hancitor | 643aac263025e8b90c9458a56508d49624e504c0dbf20bdc06f7630cf89d9035

Analysis

max time kernel
28s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2024 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4302bf2881c2ede737ae438fb4427f01.doc
Size

431KB
MD5

4302bf2881c2ede737ae438fb4427f01
SHA1

a24199b5c55e2b8c35186d9d6189f36d15540bae
SHA256

643aac263025e8b90c9458a56508d49624e504c0dbf20bdc06f7630cf89d9035
SHA512

42c9f44fd937773ba546dfb11cbae0b77aad5615b8f2bb3c92c04cc30567c51f7f19549baa3ad88637808753b39ded6d283e884e1091e9bab4de4f5a93114a8d
SSDEEP

12288:ZV9iQsDr8NqClDfKTFi1w06/vbOes1AOrk4U:ZVXkr8NTNfKB30AOesoT

Score

10^/10

hancitor 3008_hsdj8 downloader

Malware Config

Extracted

Family

hancitor

Botnet

3008_hsdj8

http://buichely.com/8/forum.php

http://gratimen.ru/8/forum.php

http://waliteriter.ru/8/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	704	1504	rundll32.exe	WINWORD.EXE

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

74 api.ipify.org
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WINWORD.EXE

pid process

1504 WINWORD.EXE

flow	ioc
74	api.ipify.org

pid	process
1504	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4302bf2881c2ede737ae438fb4427f01.doc" /o ""
1⤵
- Suspicious use of SetWindowsHookEx
PID:1504
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1244
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 c:\users\admin\appdata\roaming\microsoft\templates\yefff.dll,QIHTXYFJRAN
  2⤵
  - Process spawned unexpected child process
  PID:704
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 c:\users\admin\appdata\roaming\microsoft\templates\yefff.dll,QIHTXYFJRAN
    3⤵
    PID:3164

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D9B7F0BD.emf

Filesize
4KB

MD5
3fac4c2bc0e1df2f9a22e89586420bbf

SHA1
d84959d54a4d8f0e9b4a524df7717f855949abaf

SHA256
1531ad8a66f69bdabe341d23ce2478278044e778c0731e7f1a38eb968aaadc3a

SHA512
78b212c950350aa49b10a058c40eacf505a30aa9789f0039a29cbf0a146fda0585ec161dd9e9cf2ec3bd1b134a200dc356d34596e7a814385c875ac82c86d8f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DAB7879A.emf

Filesize
4KB

MD5
5977f22dbb4b6bc8c6798e3a8c75f5c8

SHA1
19f61da7a6b6d15eaa4b474512cc99f0702e76b1

SHA256
9eee0b9a1660e1fd140def0e4b8a9ab6a08b0cebcb392638dd8b0df970290378

SHA512
f74e7259cf8a9f03061b5d881e01d37cea61520825c663dfd1b45cff032d7b2c6ce36d17a8b9fc17ab0b6be0baee0e0b8a7b3ab8469530c573ee5389c5cc8106

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
241B

MD5
8963cb4123157464aa66928b3a910108

SHA1
b9624233909e2bd04742654ba82288ab60528e73

SHA256
59b4b5d813cd6d08d5895317ada4f6e5835286d7ecdf324f142474f34a22c565

SHA512
87799850de5ae1d4f7aca70c22e68f873e6440565895dd7a029b9bde9af6004d09b9338b398aec43c9cc2eb9e78844edf8fde45c2efe8c7d97e8bbb783763f6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\glib.doc

Filesize
250KB

MD5
4e60aabe27e29e76b4020bcdbc796267

SHA1
fee8b7619fa44dbb36a4b034f7f077969897346b

SHA256
03efbcefa7c95f034a3bfe3d33406f1717977b5bfe53e130d70367f2896032f1

SHA512
cff4d117508427c02bec0d317ebfe4a0b7a08c2e3c0e5bf92bb07e8e4c025a59134f13dc22157b2eee69cecea91ff9eb6f6992166414e2b05c25dabb71c7c1a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\yefff.dll

Filesize
21KB

MD5
469f7b38028e6f0e5237c7748f1ebddf

SHA1
66ee62090fe2181c99bbce48c7afe10befdf0813

SHA256
c07d2438a99b65c9e92ed8848c3070a1cac2d871d71467d2794a3bdc2d54a8a4

SHA512
9204c4a05737f41f56e53461535cb071b8068ffff6e38f3e6c821df0608593c557129d0407598b9e075f191ca65856606e37b75dabfa32f4ff01817b06634546

Download Submit
\??\c:\users\admin\appdata\roaming\microsoft\templates\yefff.dll

Filesize
335KB

MD5
9ea5c5e87651e0f447ff1eb8d8029c87

SHA1
b24df6220c5334b16effdc8580bac85444653918

SHA256
c4de3e2af1fa741865c51ff2e151c2e2bee873f77bfce8fc2a2bb2785da6bb32

SHA512
206e1b2f7d454af7bc052c79c7a80459a276c10ec67f0fe39a2ecfa9db35a27d9d6045c66d874cc7fb34688fd8afca1edd331b2e173c403013cce7130bfdd912

Download Submit
memory/1504-114-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-181-0x00007FFA17D50000-0x00007FFA17F45000-memory.dmp

Filesize
2.0MB

Download
memory/1504-116-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-9-0x00007FF9D5470000-0x00007FF9D5480000-memory.dmp

Filesize
64KB

Download
memory/1504-10-0x00007FF9D5470000-0x00007FF9D5480000-memory.dmp

Filesize
64KB

Download
memory/1504-26-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-33-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-34-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-47-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-8-0x00007FFA17D50000-0x00007FFA17F45000-memory.dmp

Filesize
2.0MB

Download
memory/1504-58-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-59-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-60-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-3-0x00007FFA17D50000-0x00007FFA17F45000-memory.dmp

Filesize
2.0MB

Download
memory/1504-87-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-89-0x00007FFA17D50000-0x00007FFA17F45000-memory.dmp

Filesize
2.0MB

Download
memory/1504-90-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-6-0x00007FF9D7DD0000-0x00007FF9D7DE0000-memory.dmp

Filesize
64KB

Download
memory/1504-94-0x00007FFA17D50000-0x00007FFA17F45000-memory.dmp

Filesize
2.0MB

Download
memory/1504-98-0x00007FFA17D50000-0x00007FFA17F45000-memory.dmp

Filesize
2.0MB

Download
memory/1504-99-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-107-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-110-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-5-0x00007FFA17D50000-0x00007FFA17F45000-memory.dmp

Filesize
2.0MB

Download
memory/1504-0-0x00007FF9D7DD0000-0x00007FF9D7DE0000-memory.dmp

Filesize
64KB

Download
memory/1504-115-0x000001F638740000-0x000001F639710000-memory.dmp

Filesize
15.8MB

Download
memory/1504-2-0x00007FF9D7DD0000-0x00007FF9D7DE0000-memory.dmp

Filesize
64KB

Download
memory/1504-7-0x00007FFA17D50000-0x00007FFA17F45000-memory.dmp

Filesize
2.0MB

Download
memory/1504-175-0x00007FF9D7DD0000-0x00007FF9D7DE0000-memory.dmp

Filesize
64KB

Download
memory/1504-121-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-4-0x00007FF9D7DD0000-0x00007FF9D7DE0000-memory.dmp

Filesize
64KB

Download
memory/1504-123-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-124-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-125-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-126-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-127-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-130-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-1-0x00007FF9D7DD0000-0x00007FF9D7DE0000-memory.dmp

Filesize
64KB

Download
memory/1504-138-0x000001F638740000-0x000001F639710000-memory.dmp

Filesize
15.8MB

Download
memory/1504-139-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-177-0x00007FF9D7DD0000-0x00007FF9D7DE0000-memory.dmp

Filesize
64KB

Download
memory/1504-179-0x00007FF9D7DD0000-0x00007FF9D7DE0000-memory.dmp

Filesize
64KB

Download
memory/1504-180-0x00007FFA17D50000-0x00007FFA17F45000-memory.dmp

Filesize
2.0MB

Download
memory/1504-119-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-120-0x000001F631160000-0x000001F632130000-memory.dmp

Filesize
15.8MB

Download
memory/1504-183-0x00007FFA17D50000-0x00007FFA17F45000-memory.dmp

Filesize
2.0MB

Download
memory/1504-176-0x00007FF9D7DD0000-0x00007FF9D7DE0000-memory.dmp

Filesize
64KB

Download
memory/1504-182-0x00007FFA17D50000-0x00007FFA17F45000-memory.dmp

Filesize
2.0MB

Download
memory/3164-147-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/3164-145-0x00000000753C0000-0x000000007542C000-memory.dmp

Filesize
432KB

Download
memory/3164-141-0x00000000753C0000-0x000000007542C000-memory.dmp

Filesize
432KB

Download
memory/3164-142-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/3164-140-0x00000000753C0000-0x000000007542C000-memory.dmp

Filesize
432KB

Download
memory/3164-146-0x00000000753C0000-0x000000007542C000-memory.dmp

Filesize
432KB

Download