hancitor | 61087666bed01cbb77395f6ed60b48f5d45211e42c2eaf2bd51514cb736963a7

Analysis

max time kernel
138s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2024 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

download(1).doc
Size

1.3MB
MD5

14f4c470c207e22c3b0a4efa7b4200e8
SHA1

21180195396580a9ade32b589490cf3bc94d3b5b
SHA256

0b22278ddb598d63f07eb983bcf307e0852cd3005c5bc15d4a4f26455562c8ec
SHA512

4adc4275a9105bf94bdce4b9d5821026d99a4adf16579b1b2b23495efbd55cc7bc90a129248a9902c7c75828eac9ac665c8a34c203b428748d9f7b8a80b76823
SSDEEP

24576:nEIjrPUaphvGvGUZ93/semhXp7AsWIKHaY8k5faaboEy6r8zz1:n/jhvGvGU93097AFIKbv0WY/1

Score

10^/10

hancitor 2405_pin43 downloader

Malware Config

Extracted

Family

hancitor

Botnet

2405_pin43

http://thowerteigime.com/8/forum.php

http://euvereginumet.ru/8/forum.php

http://rhopulforopme.ru/8/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4324	1252	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

54 3676 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

3676 rundll32.exe
3676 rundll32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

53 api.ipify.org

flow	pid	process
54	3676	rundll32.exe

pid	process
3676	rundll32.exe
3676	rundll32.exe

flow	ioc
53	api.ipify.org

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

OpenWith.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings OpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{BA864B45-5605-4345-8844-F3FA396D822A}\jax.k:Zone.Identifier	WINWORD.EXE

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4328 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1252 WINWORD.EXE
1252 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3676 rundll32.exe
3676 rundll32.exe

pid	process
4328	NOTEPAD.EXE

pid	process
3676	rundll32.exe
3676	rundll32.exe

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

WINWORD.EXEOpenWith.exe

pid	process
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
2492	OpenWith.exe
2492	OpenWith.exe
2492	OpenWith.exe
2492	OpenWith.exe
2492	OpenWith.exe
2492	OpenWith.exe
2492	OpenWith.exe
2492	OpenWith.exe
2492	OpenWith.exe
2492	OpenWith.exe
2492	OpenWith.exe
2492	OpenWith.exe
2492	OpenWith.exe
2492	OpenWith.exe
2492	OpenWith.exe
2492	OpenWith.exe
2492	OpenWith.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

WINWORD.EXErundll32.exeOpenWith.exe

description	pid	process	target process
PID 1252 wrote to memory of 436	1252	WINWORD.EXE	splwow64.exe
PID 1252 wrote to memory of 436	1252	WINWORD.EXE	splwow64.exe
PID 1252 wrote to memory of 4324	1252	WINWORD.EXE	rundll32.exe
PID 1252 wrote to memory of 4324	1252	WINWORD.EXE	rundll32.exe
PID 4324 wrote to memory of 3676	4324	rundll32.exe	rundll32.exe
PID 4324 wrote to memory of 3676	4324	rundll32.exe	rundll32.exe
PID 4324 wrote to memory of 3676	4324	rundll32.exe	rundll32.exe
PID 2492 wrote to memory of 4328	2492	OpenWith.exe	NOTEPAD.EXE
PID 2492 wrote to memory of 4328	2492	OpenWith.exe	NOTEPAD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\download(1).doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:436
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32.exe c:\users\admin\appdata\roaming\microsoft\word\startup\ket.t,EUAYKIYBPAX
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe c:\users\admin\appdata\roaming\microsoft\word\startup\ket.t,EUAYKIYBPAX
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:3676

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1396

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ket.t
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\79C4697E.emf

Filesize
4KB

MD5
511ef60e1f58994de2f954faece5383f

SHA1
f0e2e52ad5b55758760ea475892ebf3c9085d333

SHA256
5f9b76346c88e6aa464b68e994dd0f9edd321c40b7937233c589ec8751f4fb97

SHA512
22145223b60c2dddfe8fe4f835f68b460dfaaaf85dff4274a43389ed5bf23187ff5cd118abe7fe4a893a381a6f82a4c00acf38d8053326916d4fb0654a79de36

Download Submit
\??\c:\users\admin\appdata\roaming\microsoft\word\startup\ket.t

Filesize
704KB

MD5
9dc6f214fc82d637de2f68f3c519d339

SHA1
aaa425f7377d405bea59b8adfb65afc0c8869886

SHA256
2a8b737a4752060a308c4312b7c0cf6c05cde5b370906286dea9cdd36f5aa613

SHA512
5cb0a6f3ab48e5127d5c9f638c035dd4b3a97f3eb31334d5bc3eeafc164b31540fea65d6e40abfac8566676c43e954f567dbc2af81a629b4059af7e466d75bef

Download Submit
memory/1252-58-0x00007FFCC6AB0000-0x00007FFCC6CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1252-51-0x000001F8D2330000-0x000001F8D3300000-memory.dmp

Filesize
15.8MB

Download
memory/1252-3-0x00007FFCC6AB0000-0x00007FFCC6CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1252-6-0x00007FFC86B30000-0x00007FFC86B40000-memory.dmp

Filesize
64KB

Download
memory/1252-5-0x00007FFC86B30000-0x00007FFC86B40000-memory.dmp

Filesize
64KB

Download
memory/1252-7-0x00007FFCC6AB0000-0x00007FFCC6CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1252-8-0x00007FFCC6AB0000-0x00007FFCC6CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1252-9-0x00007FFCC6AB0000-0x00007FFCC6CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1252-10-0x00007FFCC6AB0000-0x00007FFCC6CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1252-11-0x00007FFCC6AB0000-0x00007FFCC6CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1252-12-0x00007FFCC6AB0000-0x00007FFCC6CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1252-13-0x00007FFCC6AB0000-0x00007FFCC6CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1252-14-0x00007FFC84470000-0x00007FFC84480000-memory.dmp

Filesize
64KB

Download
memory/1252-15-0x00007FFC84470000-0x00007FFC84480000-memory.dmp

Filesize
64KB

Download
memory/1252-30-0x00007FFCC6AB0000-0x00007FFCC6CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1252-35-0x000001F8D2330000-0x000001F8D3300000-memory.dmp

Filesize
15.8MB

Download
memory/1252-0-0x00007FFC86B30000-0x00007FFC86B40000-memory.dmp

Filesize
64KB

Download
memory/1252-47-0x00007FFCC6AB0000-0x00007FFCC6CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1252-49-0x00007FFCC6AB0000-0x00007FFCC6CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1252-102-0x000001F8D2330000-0x000001F8D3300000-memory.dmp

Filesize
15.8MB

Download
memory/1252-56-0x000001F8D2330000-0x000001F8D3300000-memory.dmp

Filesize
15.8MB

Download
memory/1252-57-0x000001F8D2330000-0x000001F8D3300000-memory.dmp

Filesize
15.8MB

Download
memory/1252-77-0x000001F8D2330000-0x000001F8D3300000-memory.dmp

Filesize
15.8MB

Download
memory/1252-4-0x00007FFC86B30000-0x00007FFC86B40000-memory.dmp

Filesize
64KB

Download
memory/1252-41-0x00007FFCC6AB0000-0x00007FFCC6CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1252-81-0x000001F8D2330000-0x000001F8D3300000-memory.dmp

Filesize
15.8MB

Download
memory/1252-2-0x00007FFC86B30000-0x00007FFC86B40000-memory.dmp

Filesize
64KB

Download
memory/1252-82-0x000001F8D2330000-0x000001F8D3300000-memory.dmp

Filesize
15.8MB

Download
memory/1252-59-0x000001F8D2330000-0x000001F8D3300000-memory.dmp

Filesize
15.8MB

Download
memory/1252-86-0x000001F8D2330000-0x000001F8D3300000-memory.dmp

Filesize
15.8MB

Download
memory/1252-107-0x000001F8D2330000-0x000001F8D3300000-memory.dmp

Filesize
15.8MB

Download
memory/1252-90-0x000001F8D2330000-0x000001F8D3300000-memory.dmp

Filesize
15.8MB

Download
memory/1252-1-0x00007FFCC6AB0000-0x00007FFCC6CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1252-96-0x000001F8D2330000-0x000001F8D3300000-memory.dmp

Filesize
15.8MB

Download
memory/1252-106-0x000001F8D2330000-0x000001F8D3300000-memory.dmp

Filesize
15.8MB

Download
memory/1252-98-0x000001F8D2330000-0x000001F8D3300000-memory.dmp

Filesize
15.8MB

Download
memory/1252-99-0x000001F8D2330000-0x000001F8D3300000-memory.dmp

Filesize
15.8MB

Download
memory/1252-103-0x000001F8D2330000-0x000001F8D3300000-memory.dmp

Filesize
15.8MB

Download
memory/3676-112-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/3676-101-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/3676-104-0x00000000001F0000-0x00000000001FA000-memory.dmp

Filesize
40KB

Download
memory/3676-105-0x0000000000A80000-0x0000000000B34000-memory.dmp

Filesize
720KB

Download
memory/3676-97-0x0000000000A80000-0x0000000000B34000-memory.dmp

Filesize
720KB

Download
memory/3676-87-0x0000000000A80000-0x0000000000B34000-memory.dmp

Filesize
720KB

Download
memory/3676-85-0x0000000000A80000-0x0000000000B34000-memory.dmp

Filesize
720KB

Download
memory/3676-114-0x00000000001F0000-0x00000000001FA000-memory.dmp

Filesize
40KB

Download