hancitor | ba37749d25d949955d57888559e1e69bc1fa83ab38422b3e9e3fa70b52e567e1

Analysis

max time kernel
168s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f0284f54fe0a42692373246b30fe0b5.doc
Size

950KB
MD5

1f0284f54fe0a42692373246b30fe0b5
SHA1

9b6b553fdd1df8a20ff97c5fb010b297050d2d00
SHA256

ba37749d25d949955d57888559e1e69bc1fa83ab38422b3e9e3fa70b52e567e1
SHA512

cdde4fc38bf713cbb1fa0398c33a86d107c64b8d28148d86aff5248448b64c18df3ecd02ba67d2748bb6a1d481324f7fa9b33086dbc2e111bf9b92f2fd476bfc
SSDEEP

24576:JEIZ4wA74D4SQKxZcy8gthDWjC4byh3/auWpkE0Wu:J+wJD4QZh/qeGy1aRSE0Wu

Score

10^/10

hancitor 1407_bdgtq downloader

Malware Config

Extracted

Family

hancitor

Botnet

1407_bdgtq

http://wortlybeentax.com/8/forum.php

http://omermancto.ru/8/forum.php

http://metweveer.ru/8/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2228	2400	rundll32.exe	89

Blocklisted process makes network request 1 IoCs

flow	pid	Process
65	1700	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1700	rundll32.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
64	api.ipify.org

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{F5EA0FD5-4F76-487A-BF20-09FDACAD1757}\ter.dll:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2400	WINWORD.EXE
2400	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1700	rundll32.exe
1700	rundll32.exe
1700	rundll32.exe
1700	rundll32.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2400	WINWORD.EXE
2400	WINWORD.EXE
2400	WINWORD.EXE
2400	WINWORD.EXE
2400	WINWORD.EXE
2400	WINWORD.EXE
2400	WINWORD.EXE
2400	WINWORD.EXE
2400	WINWORD.EXE
2400	WINWORD.EXE
2400	WINWORD.EXE
2400	WINWORD.EXE
2400	WINWORD.EXE
2400	WINWORD.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2952	2400	WINWORD.EXE	94
PID 2400 wrote to memory of 2952	2400	WINWORD.EXE	94
PID 2400 wrote to memory of 2228	2400	WINWORD.EXE	97
PID 2400 wrote to memory of 2228	2400	WINWORD.EXE	97
PID 2228 wrote to memory of 1700	2228	rundll32.exe	98
PID 2228 wrote to memory of 1700	2228	rundll32.exe	98
PID 2228 wrote to memory of 1700	2228	rundll32.exe	98

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1f0284f54fe0a42692373246b30fe0b5.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2952
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\roaming\microsoft\templates\ier.dll,HEEPUBQQNOG
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\roaming\microsoft\templates\ier.dll,HEEPUBQQNOG
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1B6B16C4.emf

Filesize
4KB

MD5
0b7c6928219eda05ea042c41d551679d

SHA1
5507fe49a9d82726fe5ce4206d71c19ad65f0eff

SHA256
04b3cbf2b5c0a5c1e93aab8719739c31d586d37ea1ff8ed2ac49aa99226005d3

SHA512
61914450c8c12fdbad7b381fe23673b6ce5e5f5a141f2ecb36af52cf45edf2e1a7e077742c0e32198aee6d9a3bc07f2c9a6ab5b062d897332267e8a176ce9fc0

Download Submit
\??\c:\users\admin\appdata\roaming\microsoft\templates\ier.dll

Filesize
339KB

MD5
6e88693460e858812f76724c2aaf0b02

SHA1
001b2c586c9c0f98ae9a4da3e278345827e9d66a

SHA256
0f4ef8429d2627c474a3e593a6ebee7d3ab57ccd1db13be8539ae170479dfa79

SHA512
e82d639de5681f677603e9c3555b8057c852eabea7e07533eb0a4e4f77a1761df8f48605a7078de8c26c075ca67a53c17dadfb1cd3af1aa49fa860ac936f699d

Download Submit
memory/1700-97-0x0000000074FC0000-0x00000000750AE000-memory.dmp

Filesize
952KB

Download
memory/1700-92-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/1700-91-0x0000000074FC0000-0x00000000750AE000-memory.dmp

Filesize
952KB

Download
memory/2400-14-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-131-0x00007FFF58A70000-0x00007FFF58A80000-memory.dmp

Filesize
64KB

Download
memory/2400-8-0x00007FFF58A70000-0x00007FFF58A80000-memory.dmp

Filesize
64KB

Download
memory/2400-6-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-9-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-10-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-11-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-12-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-0-0x00007FFF58A70000-0x00007FFF58A80000-memory.dmp

Filesize
64KB

Download
memory/2400-15-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-13-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-16-0x00007FFF56140000-0x00007FFF56150000-memory.dmp

Filesize
64KB

Download
memory/2400-17-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-18-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-5-0x00007FFF58A70000-0x00007FFF58A80000-memory.dmp

Filesize
64KB

Download
memory/2400-20-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-21-0x00007FFF56140000-0x00007FFF56150000-memory.dmp

Filesize
64KB

Download
memory/2400-40-0x000001CA8CFC0000-0x000001CA8DF90000-memory.dmp

Filesize
15.8MB

Download
memory/2400-47-0x000001CA8CFC0000-0x000001CA8DF90000-memory.dmp

Filesize
15.8MB

Download
memory/2400-52-0x000001CA8CFC0000-0x000001CA8DF90000-memory.dmp

Filesize
15.8MB

Download
memory/2400-53-0x000001CA8CFC0000-0x000001CA8DF90000-memory.dmp

Filesize
15.8MB

Download
memory/2400-64-0x000001CA8CFC0000-0x000001CA8DF90000-memory.dmp

Filesize
15.8MB

Download
memory/2400-19-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-7-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-89-0x000001CA8CFC0000-0x000001CA8DF90000-memory.dmp

Filesize
15.8MB

Download
memory/2400-71-0x000001CA8CFC0000-0x000001CA8DF90000-memory.dmp

Filesize
15.8MB

Download
memory/2400-4-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-78-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-80-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-79-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-82-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-88-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-70-0x000001CA8CFC0000-0x000001CA8DF90000-memory.dmp

Filesize
15.8MB

Download
memory/2400-90-0x000001CA8CFC0000-0x000001CA8DF90000-memory.dmp

Filesize
15.8MB

Download
memory/2400-2-0x00007FFF58A70000-0x00007FFF58A80000-memory.dmp

Filesize
64KB

Download
memory/2400-3-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-93-0x000001CA8CFC0000-0x000001CA8DF90000-memory.dmp

Filesize
15.8MB

Download
memory/2400-94-0x000001CA8CFC0000-0x000001CA8DF90000-memory.dmp

Filesize
15.8MB

Download
memory/2400-95-0x000001CA8CFC0000-0x000001CA8DF90000-memory.dmp

Filesize
15.8MB

Download
memory/2400-96-0x000001CA8CFC0000-0x000001CA8DF90000-memory.dmp

Filesize
15.8MB

Download
memory/2400-1-0x00007FFF58A70000-0x00007FFF58A80000-memory.dmp

Filesize
64KB

Download
memory/2400-98-0x000001CA8CFC0000-0x000001CA8DF90000-memory.dmp

Filesize
15.8MB

Download
memory/2400-68-0x000001CA8CFC0000-0x000001CA8DF90000-memory.dmp

Filesize
15.8MB

Download
memory/2400-133-0x00007FFF58A70000-0x00007FFF58A80000-memory.dmp

Filesize
64KB

Download
memory/2400-134-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-132-0x00007FFF58A70000-0x00007FFF58A80000-memory.dmp

Filesize
64KB

Download
memory/2400-135-0x00007FFF989F0000-0x00007FFF98BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2400-130-0x00007FFF58A70000-0x00007FFF58A80000-memory.dmp

Filesize
64KB

Download