Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
13-03-2024 19:14
Behavioral task
behavioral1
Sample
c6a955feba1b9e85859176043a1a274c.doc
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c6a955feba1b9e85859176043a1a274c.doc
Resource
win10v2004-20240226-en
General
-
Target
c6a955feba1b9e85859176043a1a274c.doc
-
Size
539KB
-
MD5
c6a955feba1b9e85859176043a1a274c
-
SHA1
31e397116cb4a2ec8188f9b51c0b980389031689
-
SHA256
25b1a6b2d713499b4d483d782626ff8f8622bfa1b078a6641d2efbe615db1ffd
-
SHA512
8c06e70f6b85011f82ef45fc9f605722b4a6037aea8340482dbafd68bbd647a69fbd028fbb9cbf69f7b4250de65013cb76a8c082af746b67f7d68d47a56451bf
-
SSDEEP
12288:hV9iQsDr8NQhqNrdjqLCV8L/EnqO1BKI9vIOaCuQByhC1A5/U:hVXkr8NpNrAmqL/EnJ1BsrPzhN5M
Malware Config
Extracted
Family: hancitor
Build ID: 0308_spnv5
C2 URLs:
http://priekornat.com/8/forum.php
http://stionsomi.ru/8/forum.php
http://arviskeist.ru/8/forum.php
Signatures
-
Hancitor
Hancitor is a downloader used to deliver other malware families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3764 | 2192 | rundll32.exe | 86
-
Blocklisted process makes network request 1 IoCs
flow | pid | Process
40 | 3692 | rundll32.exe
-
Loads dropped DLL 2 IoCs
pid | Process
3692 | rundll32.exe
3692 | rundll32.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
39 | api.ipify.org
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
-
NTFS ADS 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{12582210-5055-4036-8B10-BFC642D3E417}\qq.fax:Zone.Identifier | WINWORD.EXE
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{12582210-5055-4036-8B10-BFC642D3E417}\ter.dll:Zone.Identifier | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2192 | WINWORD.EXE
2192 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
3692 | rundll32.exe
3692 | rundll32.exe
3692 | rundll32.exe
3692 | rundll32.exe
-
Suspicious use of SetWindowsHookEx 16 IoCs
pid | Process
2192 | WINWORD.EXE (16 identical entries)
-
Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 2192 wrote to memory of 5252 | 2192 | WINWORD.EXE | 91
PID 2192 wrote to memory of 5252 | 2192 | WINWORD.EXE | 91
PID 2192 wrote to memory of 3764 | 2192 | WINWORD.EXE | 97
PID 2192 wrote to memory of 3764 | 2192 | WINWORD.EXE | 97
PID 3764 wrote to memory of 3692 | 3764 | rundll32.exe | 98
PID 3764 wrote to memory of 3692 | 3764 | rundll32.exe | 98
PID 3764 wrote to memory of 3692 | 3764 | rundll32.exe | 98
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
(depth 1) C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c6a955feba1b9e85859176043a1a274c.doc" /o ""
   PID: 2192
   - Checks processor information in registry
   - Enumerates system info in registry
   - NTFS ADS
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   (depth 2) C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 5252
   (depth 2) C:\Windows\SYSTEM32\rundll32.exe
      Command line: rundll32 c:\users\admin\appdata\roaming\microsoft\templates\ier.dll,NXYSYMIUJMD
      PID: 3764
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      (depth 3) C:\Windows\SysWOW64\rundll32.exe
         Command line: rundll32 c:\users\admin\appdata\roaming\microsoft\templates\ier.dll,NXYSYMIUJMD
         PID: 3692
         - Blocklisted process makes network request
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
-
-
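The signatures above (Office spawning an unexpected child, rundll32 loading a DLL from a user-writable template directory, repeated CPU/BIOS registry reads, Zone.Identifier writes on dropped files in Temp, an external IP lookup) and the process tree are the kind of telemetry an EDR rule set consumes. The following is an added example, not part of the sandbox report or its signature engine: it replays the report's PIDs, images, command lines, registry keys, ADS paths and the api.ipify.org lookup through a few hand-written detection rules. All event tuples are constructed from the values on this page; the rule names, the "two or more fingerprinting keys" threshold and the attribution of the IP-lookup flow to PID 3692 are assumptions of this example.

```python
"""Added example, not part of the sandbox report: replay the report's process
tree and IoCs through a few detection rules. Events are constructed by hand
from the report's values; rule names, thresholds and logic are assumptions."""
import ntpath
from dataclasses import dataclass

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe",
           "cmd.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")
SANDBOX_KEYS = ("\\hardware\\description\\system\\centralprocessor\\",
                "\\hardware\\description\\system\\bios")
EXEC_EXT = {".dll", ".exe", ".scr", ".ocx"}
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com"}


@dataclass(frozen=True, order=True)
class Finding:
    rule: str
    pid: int
    detail: str


def base(path):
    return ntpath.basename(path).lower()


def rundll32_target(cmdline):
    """Split 'rundll32 <dll>,<export>' into (dll_path, export); None if not rundll32."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2 or "rundll32" not in parts[0].lower():
        return None
    dll, _, export = parts[1].strip().strip('"').partition(",")
    return dll.strip().strip('"').lower(), export.strip()


def detect(procs, reg_queries, ads_writes, dns):
    """procs: (pid, ppid, image, cmdline); reg_queries: (pid, key);
    ads_writes: (pid, path); dns: (pid, host). Returns a sorted list of Finding."""
    out = set()
    by_pid = {p[0]: p for p in procs}
    for pid, ppid, image, cmd in procs:
        parent = by_pid.get(ppid)
        # Office -> LOLBin. splwow64.exe is an expected Word helper and is not in LOLBINS.
        if parent and base(parent[2]) in OFFICE and base(image) in LOLBINS:
            out.add(Finding("office_spawns_lolbin", pid, f"{base(parent[2])} -> {base(image)}"))
        tgt = rundll32_target(cmd) if base(image) == "rundll32.exe" else None
        if tgt and any(d in tgt[0] for d in USER_WRITABLE):
            out.add(Finding("rundll32_user_writable_dll", pid, f"{tgt[0]} export {tgt[1]}"))
    # Several distinct CPU/BIOS keys read by one process looks like fingerprinting, not a one-off.
    per_pid = {}
    for pid, key in reg_queries:
        if any(s in key.lower() for s in SANDBOX_KEYS):
            per_pid.setdefault(pid, set()).add(key.lower())
    for pid, keys in per_pid.items():
        if len(keys) >= 2:
            out.add(Finding("sandbox_fingerprinting", pid, f"{len(keys)} hw/bios keys"))
    # Office writing Zone.Identifier onto a freshly dropped executable (qq.fax is not flagged).
    for pid, path in ads_writes:
        file, _, stream = path.rpartition(":")
        proc = by_pid.get(pid)
        if (proc and base(proc[2]) in OFFICE and stream.lower() == "zone.identifier"
                and ntpath.splitext(file)[1].lower() in EXEC_EXT):
            out.add(Finding("office_drops_executable", pid, base(file)))
    for pid, host in dns:
        if host.lower() in IP_LOOKUP_HOSTS:
            out.add(Finding("external_ip_lookup", pid, host))
    return sorted(out)


# Constructed from the report: PIDs, images and command lines of the process tree.
PROCS = [
    (2192, None, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c6a955feba1b9e85859176043a1a274c.doc" /o ""'),
    (5252, 2192, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    (3764, 2192, r"C:\Windows\SYSTEM32\rundll32.exe",
     r"rundll32 c:\users\admin\appdata\roaming\microsoft\templates\ier.dll,NXYSYMIUJMD"),
    (3692, 3764, r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32 c:\users\admin\appdata\roaming\microsoft\templates\ier.dll,NXYSYMIUJMD"),
]
REG = [(2192, k) for k in (
    r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU",
    r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS")]
ADS = [(2192, r"C:\Users\Admin\AppData\Local\Temp\{12582210-5055-4036-8B10-BFC642D3E417}\qq.fax:Zone.Identifier"),
       (2192, r"C:\Users\Admin\AppData\Local\Temp\{12582210-5055-4036-8B10-BFC642D3E417}\ter.dll:Zone.Identifier")]
# The report does not tie flow 39 (api.ipify.org) to a PID; attributing it to 3692 is an assumption.
DNS = [(3692, "api.ipify.org")]


def report_findings():
    return detect(PROCS, REG, ADS, DNS)


if __name__ == "__main__":
    for f in report_findings():
        print(f"{f.rule:28} pid={f.pid:<5} {f.detail}")
```

Run stand-alone it prints six findings. Note what is deliberately not flagged: splwow64.exe as a child of WINWORD.EXE (a normal print-spooler helper) and the Zone.Identifier write on qq.fax (no executable extension). The SysWOW64 rundll32.exe (PID 3692) is flagged on its command line rather than on its parent, because a 32-bit DLL launched via the 64-bit rundll32 always arrives through this re-exec hop and the parent is rundll32, not Word.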
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
4KB
MD5: ff6a77c6072d38dad1ded7fe7b1cdfa1
SHA1: 5c3457475f3584d18ba5a5d765fce16ce16f69c5
SHA256: dafca1618afa2cd4e9f89e97bfd0e7aea61453ddca26ba7de4e2045a2e85bc84
SHA512: d7e30e96bd765349648c63e093d64899355b769bd4a2878bd0006fc97f350fc1f1a479f7b7552ecdba907822297bdd0f2366f7bbd1fc53f7e6360e4890c7e46f
-
Filesize
4KB
MD5: 8054abe59b2badee71e12edb5e1db182
SHA1: 150f33966a99e449b498eb8f2552b56db0cd09a9
SHA256: ea0cebe8874b6b4977a59759638015bc125f5e768f74056b74fe9bf55df0115d
SHA512: 0673867f1466ddd63f222e316e8484604dc1cfd4ab4e76ec04713a951e8ce9fd4ecf4222be8b9dc0d95f70772843b83f600de12e78072daba7bd144791eb261b
-
Filesize
237B
MD5: f97ce128e09ed76f8d746e835ad41de3
SHA1: 801c10655753020a0fd41ed43ac8095d622904e1
SHA256: 05c26bcb60ae5c262da5040e9382b0b1915aa59904926ac107f25617b624172f
SHA512: 45c0e5eb7693617ab03a1c1e40eb25b1f3ee00069a4bfbbfe59ad4fd208f4d8eb34c58b5af7d7643a997292ac667eff4b8eacd32fd8e7660ab6b2deda3838d0c
-
Filesize
360KB
MD5: 3aae62f48791f830ed66e46a725c7186
SHA1: 52bf6707f417eec0290b871283d9937c4f570c28
SHA256: 51843894f91faada6a71a0dc972a883a4e19da2f9416735dc9149de9e4b67a19
SHA512: 4d5e8cea4c736a5bcbab717389701959f2623bff0c1306f792ffbf84199a370e73868e1a8c0db2b37d5e3cfda6c5653fa14ff54902d1f74722325f4dfaf4941a
-
Filesize
654KB
MD5: d7c87a735968d424d5c0aa2794d23657
SHA1: 957a6ef9961e71d0207c5ab2ccc153b41f73e110
SHA256: 306d564fba556c9db12269b01bdadb3eba19e43c60f180c6f41a72a1fc9840d3
SHA512: 5ef0e40f059cb752421af3123deef73df4544fe1653efdfdfa277ed879d06f6eb6d6ff5234ae159746f2dc9bbc167273851c1a14ace3f38bcd1661828b0e35d5