hancitor | d387bb7970545808dc199de51b482ccb4faf5e8e1df678bc9116a81d51b0bc32

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2024 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

912d4577fff64d062e613da735f17991.doc
Size

451KB
MD5

912d4577fff64d062e613da735f17991
SHA1

1dea29b7e9639ced1f5713b77a53d063c44dffc2
SHA256

d387bb7970545808dc199de51b482ccb4faf5e8e1df678bc9116a81d51b0bc32
SHA512

df116217c51add87a8b861c912ff47f05af35b38740e152796f0435f1ff563cb2b79e39a8c18a830ea35d21a839420443e661df24d1ed499aef4d2cc5ce2cdf6
SSDEEP

6144:WqVCgeFRmJMYjTkRFr8NWJIfXzigjcmPYeKfhi3aS1vJO4OzBtYOlV7J4MtAKY0/:zV9iQsDr8NXrLTQr0aCwSYRY038TW

Score

10^/10

hancitor 2508_bqplf downloader

Malware Config

Extracted

Family

hancitor

Botnet

2508_bqplf

http://intakinger.com/8/forum.php

http://idgentexpliet.ru/8/forum.php

http://declassivan.ru/8/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2124	5044	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

30 1136 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1136 rundll32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 api.ipify.org

flow	pid	process
30	1136	rundll32.exe

pid	process
1136	rundll32.exe

flow	ioc
29	api.ipify.org

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

NTFS ADS 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{33DD392D-4E58-447A-93C4-1AC2020FEB4A}\glib.bax:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{33DD392D-4E58-447A-93C4-1AC2020FEB4A}\jjy.dll:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

5044 WINWORD.EXE
5044 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

1136 rundll32.exe
1136 rundll32.exe
1136 rundll32.exe
1136 rundll32.exe

pid	process
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
5044	WINWORD.EXE
5044	WINWORD.EXE
5044	WINWORD.EXE
5044	WINWORD.EXE
5044	WINWORD.EXE
5044	WINWORD.EXE
5044	WINWORD.EXE
5044	WINWORD.EXE
5044	WINWORD.EXE
5044	WINWORD.EXE
5044	WINWORD.EXE
5044	WINWORD.EXE
5044	WINWORD.EXE
5044	WINWORD.EXE
5044	WINWORD.EXE
5044	WINWORD.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

WINWORD.EXErundll32.exe

description	pid	process	target process
PID 5044 wrote to memory of 1012	5044	WINWORD.EXE	splwow64.exe
PID 5044 wrote to memory of 1012	5044	WINWORD.EXE	splwow64.exe
PID 5044 wrote to memory of 2124	5044	WINWORD.EXE	rundll32.exe
PID 5044 wrote to memory of 2124	5044	WINWORD.EXE	rundll32.exe
PID 2124 wrote to memory of 1136	2124	rundll32.exe	rundll32.exe
PID 2124 wrote to memory of 1136	2124	rundll32.exe	rundll32.exe
PID 2124 wrote to memory of 1136	2124	rundll32.exe	rundll32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\912d4577fff64d062e613da735f17991.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1012
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 c:\users\admin\appdata\roaming\microsoft\templates\yefff.dll,FCQNEAXPXCR
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 c:\users\admin\appdata\roaming\microsoft\templates\yefff.dll,FCQNEAXPXCR
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3F37A27B.emf

Filesize
4KB

MD5
0b4318759025c5a0d2698cc1a450b22a

SHA1
ded53e9e732bcf8909570f4bbe81b89e15053a2e

SHA256
13f5860688219012867aa7d1f39faf80934d8b0fd70de9f571a73e7283c6b0ca

SHA512
563dd71a49e373db960b22d0cd43b1ea75d96d8d52a41dbce8095787e9b2fc5af3a543dfdb540f1261848e8c578094658a5786f2c60d3d3a5713a64f972cbcf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\FC69F7E2.emf

Filesize
4KB

MD5
5f467c02bda4d52bfe43fda28f8f946c

SHA1
abeb84e7708fe72d6beddf8d27ff7285a78212df

SHA256
252931f6c100aee4c80322f0a3ac2e426b5247b9f849a4e6277c3da2b90db5a7

SHA512
fe040c0ad086154094adad5d06de686beb5cebcf227bd55eba4bcfe33f78c7fea45da627626c785b098ed75f0ad8aa345ccd9c4a9d3296ac68dcd588d00bf900

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
241B

MD5
8963cb4123157464aa66928b3a910108

SHA1
b9624233909e2bd04742654ba82288ab60528e73

SHA256
59b4b5d813cd6d08d5895317ada4f6e5835286d7ecdf324f142474f34a22c565

SHA512
87799850de5ae1d4f7aca70c22e68f873e6440565895dd7a029b9bde9af6004d09b9338b398aec43c9cc2eb9e78844edf8fde45c2efe8c7d97e8bbb783763f6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\glib.doc

Filesize
269KB

MD5
b171b5b149f0ccf55fc95221c7b94831

SHA1
960391fee8e99179d9b62e237763b54ad34d991e

SHA256
7d449914b605c5d48ee6a62e2a3989aebef808dc6fe5c5901a204e595a0558eb

SHA512
2dfd2f81a567da8e0a8299ae5247d5edbadaf60793a1074495b45517ededcb2fb3d702c58dd305ab4294bada274b488349876e5b3f9384bc8e1a300be807f375

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\yefff.dll

Filesize
374KB

MD5
9c0269a9f8f567bf48a872b87d031d3f

SHA1
5bfd8046655a5fa62e57f206268705771fc0386f

SHA256
cc0e982a648ee64e13a04ca9bd34912cdd80a403873180ea5130c2efb6121321

SHA512
cc99c2c860907174446426d5dbb8a3cc6aa41e4268ce9a945fd119b2ad838b11d1f8be424b57f3bfd91d3aa9f7b7b7fcdfb3a3cca87d07d9c5aea31c7d9a6b70

Download Submit
\??\c:\users\admin\appdata\roaming\microsoft\templates\yefff.dll

Filesize
8KB

MD5
8f6c2e012f24645ee0578d3e2c5b8667

SHA1
00936369bc60b3927ab7314c00f9347edbe37440

SHA256
4d8e8c591c7c30fc3899971544a1bdfdaf50e6f602ed33915947344ea5fb7110

SHA512
b6b0842ea00c0834e51a9ff487670a805bdc4244bcc2ad057d862f4f380c3a5ab3a244a5f6c7e8ce6a76f5e218e8ef0c61ffa5b6cb9457f4aa15f3d4f84ff733

Download Submit
memory/1136-170-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/1136-167-0x0000000010000000-0x0000000010078000-memory.dmp

Filesize
480KB

Download
memory/1136-152-0x0000000010000000-0x0000000010078000-memory.dmp

Filesize
480KB

Download
memory/1136-149-0x0000000010000000-0x0000000010078000-memory.dmp

Filesize
480KB

Download
memory/1136-150-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/1136-148-0x0000000010000000-0x0000000010078000-memory.dmp

Filesize
480KB

Download
memory/5044-70-0x000001E975070000-0x000001E976040000-memory.dmp

Filesize
15.8MB

Download
memory/5044-11-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download
memory/5044-16-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download
memory/5044-18-0x00007FFDEE410000-0x00007FFDEE420000-memory.dmp

Filesize
64KB

Download
memory/5044-17-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download
memory/5044-19-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download
memory/5044-1-0x00007FFDF0470000-0x00007FFDF0480000-memory.dmp

Filesize
64KB

Download
memory/5044-20-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download
memory/5044-21-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download
memory/5044-23-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download
memory/5044-22-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download
memory/5044-0-0x00007FFDF0470000-0x00007FFDF0480000-memory.dmp

Filesize
64KB

Download
memory/5044-32-0x000001E975070000-0x000001E976040000-memory.dmp

Filesize
15.8MB

Download
memory/5044-41-0x000001E975070000-0x000001E976040000-memory.dmp

Filesize
15.8MB

Download
memory/5044-12-0x00007FFDEE410000-0x00007FFDEE420000-memory.dmp

Filesize
64KB

Download
memory/5044-63-0x000001E975070000-0x000001E976040000-memory.dmp

Filesize
15.8MB

Download
memory/5044-3-0x00007FFDF0470000-0x00007FFDF0480000-memory.dmp

Filesize
64KB

Download
memory/5044-71-0x000001E975070000-0x000001E976040000-memory.dmp

Filesize
15.8MB

Download
memory/5044-72-0x000001E975070000-0x000001E976040000-memory.dmp

Filesize
15.8MB

Download
memory/5044-14-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download
memory/5044-13-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download
memory/5044-9-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download
memory/5044-10-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download
memory/5044-15-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download
memory/5044-7-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download
memory/5044-8-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download
memory/5044-6-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download
memory/5044-154-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download
memory/5044-155-0x000001E975070000-0x000001E976040000-memory.dmp

Filesize
15.8MB

Download
memory/5044-156-0x000001E975070000-0x000001E976040000-memory.dmp

Filesize
15.8MB

Download
memory/5044-2-0x00007FFDF0470000-0x00007FFDF0480000-memory.dmp

Filesize
64KB

Download
memory/5044-164-0x000001E975070000-0x000001E976040000-memory.dmp

Filesize
15.8MB

Download
memory/5044-165-0x000001E975070000-0x000001E976040000-memory.dmp

Filesize
15.8MB

Download
memory/5044-166-0x000001E975070000-0x000001E976040000-memory.dmp

Filesize
15.8MB

Download
memory/5044-5-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download
memory/5044-168-0x000001E975070000-0x000001E976040000-memory.dmp

Filesize
15.8MB

Download
memory/5044-4-0x00007FFDF0470000-0x00007FFDF0480000-memory.dmp

Filesize
64KB

Download
memory/5044-171-0x000001E975070000-0x000001E976040000-memory.dmp

Filesize
15.8MB

Download
memory/5044-205-0x00007FFDF0470000-0x00007FFDF0480000-memory.dmp

Filesize
64KB

Download
memory/5044-206-0x00007FFDF0470000-0x00007FFDF0480000-memory.dmp

Filesize
64KB

Download
memory/5044-207-0x00007FFDF0470000-0x00007FFDF0480000-memory.dmp

Filesize
64KB

Download
memory/5044-208-0x00007FFDF0470000-0x00007FFDF0480000-memory.dmp

Filesize
64KB

Download
memory/5044-209-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download
memory/5044-210-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download
memory/5044-212-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download
memory/5044-211-0x00007FFE303F0000-0x00007FFE305E5000-memory.dmp

Filesize
2.0MB

Download