Analysis
max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags
arch:x64
arch:x86
image:win10v2004-20231215-en
locale:en-us
os:windows10-2004-x64
system
submitted
01-02-2024 17:29
Behavioral task
behavioral1
Sample
877860610fc42b1b257a6190a8c83b11.doc
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
877860610fc42b1b257a6190a8c83b11.doc
Resource
win10v2004-20231215-en
General
Target
877860610fc42b1b257a6190a8c83b11.doc
Size
612KB
MD5
877860610fc42b1b257a6190a8c83b11
SHA1
ce480630cfd1bf1249ba3921ccec1039ddfa69cc
SHA256
f9fdb0d3bdfc7e5305bc9444c832a8900a77006ff54a2660c973fec4afa4ab60
SHA512
ff1ce342d826ad1f35446265b8dd491c388207b2eaa739b8d8ec7089a9571f0af1ff816b954681ca78bb490cf93e68a7075074645f9c52ada1bce46e2e59c255
SSDEEP
12288:sV9iQsDr8NVeCz3DFw7m/kdxoF3aHUp6BvNoywaMFsZjjotAd5Rs+:sVXkr8N4Cz6voFqDisSID
Malware Config
Extracted
hancitor
1808_plfr
http://madmilons.com/8/forum.php
http://counteent.ru/8/forum.php
http://simatereare.ru/8/forum.php
Signatures
Hancitor
Hancitor is a downloader used to deliver other malware families.
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: rundll32.exe
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 1928 | 4508 | rundll32.exe | WINWORD.EXE
Blocklisted process makes network request 1 IoCs
Processes: rundll32.exe
flow | pid | process
22 | 3380 | rundll32.exe
Loads dropped DLL 1 IoCs
Processes: rundll32.exe
pid | process
3380 | rundll32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
21 | api.ipify.org
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
NTFS ADS 2 IoCs
Processes: WINWORD.EXE
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{F052CA87-8DFD-46DD-8B88-28220C7CADF2}\glib.bax:Zone.Identifier | WINWORD.EXE
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{F052CA87-8DFD-46DD-8B88-28220C7CADF2}\jjy.dll:Zone.Identifier | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | process
4508 | WINWORD.EXE (2 occurrences)
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: rundll32.exe
pid | process
3380 | rundll32.exe (4 occurrences)
Suspicious use of SetWindowsHookEx 16 IoCs
Processes: WINWORD.EXE
pid | process
4508 | WINWORD.EXE (16 occurrences)
Suspicious use of WriteProcessMemory 7 IoCs
Processes: WINWORD.EXE, rundll32.exe
description | pid | process | target process
PID 4508 wrote to memory of 4436 | 4508 | WINWORD.EXE | splwow64.exe
PID 4508 wrote to memory of 4436 | 4508 | WINWORD.EXE | splwow64.exe
PID 4508 wrote to memory of 1928 | 4508 | WINWORD.EXE | rundll32.exe
PID 4508 wrote to memory of 1928 | 4508 | WINWORD.EXE | rundll32.exe
PID 1928 wrote to memory of 3380 | 1928 | rundll32.exe | rundll32.exe
PID 1928 wrote to memory of 3380 | 1928 | rundll32.exe | rundll32.exe
PID 1928 wrote to memory of 3380 | 1928 | rundll32.exe | rundll32.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\877860610fc42b1b257a6190a8c83b11.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4508

  C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  PID:4436

  C:\Windows\SYSTEM32\rundll32.exe
  rundll32 c:\users\admin\appdata\roaming\microsoft\templates\yefff.dll,DJJEQGVHMRG
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:1928

    C:\Windows\SysWOW64\rundll32.exe
    rundll32 c:\users\admin\appdata\roaming\microsoft\templates\yefff.dll,DJJEQGVHMRG
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:3380
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
4KB
MD5
2d132b8d63a6ada5df4919d1c9630a51
SHA1
173e4c5e4b79a252fe729273e45790326f1fae4f
SHA256
99eff9f9f8b287ee675cac900b549c7bff212e743cdc9785190d087cda93a0f6
SHA512
16ee35a0c741d33a7480f04e616e228413b1933820e96df4e9deca857ade107d5e07c3aae63c6b092d052b9792ea70313801ff0abae24ef806e405b1d9d8492b

Filesize
4KB
MD5
b5ed963e5b24f2b139b9fc68c72fce85
SHA1
93d7ddb535070e05af7ead9517efb9fbefd3ce48
SHA256
d7922ee96fa7ba7fc7518b4a1c4e19e0460dc39cf6170ae610290d4c29fbde99
SHA512
a75ff876c26b897899753153879969f0d34779f94473ac0dd6fa135cdc3f10875a774587c03284f30bed8fcf6a3a6eade8a7ea2a024864ba32556cc886029300

Filesize
241B
MD5
8963cb4123157464aa66928b3a910108
SHA1
b9624233909e2bd04742654ba82288ab60528e73
SHA256
59b4b5d813cd6d08d5895317ada4f6e5835286d7ecdf324f142474f34a22c565
SHA512
87799850de5ae1d4f7aca70c22e68f873e6440565895dd7a029b9bde9af6004d09b9338b398aec43c9cc2eb9e78844edf8fde45c2efe8c7d97e8bbb783763f6c

Filesize
130KB
MD5
78e51f05e6bef6bc17f4b1f6ab1c894d
SHA1
90e9ecef8f61b7caffc20b7ef05d08629edd1b4c
SHA256
96164a842b3ad303058c85ad5976ed37a2dc2fff7e818207cd4070aebdb3a4b6
SHA512
701a6982aa42c59caf69c7a78042c0883bfd247f55cb4f17aeeb063e7643b7b43514a884fc67c96345ebad7106f14410a3b5fd91230f3247fecb5290e56a4ec3

MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Filesize
95KB
MD5
b2b1ac23adeb8d1a82c7150681aa122d
SHA1
d742203f18d0b2dd3aa8d84c4f9e949d3cde84ee
SHA256
f39f0b2340322d754362f13907c7d29b4c3e802efc06a6c57659499042ab37be
SHA512
4c0bafa74b390598e2c8856280e5b6ff4826769b91abcb736b385c94a1884d12a475eb6980f6cf5bd079933eea69d6a1e82ac101a934a4acff1107d4ffd83902