hancitor | 2ae278b49a16340323666bc486a2686491391374365393142e44a25c16b29465

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-03-2024 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d225efab3cf8f751c299accb3f114e9b.doc
Size

612KB
MD5

d225efab3cf8f751c299accb3f114e9b
SHA1

fdabc9901ed3b774b106859f4c5c0c3c1dcf1aef
SHA256

2ae278b49a16340323666bc486a2686491391374365393142e44a25c16b29465
SHA512

c0656fa0af6391c2568efe70b1b9ee0120eace96575f0c04ceea9d77aa94b6941b682257585097cef8fb661bf5944f9ab69792aa413173cb6300d361828bc672
SSDEEP

12288:EV9iQsDr8N5eCz3DFw7m/kdxoF3aHUp6BvNoywaMFsZjjotAd5Rs+:EVXkr8N8Cz6voFqDisSIj

Score

10^/10

hancitor 1808_plfr downloader

Malware Config

Extracted

Family

hancitor

Botnet

1808_plfr

http://madmilons.com/8/forum.php

http://counteent.ru/8/forum.php

http://simatereare.ru/8/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4632	2068	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

54 1480 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1480 rundll32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

53 api.ipify.org

flow	pid	process
54	1480	rundll32.exe

pid	process
1480	rundll32.exe

flow	ioc
53	api.ipify.org

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{41D4FC24-78D1-487B-9D9E-150425E2D122}\glib.bax:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{41D4FC24-78D1-487B-9D9E-150425E2D122}\jjy.dll:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2068 WINWORD.EXE
2068 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

1480 rundll32.exe
1480 rundll32.exe
1480 rundll32.exe
1480 rundll32.exe

pid	process
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

WINWORD.EXErundll32.exe

description	pid	process	target process
PID 2068 wrote to memory of 2296	2068	WINWORD.EXE	splwow64.exe
PID 2068 wrote to memory of 2296	2068	WINWORD.EXE	splwow64.exe
PID 2068 wrote to memory of 4632	2068	WINWORD.EXE	rundll32.exe
PID 2068 wrote to memory of 4632	2068	WINWORD.EXE	rundll32.exe
PID 4632 wrote to memory of 1480	4632	rundll32.exe	rundll32.exe
PID 4632 wrote to memory of 1480	4632	rundll32.exe	rundll32.exe
PID 4632 wrote to memory of 1480	4632	rundll32.exe	rundll32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d225efab3cf8f751c299accb3f114e9b.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2296
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 c:\users\admin\appdata\roaming\microsoft\templates\yefff.dll,DJJEQGVHMRG
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 c:\users\admin\appdata\roaming\microsoft\templates\yefff.dll,DJJEQGVHMRG
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\331D38F7.emf

Filesize
4KB

MD5
b5ed963e5b24f2b139b9fc68c72fce85

SHA1
93d7ddb535070e05af7ead9517efb9fbefd3ce48

SHA256
d7922ee96fa7ba7fc7518b4a1c4e19e0460dc39cf6170ae610290d4c29fbde99

SHA512
a75ff876c26b897899753153879969f0d34779f94473ac0dd6fa135cdc3f10875a774587c03284f30bed8fcf6a3a6eade8a7ea2a024864ba32556cc886029300

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4C51654E.emf

Filesize
4KB

MD5
2d132b8d63a6ada5df4919d1c9630a51

SHA1
173e4c5e4b79a252fe729273e45790326f1fae4f

SHA256
99eff9f9f8b287ee675cac900b549c7bff212e743cdc9785190d087cda93a0f6

SHA512
16ee35a0c741d33a7480f04e616e228413b1933820e96df4e9deca857ade107d5e07c3aae63c6b092d052b9792ea70313801ff0abae24ef806e405b1d9d8492b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
241B

MD5
8963cb4123157464aa66928b3a910108

SHA1
b9624233909e2bd04742654ba82288ab60528e73

SHA256
59b4b5d813cd6d08d5895317ada4f6e5835286d7ecdf324f142474f34a22c565

SHA512
87799850de5ae1d4f7aca70c22e68f873e6440565895dd7a029b9bde9af6004d09b9338b398aec43c9cc2eb9e78844edf8fde45c2efe8c7d97e8bbb783763f6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\glib.doc

Filesize
434KB

MD5
ac6aa3d48029b449e6c4d333dcceec74

SHA1
5bb8371e151b9ee5915eba6f46e16ba46110e00c

SHA256
1997cb09289d65e2e9be0cb30a5a78af7c5a86237fa36e97d0505e05d8b321cf

SHA512
2c99673d4685c85e9a886cbae064d290e57a284f5415f5ce34d7fc9c8387f48c435be2476f83b6e5f5f5f8071aa2c29d8a7ac6b3d84c17dc53abfaaefe107e8b

Download Submit
\??\c:\users\admin\appdata\roaming\microsoft\templates\yefff.dll

Filesize
800KB

MD5
7d947a3d37f370b12fec5f1df82dfd1e

SHA1
e5999fccef4769c0c7ae66b9ec6eaaf7c3326c46

SHA256
bb3cfed0b433c158af3238573507836cd6c42a40240852a0ae22bcfd48038b8c

SHA512
9bf47cbfa989cbd55e48675b83799559cc7ffa40023520dfe072d4889872abe341d099e9915d96b7c5ef0aea05e554ec58dd0f91e3b0324f53d922dbd09b675f

Download Submit
memory/1480-141-0x0000000000D00000-0x0000000000D0A000-memory.dmp

Filesize
40KB

Download
memory/1480-127-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1480-123-0x0000000000D00000-0x0000000000D0A000-memory.dmp

Filesize
40KB

Download
memory/1480-121-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

Filesize
32KB

Download
memory/2068-43-0x000001903A160000-0x000001903B130000-memory.dmp

Filesize
15.8MB

Download
memory/2068-8-0x00007FFB2DBF0000-0x00007FFB2DC00000-memory.dmp

Filesize
64KB

Download
memory/2068-12-0x00007FFB6DB70000-0x00007FFB6DD65000-memory.dmp

Filesize
2.0MB

Download
memory/2068-11-0x00007FFB6DB70000-0x00007FFB6DD65000-memory.dmp

Filesize
2.0MB

Download
memory/2068-13-0x00007FFB6DB70000-0x00007FFB6DD65000-memory.dmp

Filesize
2.0MB

Download
memory/2068-14-0x00007FFB2BB90000-0x00007FFB2BBA0000-memory.dmp

Filesize
64KB

Download
memory/2068-15-0x00007FFB6DB70000-0x00007FFB6DD65000-memory.dmp

Filesize
2.0MB

Download
memory/2068-16-0x00007FFB2BB90000-0x00007FFB2BBA0000-memory.dmp

Filesize
64KB

Download
memory/2068-17-0x00007FFB6DB70000-0x00007FFB6DD65000-memory.dmp

Filesize
2.0MB

Download
memory/2068-18-0x00007FFB6DB70000-0x00007FFB6DD65000-memory.dmp

Filesize
2.0MB

Download
memory/2068-19-0x00007FFB6DB70000-0x00007FFB6DD65000-memory.dmp

Filesize
2.0MB

Download
memory/2068-20-0x00007FFB6DB70000-0x00007FFB6DD65000-memory.dmp

Filesize
2.0MB

Download
memory/2068-21-0x00007FFB6DB70000-0x00007FFB6DD65000-memory.dmp

Filesize
2.0MB

Download
memory/2068-31-0x000001903A160000-0x000001903B130000-memory.dmp

Filesize
15.8MB

Download
memory/2068-40-0x000001903A160000-0x000001903B130000-memory.dmp

Filesize
15.8MB

Download
memory/2068-0-0x00007FFB2DBF0000-0x00007FFB2DC00000-memory.dmp

Filesize
64KB

Download
memory/2068-55-0x000001903A160000-0x000001903B130000-memory.dmp

Filesize
15.8MB

Download
memory/2068-10-0x00007FFB6DB70000-0x00007FFB6DD65000-memory.dmp

Filesize
2.0MB

Download
memory/2068-69-0x000001903A160000-0x000001903B130000-memory.dmp

Filesize
15.8MB

Download
memory/2068-70-0x000001903A160000-0x000001903B130000-memory.dmp

Filesize
15.8MB

Download
memory/2068-9-0x00007FFB6DB70000-0x00007FFB6DD65000-memory.dmp

Filesize
2.0MB

Download
memory/2068-5-0x00007FFB2DBF0000-0x00007FFB2DC00000-memory.dmp

Filesize
64KB

Download
memory/2068-7-0x00007FFB6DB70000-0x00007FFB6DD65000-memory.dmp

Filesize
2.0MB

Download
memory/2068-119-0x00007FFB6DB70000-0x00007FFB6DD65000-memory.dmp

Filesize
2.0MB

Download
memory/2068-120-0x00007FFB6DB70000-0x00007FFB6DD65000-memory.dmp

Filesize
2.0MB

Download
memory/2068-6-0x00007FFB6DB70000-0x00007FFB6DD65000-memory.dmp

Filesize
2.0MB

Download
memory/2068-122-0x00007FFB6DB70000-0x00007FFB6DD65000-memory.dmp

Filesize
2.0MB

Download
memory/2068-4-0x00007FFB2DBF0000-0x00007FFB2DC00000-memory.dmp

Filesize
64KB

Download
memory/2068-124-0x000001903A160000-0x000001903B130000-memory.dmp

Filesize
15.8MB

Download
memory/2068-3-0x00007FFB6DB70000-0x00007FFB6DD65000-memory.dmp

Filesize
2.0MB

Download
memory/2068-128-0x000001903A160000-0x000001903B130000-memory.dmp

Filesize
15.8MB

Download
memory/2068-2-0x00007FFB2DBF0000-0x00007FFB2DC00000-memory.dmp

Filesize
64KB

Download
memory/2068-136-0x000001903A160000-0x000001903B130000-memory.dmp

Filesize
15.8MB

Download
memory/2068-137-0x000001903A160000-0x000001903B130000-memory.dmp

Filesize
15.8MB

Download
memory/2068-139-0x000001903A160000-0x000001903B130000-memory.dmp

Filesize
15.8MB

Download
memory/2068-1-0x00007FFB6DB70000-0x00007FFB6DD65000-memory.dmp

Filesize
2.0MB

Download
memory/2068-174-0x00007FFB2DBF0000-0x00007FFB2DC00000-memory.dmp

Filesize
64KB

Download
memory/2068-175-0x00007FFB2DBF0000-0x00007FFB2DC00000-memory.dmp

Filesize
64KB

Download
memory/2068-176-0x00007FFB2DBF0000-0x00007FFB2DC00000-memory.dmp

Filesize
64KB

Download
memory/2068-177-0x00007FFB2DBF0000-0x00007FFB2DC00000-memory.dmp

Filesize
64KB

Download
memory/2068-178-0x00007FFB6DB70000-0x00007FFB6DD65000-memory.dmp

Filesize
2.0MB

Download