Malware Analysis Report

2024-10-19 02:48

Sample ID 240127-1lex1sefgn
Target 7b5b74ed8ca5f213d111ec2fced1f446
SHA256 797fb35ec5ef998f910b1b488a3a394f0d2921e26f1625cd46bfc294800484a4
Tags
macro macro_on_action hancitor 1908_jkdsf downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

797fb35ec5ef998f910b1b488a3a394f0d2921e26f1625cd46bfc294800484a4

Threat Level: Known bad

The file 7b5b74ed8ca5f213d111ec2fced1f446 was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action hancitor 1908_jkdsf downloader

Hancitor

Process spawned unexpected child process

Office macro that triggers on suspicious action

Blocklisted process makes network request

Suspicious Office macro

Loads dropped DLL

Looks up external IP address via web service

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

NTFS ADS

Enumerates system info in registry

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Uses Volume Shadow Copy WMI provider

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-27 21:43

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-27 21:43

Reported

2024-01-27 21:46

Platform

win7-20231129-en

Max time kernel

144s

Max time network

119s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7b5b74ed8ca5f213d111ec2fced1f446.doc"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7b5b74ed8ca5f213d111ec2fced1f446.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/640-0-0x000000002FFA1000-0x000000002FFA2000-memory.dmp

memory/640-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/640-2-0x0000000070DAD000-0x0000000070DB8000-memory.dmp

memory/640-6-0x0000000000760000-0x0000000000860000-memory.dmp

memory/640-7-0x0000000000760000-0x0000000000860000-memory.dmp

memory/640-8-0x0000000000760000-0x0000000000860000-memory.dmp

memory/640-10-0x0000000000760000-0x0000000000860000-memory.dmp

memory/640-21-0x00000000057A0000-0x00000000058A0000-memory.dmp

memory/640-24-0x0000000000760000-0x0000000000860000-memory.dmp

memory/640-25-0x0000000000760000-0x0000000000860000-memory.dmp

memory/640-23-0x0000000000760000-0x0000000000860000-memory.dmp

memory/640-29-0x00000000057A0000-0x00000000058A0000-memory.dmp

memory/640-30-0x00000000057A0000-0x00000000058A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E049C628.emf

MD5 ebc0f126663622777d5d60b9f1227e31
SHA1 66b370d1ef561e41014651a7a84fecb34b3436a6
SHA256 0e70c20a370e518a45d9be1a791cee6de471cee1414817ade54c69e7d0721795
SHA512 b039f7c0c88e28a948da1cb226e75a9c245ab8557123869adad5be002065a394a73eafa5f6de6233cda1a294ee6d0fc7a99bde8f25cb5e54baf2a2a4592d5cfb

memory/640-48-0x0000000070DAD000-0x0000000070DB8000-memory.dmp

memory/640-49-0x0000000000760000-0x0000000000860000-memory.dmp

memory/640-50-0x00000000057A0000-0x00000000058A0000-memory.dmp

memory/640-51-0x00000000057A0000-0x00000000058A0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-27 21:43

Reported

2024-01-27 21:46

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7b5b74ed8ca5f213d111ec2fced1f446.doc" /o ""

Signatures

Hancitor

downloader hancitor

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\SYSTEM32\rundll32.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\{4AE0EB43-42B5-40DA-B282-6E600B655049}\glib.bax:Zone.Identifier C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\{4AE0EB43-42B5-40DA-B282-6E600B655049}\jjy.dll:Zone.Identifier C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7b5b74ed8ca5f213d111ec2fced1f446.doc" /o ""

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\rundll32.exe

rundll32 c:\users\admin\appdata\roaming\microsoft\templates\yefff.dll,KBLQIJOPAQU

C:\Windows\SYSTEM32\rundll32.exe

rundll32 c:\users\admin\appdata\roaming\microsoft\templates\yefff.dll,KBLQIJOPAQU

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 173.231.16.75:80 api.ipify.org tcp
US 8.8.8.8:53 thookedaurce.com udp
US 8.8.8.8:53 foolockpary.ru udp
US 8.8.8.8:53 usitemithe.ru udp
US 8.8.8.8:53 75.16.231.173.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 thookedaurce.com udp
US 8.8.8.8:53 foolockpary.ru udp
US 8.8.8.8:53 usitemithe.ru udp

Files

memory/3044-0-0x00007FFE801B0000-0x00007FFE801C0000-memory.dmp

memory/3044-1-0x00007FFE801B0000-0x00007FFE801C0000-memory.dmp

memory/3044-3-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-2-0x00007FFE801B0000-0x00007FFE801C0000-memory.dmp

memory/3044-4-0x00007FFE801B0000-0x00007FFE801C0000-memory.dmp

memory/3044-5-0x00007FFE801B0000-0x00007FFE801C0000-memory.dmp

memory/3044-6-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-7-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-8-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-10-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-9-0x00007FFE7DCA0000-0x00007FFE7DCB0000-memory.dmp

memory/3044-12-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-11-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-15-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-16-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-14-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-18-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-19-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-20-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-21-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-22-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-17-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-13-0x00007FFE7DCA0000-0x00007FFE7DCB0000-memory.dmp

memory/3044-24-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-36-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

memory/3044-42-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

memory/3044-45-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

memory/3044-49-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

memory/3044-57-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\glib.doc

MD5 b52f61535a31ca4d9faad38b1ccf4582
SHA1 6832e46fe7ec23d40a6b89f92da25a29bbbf0f8e
SHA256 9a05042694202e3197896a8041ba103eb3f6d4c02a4722b62c2b766cde87fd3e
SHA512 a910ff56c3f20456311177fd3db0ec8b2810403c5f6e2f46999cfbbf83b3469808f49fb295cdd13822c85f103b6346981bb681d42a7f637c4e35dcfd18b8beb2

memory/3044-72-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

memory/3044-73-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 8963cb4123157464aa66928b3a910108
SHA1 b9624233909e2bd04742654ba82288ab60528e73
SHA256 59b4b5d813cd6d08d5895317ada4f6e5835286d7ecdf324f142474f34a22c565
SHA512 87799850de5ae1d4f7aca70c22e68f873e6440565895dd7a029b9bde9af6004d09b9338b398aec43c9cc2eb9e78844edf8fde45c2efe8c7d97e8bbb783763f6c

memory/3044-95-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4D14CB7F.emf

MD5 6c83465ae5615219498deb5b90a19636
SHA1 369ccd9f4f41b26b7fc50cc444d76287e9fa2faf
SHA256 28b8a1e363936c69db757f7de3ba245fc423ae10584cf2a97c382a48892d75cd
SHA512 81a32dd2368f8769e74b01a25818b4207c357349d7972f157cce488c93cd0e154b468b285d2c4dae3e469ac2cba6d3cee489cae77f78b32f4ecfd8237bd04d1b

memory/3044-104-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-136-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

\??\c:\users\admin\appdata\roaming\microsoft\templates\yefff.dll

MD5 7a1a46762f221164a02b2f0d8e3af8ae
SHA1 e63dbb954b683977764ad0cf1eaac49ef3e0f03d
SHA256 c040b49ac539248c12f33014e38c6f2bb764dce3c90f4cdaaf42f5e05aacae98
SHA512 6fd6a46ea7cd52afd0a784d29811c405062d13a2b09700938ecb91e1a73516bfd8fe5f5dd4970a5359813a5de94ab7353a8cd77491fd30f43dc42589db48fac0

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\yefff.dll

MD5 28e594119e5081ef5504e241e4c72285
SHA1 794e8eae373570e15b563a0d3ae1ee042a64c313
SHA256 a84ce5f878d308a093823b638d997e9081a4aaae4ed8bfcad3372f99942de223
SHA512 6f91135533ed3e5c2294abcf631cee5e2b2f775b491ed5ca142f290653993edddac471822c4c6d2323ea0babab6dd403b04e06fbe51fbe9111c051f11422c57d

memory/4972-148-0x00000000022D0000-0x00000000023A2000-memory.dmp

memory/3044-149-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-152-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-155-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-160-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-159-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-158-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-161-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-157-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-156-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-154-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-162-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-163-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/4972-166-0x00000000024B0000-0x00000000024BA000-memory.dmp

memory/4972-165-0x0000000000960000-0x0000000000968000-memory.dmp

memory/3044-164-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-153-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-151-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-150-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp

memory/3044-167-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

memory/3044-168-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

memory/3044-169-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

memory/3044-175-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

memory/4972-178-0x00000000022D0000-0x00000000023A2000-memory.dmp

memory/3044-179-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

memory/3044-180-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8933E7F6.emf

MD5 ebc0f126663622777d5d60b9f1227e31
SHA1 66b370d1ef561e41014651a7a84fecb34b3436a6
SHA256 0e70c20a370e518a45d9be1a791cee6de471cee1414817ade54c69e7d0721795
SHA512 b039f7c0c88e28a948da1cb226e75a9c245ab8557123869adad5be002065a394a73eafa5f6de6233cda1a294ee6d0fc7a99bde8f25cb5e54baf2a2a4592d5cfb

memory/3044-187-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

memory/3044-189-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

memory/3044-191-0x0000021FB68E0000-0x0000021FB78B0000-memory.dmp

memory/4972-192-0x00000000024B0000-0x00000000024BA000-memory.dmp

memory/3044-227-0x00007FFE801B0000-0x00007FFE801C0000-memory.dmp

memory/3044-228-0x00007FFE801B0000-0x00007FFE801C0000-memory.dmp

memory/3044-229-0x00007FFE801B0000-0x00007FFE801C0000-memory.dmp

memory/3044-230-0x00007FFE801B0000-0x00007FFE801C0000-memory.dmp

memory/3044-231-0x00007FFEC0130000-0x00007FFEC0325000-memory.dmp