Malware Analysis Report

2024-10-19 02:46

Sample ID 240203-jf54ksefaj
Target 8bc41922aa2635dbce28dbedf8c7c332
SHA256 98a4c62581108b0c40bb18ff399c661a4f3e9678b680b03e36bc42afd40281e8
Tags hancitor 3008_hsdj8 downloader
Score 10/10

Analysis Overview

Score 10/10

SHA256

98a4c62581108b0c40bb18ff399c661a4f3e9678b680b03e36bc42afd40281e8

Threat Level: Known bad

The file 8bc41922aa2635dbce28dbedf8c7c332 was found to be: Known bad.

Malicious Activity Summary

hancitor 3008_hsdj8 downloader

Hancitor

Blocklisted process makes network request

Looks up external IP address via web service

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-03 07:37

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-03 07:37

Reported

2024-02-03 07:40

Platform

win7-20231215-en

Max time kernel

141s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8bc41922aa2635dbce28dbedf8c7c332.dll,#1

Signatures

Hancitor

downloader hancitor

Blocklisted process makes network request

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Looks up external IP address via web service

Description  Indicator      Process  Target
N/A          api.ipify.org  N/A      N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                           Target
PID 3040 wrote to memory of 1028  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 1028  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 1028  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 1028  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 1028  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 1028  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 1028  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8bc41922aa2635dbce28dbedf8c7c332.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8bc41922aa2635dbce28dbedf8c7c332.dll,#1

Network

Country  Destination        Domain          Proto
US       8.8.8.8:53         api.ipify.org   udp
US       64.185.227.156:80  api.ipify.org   tcp
US       8.8.8.8:53         buichely.com    udp
US       8.8.8.8:53         gratimen.ru     udp
US       8.8.8.8:53         waliteriter.ru  udp

Files

memory/1028-0-0x0000000075160000-0x00000000751CC000-memory.dmp
memory/1028-1-0x0000000075160000-0x00000000751CC000-memory.dmp
memory/1028-2-0x00000000000B0000-0x00000000000B1000-memory.dmp
memory/1028-4-0x0000000075160000-0x00000000751CC000-memory.dmp
memory/1028-5-0x0000000075160000-0x00000000751CC000-memory.dmp
memory/1028-6-0x00000000000B0000-0x00000000000B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-03 07:37

Reported

2024-02-03 07:40

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8bc41922aa2635dbce28dbedf8c7c332.dll,#1

Signatures

Hancitor

downloader hancitor

Blocklisted process makes network request

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Looks up external IP address via web service

Description  Indicator      Process  Target
N/A          api.ipify.org  N/A      N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Suspicious use of WriteProcessMemory

Description                     Indicator  Process                           Target
PID 224 wrote to memory of 764  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 224 wrote to memory of 764  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 224 wrote to memory of 764  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8bc41922aa2635dbce28dbedf8c7c332.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8bc41922aa2635dbce28dbedf8c7c332.dll,#1

Network

Country  Destination        Domain                        Proto
US       8.8.8.8:53         8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53         28.118.140.52.in-addr.arpa    udp
US       8.8.8.8:53         173.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53         157.123.68.40.in-addr.arpa    udp
US       8.8.8.8:53         18.31.95.13.in-addr.arpa      udp
US       8.8.8.8:53         0.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53         95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53         13.86.106.20.in-addr.arpa     udp
US       8.8.8.8:53         209.205.72.20.in-addr.arpa    udp
US       8.8.8.8:53         104.219.191.52.in-addr.arpa   udp
US       8.8.8.8:53         api.ipify.org                 udp
US       104.237.62.212:80  api.ipify.org                 tcp
US       8.8.8.8:53         buichely.com                  udp
US       8.8.8.8:53         gratimen.ru                   udp
US       8.8.8.8:53         waliteriter.ru                udp
US       8.8.8.8:53         212.62.237.104.in-addr.arpa   udp
US       8.8.8.8:53         180.178.17.96.in-addr.arpa    udp

Files

memory/764-0-0x0000000075690000-0x00000000756FC000-memory.dmp
memory/764-1-0x0000000075690000-0x00000000756FC000-memory.dmp
memory/764-2-0x0000000000730000-0x0000000000731000-memory.dmp
memory/764-3-0x0000000075690000-0x00000000756FC000-memory.dmp
memory/764-4-0x0000000075690000-0x00000000756FC000-memory.dmp
memory/764-6-0x0000000000730000-0x0000000000731000-memory.dmp