Malware Analysis Report

2024-10-19 02:46

Sample ID 240107-dafc3schfp
Target 840000.dll
SHA256 9a6b2a199af672934bc1de34dd9c668bbe5106c3d6e4889cf2c8170ad4f9d2f6
Tags
1101_jh372 hancitor
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9a6b2a199af672934bc1de34dd9c668bbe5106c3d6e4889cf2c8170ad4f9d2f6

Threat Level: Known bad

The file 840000.dll was found to be: Known bad.

Malicious Activity Summary

1101_jh372 hancitor

Hancitor family

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-07 02:48

Signatures

Hancitor family

hancitor

Unsigned PE

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 02:48

Reported

2024-01-07 02:52

Platform

win10-20231215-en

Max time kernel

193s

Max time network

205s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\840000.dll

Signatures

Suspicious behavior: EnumeratesProcesses

Description   Indicator   Process                            Target
N/A           N/A         C:\Windows\SysWOW64\regsvr32.exe   N/A
N/A           N/A         C:\Windows\SysWOW64\regsvr32.exe   N/A

Suspicious use of WriteProcessMemory

Description                        Indicator   Process                            Target
PID 2808 wrote to memory of 2208   N/A         C:\Windows\system32\regsvr32.exe   C:\Windows\SysWOW64\regsvr32.exe
PID 2808 wrote to memory of 2208   N/A         C:\Windows\system32\regsvr32.exe   C:\Windows\SysWOW64\regsvr32.exe
PID 2808 wrote to memory of 2208   N/A         C:\Windows\system32\regsvr32.exe   C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\840000.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\840000.dll

Network

Country   Destination   Domain                                                                      Proto
US        8.8.8.8:53    0.0.0.0.0.0.0.0.0.0.0.0.4.5.3.e.0.0.2.0.0.0.6.0.8.0.8.0.8.0.8.0.ip6.arpa   udp
US        8.8.8.8:53    8.8.8.8.in-addr.arpa                                                        udp
US        8.8.8.8:53    23.236.111.52.in-addr.arpa                                                  udp
US        8.8.8.8:53    28.73.42.20.in-addr.arpa                                                    udp
US        8.8.8.8:53    194.178.17.96.in-addr.arpa                                                  udp

Files

N/A