1
d84959d54a4d8f0e9b4a524df7717f855949abaf

SHA256
1531ad8a66f69bdabe341d23ce2478278044e778c0731e7f1a38eb968aaadc3a

SHA512
78b212c950350aa49b10a058c40eacf505a30aa9789f0039a29cbf0a146fda0585ec161dd9e9cf2ec3bd1b134a200dc356d34596e7a814385c875ac82c86d8f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
241B

MD5
8963cb4123157464aa66928b3a910108

SHA1
b9624233909e2bd04742654ba82288ab60528e73

SHA256
59b4b5d813cd6d08d5895317ada4f6e5835286d7ecdf324f142474f34a22c565

SHA512
87799850de5ae1d4f7aca70c22e68f873e6440565895dd7a029b9bde9af6004d09b9338b398aec43c9cc2eb9e78844edf8fde45c2efe8c7d97e8bbb783763f6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\glib.doc

Filesize
250KB

MD5
4e60aabe27e29e76b4020bcdbc796267

SHA1
fee8b7619fa44dbb36a4b034f7f077969897346b

SHA256
03efbcefa7c95f034a3bfe3d33406f1717977b5bfe53e130d70367f2896032f1

SHA512
cff4d117508427c02bec0d317ebfe4a0b7a08c2e3c0e5bf92bb07e8e4c025a59134f13dc22157b2eee69cecea91ff9eb6f6992166414e2b05c25dabb71c7c1a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\yefff.dll

Filesize
47KB

MD5
d1d83209fd6086fd6d184723bbb1ec2d

SHA1
00d587c4c6992dc2314361f2f9214af244b6061e

SHA256
3be5e2f484e6be59c1c0b6c4f107b6d4477a031e1fba93edcf839531c542b280

SHA512
1bcbef775cbd2eed0fe22ba9d1d51ebcea2c91cd4d47aec078a4ead97f970a09c077a56b9b30e8720eb41258091418ebff859f3e357f4f5ab431ada336c6dcdb

Download Submit
\??\c:\users\admin\appdata\roaming\microsoft\templates\yefff.dll

Filesize
110KB

MD5
43a09d519c944a9bd5fa447b1536f126

SHA1
ea4540a102a1718f30bc9dff8b1e33ea7c255e6f

SHA256
db57e46c2e92b4f4169acb4227c23f22ad8467a159c8b660b402f2ef7cb58d34

SHA512
055c8d59a09904a542b69ed7122341c3f8ea895df12cd382cade86b67c968b72b64bb126fa5aea76810ab375773a5e78e72acc1407d33cacad6920ee23ef626b

Download Submit
memory/2056-55-0x0000028554320000-0x00000285552F0000-memory.dmp

Filesize
15.8MB

Download
memory/2056-141-0x00007FFB039B0000-0x00007FFB03BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2056-9-0x00007FFB039B0000-0x00007FFB03BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2056-8-0x00007FFB039B0000-0x00007FFB03BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2056-13-0x00007FFB039B0000-0x00007FFB03BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2056-14-0x00007FFB039B0000-0x00007FFB03BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2056-12-0x00007FFB039B0000-0x00007FFB03BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2056-15-0x00007FFB039B0000-0x00007FFB03BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2056-11-0x00007FFB039B0000-0x00007FFB03BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2056-10-0x00007FFB039B0000-0x00007FFB03BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2056-16-0x00007FFAC1500000-0x00007FFAC1510000-memory.dmp

Filesize
64KB

Download
memory/2056-17-0x00007FFB039B0000-0x00007FFB03BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2056-18-0x00007FFAC1500000-0x00007FFAC1510000-memory.dmp

Filesize
64KB

Download
memory/2056-26-0x0000028554320000-0x00000285552F0000-memory.dmp

Filesize
15.8MB

Download
memory/2056-35-0x0000028554320000-0x00000285552F0000-memory.dmp

Filesize
15.8MB

Download
memory/2056-36-0x0000028554320000-0x00000285552F0000-memory.dmp

Filesize
15.8MB

Download
memory/2056-53-0x0000028554320000-0x00000285552F0000-memory.dmp

Filesize
15.8MB

Download
memory/2056-5-0x00007FFAC3A30000-0x00007FFAC3A40000-memory.dmp

Filesize
64KB

Download
memory/2056-54-0x0000028554320000-0x00000285552F0000-memory.dmp

Filesize
15.8MB

Download
memory/2056-0-0x00007FFAC3A30000-0x00007FFAC3A40000-memory.dmp

Filesize
64KB

Download
memory/2056-63-0x0000028554320000-0x00000285552F0000-memory.dmp

Filesize
15.8MB

Download
memory/2056-6-0x00007FFB039B0000-0x00007FFB03BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2056-3-0x00007FFAC3A30000-0x00007FFAC3A40000-memory.dmp

Filesize
64KB

Download
memory/2056-4-0x00007FFB039B0000-0x00007FFB03BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2056-2-0x00007FFB039B0000-0x00007FFB03BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2056-7-0x00007FFAC3A30000-0x00007FFAC3A40000-memory.dmp

Filesize
64KB

Download
memory/2056-144-0x00007FFB039B0000-0x00007FFB03BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2056-145-0x0000028554320000-0x00000285552F0000-memory.dmp

Filesize
15.8MB

Download
memory/2056-1-0x00007FFAC3A30000-0x00007FFAC3A40000-memory.dmp

Filesize
64KB

Download
memory/2056-153-0x00007FFB039B0000-0x00007FFB03BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2056-154-0x0000028554320000-0x00000285552F0000-memory.dmp

Filesize
15.8MB

Download
memory/2056-155-0x0000028554320000-0x00000285552F0000-memory.dmp

Filesize
15.8MB

Download
memory/2056-156-0x0000028554320000-0x00000285552F0000-memory.dmp

Filesize
15.8MB

Download
memory/2056-157-0x0000028554320000-0x00000285552F0000-memory.dmp

Filesize
15.8MB

Download
memory/2056-158-0x0000028554320000-0x00000285552F0000-memory.dmp

Filesize
15.8MB

Download
memory/2056-159-0x0000028554320000-0x00000285552F0000-memory.dmp

Filesize
15.8MB

Download
memory/2056-205-0x00007FFB039B0000-0x00007FFB03BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2056-203-0x00007FFB039B0000-0x00007FFB03BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2056-204-0x00007FFB039B0000-0x00007FFB03BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2056-202-0x00007FFAC3A30000-0x00007FFAC3A40000-memory.dmp

Filesize
64KB

Download
memory/2056-164-0x0000028554320000-0x00000285552F0000-memory.dmp

Filesize
15.8MB

Download
memory/2056-201-0x00007FFAC3A30000-0x00007FFAC3A40000-memory.dmp

Filesize
64KB

Download
memory/2056-199-0x00007FFAC3A30000-0x00007FFAC3A40000-memory.dmp

Filesize
64KB

Download
memory/2056-200-0x00007FFAC3A30000-0x00007FFAC3A40000-memory.dmp

Filesize
64KB

Download
memory/4004-166-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/4004-163-0x00000000748D0000-0x000000007493C000-memory.dmp

Filesize
432KB

Download
memory/4004-160-0x00000000748D0000-0x000000007493C000-memory.dmp

Filesize
432KB

Download
memory/4004-161-0x00000000748D0000-0x000000007493C000-memory.dmp

Filesize
432KB

Download
memory/4004-162-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download