hancitor | 797fb35ec5ef998f910b1b488a3a394f0d2921e26f1625cd46bfc294800484a4

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b5b74ed8ca5f213d111ec2fced1f446.doc
Size

623KB
MD5

7b5b74ed8ca5f213d111ec2fced1f446
SHA1

ba9a35d82106d6c0ce5c50b4861e20c20cacac42
SHA256

797fb35ec5ef998f910b1b488a3a394f0d2921e26f1625cd46bfc294800484a4
SHA512

4e09f3001c4b8f43f45140e359c61242bd1106bfce527f60813c8a9101213ce0048f3be68d34a3a7289ecd68b900f72c760647b6c702f62c15a580779ea29836
SSDEEP

12288:7V9iQsDr8NJEUYfwg8I3HMzNK3Rb+jC4xU4Wht:7VXkr8NWUYhR3HMBK3RMet

Score

10^/10

hancitor 1908_jkdsf downloader

Malware Config

Extracted

Family

hancitor

Botnet

1908_jkdsf

http://thookedaurce.com/8/forum.php

http://foolockpary.ru/8/forum.php

http://usitemithe.ru/8/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3056	3044	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

26 4972 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

4972 rundll32.exe
4972 rundll32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 api.ipify.org

flow	pid	process
26	4972	rundll32.exe

pid	process
4972	rundll32.exe
4972	rundll32.exe

flow	ioc
25	api.ipify.org

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{4AE0EB43-42B5-40DA-B282-6E600B655049}\glib.bax:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{4AE0EB43-42B5-40DA-B282-6E600B655049}\jjy.dll:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3044 WINWORD.EXE
3044 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

4972 rundll32.exe
4972 rundll32.exe
4972 rundll32.exe
4972 rundll32.exe

pid	process
4972	rundll32.exe
4972	rundll32.exe
4972	rundll32.exe
4972	rundll32.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

WINWORD.EXErundll32.exe

description	pid	process	target process
PID 3044 wrote to memory of 2532	3044	WINWORD.EXE	splwow64.exe
PID 3044 wrote to memory of 2532	3044	WINWORD.EXE	splwow64.exe
PID 3044 wrote to memory of 3056	3044	WINWORD.EXE	rundll32.exe
PID 3044 wrote to memory of 3056	3044	WINWORD.EXE	rundll32.exe
PID 3056 wrote to memory of 4972	3056	rundll32.exe	rundll32.exe
PID 3056 wrote to memory of 4972	3056	rundll32.exe	rundll32.exe
PID 3056 wrote to memory of 4972	3056	rundll32.exe	rundll32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7b5b74ed8ca5f213d111ec2fced1f446.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2532
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 c:\users\admin\appdata\roaming\microsoft\templates\yefff.dll,KBLQIJOPAQU
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:3056

C:\Windows\SysWOW64\rundll32.exe
rundll32 c:\users\admin\appdata\roaming\microsoft\templates\yefff.dll,KBLQIJOPAQU
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4D14CB7F.emf

Filesize
4KB

MD5
6c83465ae5615219498deb5b90a19636

SHA1
369ccd9f4f41b26b7fc50cc444d76287e9fa2faf

SHA256
28b8a1e363936c69db757f7de3ba245fc423ae10584cf2a97c382a48892d75cd

SHA512
81a32dd2368f8769e74b01a25818b4207c357349d7972f157cce488c93cd0e154b468b285d2c4dae3e469ac2cba6d3cee489cae77f78b32f4ecfd8237bd04d1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8933E7F6.emf

Filesize
4KB

MD5
ebc0f126663622777d5d60b9f1227e31

SHA1
66b370d1ef561e41014651a7a84fecb34b3436a6

SHA256
0e70c20a370e518a45d9be1a791cee6de471cee1414817ade54c69e7d0721795

SHA512
b039f7c0c88e28a948da1cb226e75a9c245ab8557123869adad5be002065a394a73eafa5f6de6233cda1a294ee6d0fc7a99bde8f25cb5e54baf2a2a4592d5cfb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
241B

MD5
8963cb4123157464aa66928b3a910108

SHA1
b9624233909e2bd04742654ba82288ab60528e73

SHA256
59b4b5d813cd6d08d5895317ada4f6e5835286d7ecdf324f142474f34a22c565

SHA512
87799850de5ae1d4f7aca70c22e68f873e6440565895dd7a029b9bde9af6004d09b9338b398aec43c9cc2eb9e78844edf8fde45c2efe8c7d97e8bbb783763f6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\glib.doc

Filesize
26KB

MD5
b52f61535a31ca4d9faad38b1ccf4582

SHA1
6832e46fe7ec23d40a6b89f92da25a29bbbf0f8e

SHA256
9a05042694202e3197896a8041ba103eb3f6d4c02a4722b62c2b766cde87fd3e

SHA512
a910ff56c3f20456311177fd3db0ec8b2810403c5f6e2f46999cfbbf83b3469808f49fb295cdd13822c85f103b6346981bb681d42a7f637c4e35dcfd18b8beb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\yefff.dll

Filesize
823KB

MD5
28e594119e5081ef5504e241e4c72285

SHA1
794e8eae373570e15b563a0d3ae1ee042a64c313

SHA256
a84ce5f878d308a093823b638d997e9081a4aaae4ed8bfcad3372f99942de223

SHA512
6f91135533ed3e5c2294abcf631cee5e2b2f775b491ed5ca142f290653993edddac471822c4c6d2323ea0babab6dd403b04e06fbe51fbe9111c051f11422c57d

Download Submit
\??\c:\users\admin\appdata\roaming\microsoft\templates\yefff.dll

Filesize
758KB

MD5
7a1a46762f221164a02b2f0d8e3af8ae

SHA1
e63dbb954b683977764ad0cf1eaac49ef3e0f03d

SHA256
c040b49ac539248c12f33014e38c6f2bb764dce3c90f4cdaaf42f5e05aacae98

SHA512
6fd6a46ea7cd52afd0a784d29811c405062d13a2b09700938ecb91e1a73516bfd8fe5f5dd4970a5359813a5de94ab7353a8cd77491fd30f43dc42589db48fac0

Download Submit
memory/3044-104-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-12-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-8-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-10-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-9-0x00007FFE7DCA0000-0x00007FFE7DCB0000-memory.dmp

Filesize
64KB

Download
memory/3044-152-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-11-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-15-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-16-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-155-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-18-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-19-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-20-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-21-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-22-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-17-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-13-0x00007FFE7DCA0000-0x00007FFE7DCB0000-memory.dmp

Filesize
64KB

Download
memory/3044-24-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-36-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

Filesize
15.8MB

Download
memory/3044-42-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

Filesize
15.8MB

Download
memory/3044-45-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

Filesize
15.8MB

Download
memory/3044-49-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

Filesize
15.8MB

Download
memory/3044-57-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

Filesize
15.8MB

Download
memory/3044-6-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-72-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

Filesize
15.8MB

Download
memory/3044-73-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

Filesize
15.8MB

Download
memory/3044-5-0x00007FFE801B0000-0x00007FFE801C0000-memory.dmp

Filesize
64KB

Download
memory/3044-95-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

Filesize
15.8MB

Download
memory/3044-4-0x00007FFE801B0000-0x00007FFE801C0000-memory.dmp

Filesize
64KB

Download
memory/3044-0-0x00007FFE801B0000-0x00007FFE801C0000-memory.dmp

Filesize
64KB

Download
memory/3044-136-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

Filesize
15.8MB

Download
memory/3044-2-0x00007FFE801B0000-0x00007FFE801C0000-memory.dmp

Filesize
64KB

Download
memory/3044-3-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-231-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-228-0x00007FFE801B0000-0x00007FFE801C0000-memory.dmp

Filesize
64KB

Download
memory/3044-7-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-14-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-160-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-159-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-158-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-161-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-157-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-156-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-154-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-162-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-163-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-230-0x00007FFE801B0000-0x00007FFE801C0000-memory.dmp

Filesize
64KB

Download
memory/3044-229-0x00007FFE801B0000-0x00007FFE801C0000-memory.dmp

Filesize
64KB

Download
memory/3044-164-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-153-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-151-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-150-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-167-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

Filesize
15.8MB

Download
memory/3044-168-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

Filesize
15.8MB

Download
memory/3044-169-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

Filesize
15.8MB

Download
memory/3044-175-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

Filesize
15.8MB

Download
memory/3044-149-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

Filesize
2.0MB

Download
memory/3044-179-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

Filesize
15.8MB

Download
memory/3044-180-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

Filesize
15.8MB

Download
memory/3044-1-0x00007FFE801B0000-0x00007FFE801C0000-memory.dmp

Filesize
64KB

Download
memory/3044-187-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

Filesize
15.8MB

Download
memory/3044-189-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

Filesize
15.8MB

Download
memory/3044-191-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

Filesize
15.8MB

Download
memory/3044-227-0x00007FFE801B0000-0x00007FFE801C0000-memory.dmp

Filesize
64KB

Download
memory/4972-192-0x00000000024B0000-0x00000000024BA000-memory.dmp

Filesize
40KB

Download
memory/4972-178-0x00000000022D0000-0x00000000023A2000-memory.dmp

Filesize
840KB

Download
memory/4972-165-0x0000000000960000-0x0000000000968000-memory.dmp

Filesize
32KB

Download
memory/4972-166-0x00000000024B0000-0x00000000024BA000-memory.dmp

Filesize
40KB

Download
memory/4972-148-0x00000000022D0000-0x00000000023A2000-memory.dmp

Filesize
840KB

Download