hancitor | 35dd54998c21502765a5807c3d0da5f67f09e93d90be66881cbe5d5360ae17b0

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2024 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c47745c73485b8492a301c2754ff895b_JaffaCakes118.doc
Size

534KB
MD5

c47745c73485b8492a301c2754ff895b
SHA1

9a90d06c544c9848d7f384921812877a4fdad5f3
SHA256

35dd54998c21502765a5807c3d0da5f67f09e93d90be66881cbe5d5360ae17b0
SHA512

11067e4b5ce4d4e5d926958fc57df99cdb278313891b0270b74d14a5a4c8a43c44197dd15ff9ba72cb8e743feaee61d70ee9e5de952c5945cdc9ed1b2d0f2425
SSDEEP

12288:k8CmEKY7gpWMBYKoM6scG2u302l0HwbsG7kWunEDXm/zjH0Bq:k8CmEj6BYHMDn2u3049HSn+Xm/9

Score

10^/10

hancitor 1910_nsw downloader

Malware Config

Extracted

Family

hancitor

Botnet

1910_nsw

http://newnucapi.com/8/forum.php

http://gintlyba.ru/8/forum.php

http://stralonz.ru/8/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	812	1564	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

35 4368 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4368 rundll32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

34 api.ipify.org

flow	pid	process
35	4368	rundll32.exe

pid	process
4368	rundll32.exe

flow	ioc
34	api.ipify.org

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{21932439-A969-43A5-B852-C9B035D291B2}\zoro.kl:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{21932439-A969-43A5-B852-C9B035D291B2}\gelfor.dap:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1564 WINWORD.EXE
1564 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

4368 rundll32.exe
4368 rundll32.exe
4368 rundll32.exe
4368 rundll32.exe

pid	process
4368	rundll32.exe
4368	rundll32.exe
4368	rundll32.exe
4368	rundll32.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

WINWORD.EXErundll32.exe

description	pid	process	target process
PID 1564 wrote to memory of 3516	1564	WINWORD.EXE	splwow64.exe
PID 1564 wrote to memory of 3516	1564	WINWORD.EXE	splwow64.exe
PID 1564 wrote to memory of 812	1564	WINWORD.EXE	rundll32.exe
PID 1564 wrote to memory of 812	1564	WINWORD.EXE	rundll32.exe
PID 812 wrote to memory of 4368	812	rundll32.exe	rundll32.exe
PID 812 wrote to memory of 4368	812	rundll32.exe	rundll32.exe
PID 812 wrote to memory of 4368	812	rundll32.exe	rundll32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c47745c73485b8492a301c2754ff895b_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3516
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\gelforr.dap,MVELLJHNDSVBJLD
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\gelforr.dap,MVELLJHNDSVBJLD
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1AD894A5.emf

Filesize
4KB

MD5
c024f2d9118240e0bfc483b9299dd6cf

SHA1
372f04b3efb4cb0a8fc3f82c7918d7478a230f80

SHA256
a23c652c83e35c3059746bbdbd71c80e2ac08535d420359cffb6e41df713dc85

SHA512
632b48760ca476cd6f01eefa2e6c516f34c822867590419351eefb8c78f6dab6eaf231feff6764d903e09c40eaca14a0b222a961d2ddec951fc8be3cabd3bf04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E342C234.emf

Filesize
4KB

MD5
bf2393dfe4576945d1f26d3595c5ef9f

SHA1
f9abbbcf4bad106e4f5c039082257357f4c28aef

SHA256
a1fa622b47a529e1064458aa0decd0c1ebc16efb621511c8cba545036ffeb00e

SHA512
bd9972b8310d1357529f62375b883ce3af01c01a56107a0cff93b8cdce43fe7931947ce10790ad5c596392ba8bab842d89e708d4999d87c9c4b858140688fdbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
241B

MD5
f5310e4d57eb4bfd0514b4070f46def9

SHA1
69392ae127b33f86e844982957a6d761d5368603

SHA256
2c8c3924add47db70a6449b6b493f71f6d045b7cb156bd2112a67724e5fad50c

SHA512
489cc600baa5d96584c1f40cc9eac34138543ed1325c7b109523cbd1028a880cddbc6c49ce089c961d157890a50c1761436facf83c46d87cbf21ca1ebbb54726

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\zoro.doc

Filesize
341KB

MD5
b6487ba7cff8bd5748c8dfa1f7db100c

SHA1
a49729ba20a4ad819e890682a88c470b0056a218

SHA256
dd891db0c9eed71e1f6e2f659a9b7dc18806626480f36b1e84ef18f41cd6a57d

SHA512
8b58aa8b20035b2b4aeeee1ae909bc5245ec0a615990b1f4b9938b8507726931a142e3dde111dc0ca70b3102683305b4e63df91b197136586404e66fcec81f83

Download Submit
\??\c:\users\admin\appdata\roaming\microsoft\templates\gelforr.dap

Filesize
525KB

MD5
4198ac1dc34de77ab8ceac3c9a25480e

SHA1
f8fb1264a292aecb6c2bf5c5d4f3e199e3a822ad

SHA256
8ff43b6ddf6243bd5ee073f9987920fa223809f589d151d7e438fd8cc08ce292

SHA512
37dd3c50283daa7be1fb831820d273b7663dddce4d98c87c8d08864fac2dc00daf243ca6e50e028d4f04262160f5dea9a98000cffb67d70c07875d3fc2e4c47c

Download Submit
memory/1564-10-0x00007FF8679F0000-0x00007FF867BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-3-0x00007FF8679F0000-0x00007FF867BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-7-0x00007FF8679F0000-0x00007FF867BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-8-0x00007FF8679F0000-0x00007FF867BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-9-0x00007FF8679F0000-0x00007FF867BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-0-0x00007FF827A70000-0x00007FF827A80000-memory.dmp

Filesize
64KB

Download
memory/1564-11-0x00007FF8679F0000-0x00007FF867BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-12-0x00007FF8679F0000-0x00007FF867BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-14-0x00007FF8679F0000-0x00007FF867BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-13-0x00007FF825250000-0x00007FF825260000-memory.dmp

Filesize
64KB

Download
memory/1564-15-0x00007FF825250000-0x00007FF825260000-memory.dmp

Filesize
64KB

Download
memory/1564-35-0x00000267C4160000-0x00000267C5130000-memory.dmp

Filesize
15.8MB

Download
memory/1564-58-0x00000267C4160000-0x00000267C5130000-memory.dmp

Filesize
15.8MB

Download
memory/1564-62-0x00000267C4160000-0x00000267C5130000-memory.dmp

Filesize
15.8MB

Download
memory/1564-63-0x00000267C4160000-0x00000267C5130000-memory.dmp

Filesize
15.8MB

Download
memory/1564-5-0x00007FF827A70000-0x00007FF827A80000-memory.dmp

Filesize
64KB

Download
memory/1564-87-0x00000267C4160000-0x00000267C5130000-memory.dmp

Filesize
15.8MB

Download
memory/1564-4-0x00007FF827A70000-0x00007FF827A80000-memory.dmp

Filesize
64KB

Download
memory/1564-2-0x00007FF827A70000-0x00007FF827A80000-memory.dmp

Filesize
64KB

Download
memory/1564-6-0x00007FF8679F0000-0x00007FF867BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-164-0x00007FF8679F0000-0x00007FF867BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-165-0x00007FF8679F0000-0x00007FF867BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-1-0x00007FF827A70000-0x00007FF827A80000-memory.dmp

Filesize
64KB

Download
memory/1564-174-0x00007FF8679F0000-0x00007FF867BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-222-0x00007FF8679F0000-0x00007FF867BE5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-177-0x00000267C4160000-0x00000267C5130000-memory.dmp

Filesize
15.8MB

Download
memory/1564-178-0x00000267C4160000-0x00000267C5130000-memory.dmp

Filesize
15.8MB

Download
memory/1564-221-0x00007FF827A70000-0x00007FF827A80000-memory.dmp

Filesize
64KB

Download
memory/1564-220-0x00007FF827A70000-0x00007FF827A80000-memory.dmp

Filesize
64KB

Download
memory/1564-181-0x00000267C4160000-0x00000267C5130000-memory.dmp

Filesize
15.8MB

Download
memory/1564-219-0x00007FF827A70000-0x00007FF827A80000-memory.dmp

Filesize
64KB

Download
memory/1564-183-0x00000267C4160000-0x00000267C5130000-memory.dmp

Filesize
15.8MB

Download
memory/1564-184-0x00000267C4160000-0x00000267C5130000-memory.dmp

Filesize
15.8MB

Download
memory/1564-218-0x00007FF827A70000-0x00007FF827A80000-memory.dmp

Filesize
64KB

Download
memory/4368-182-0x0000000075790000-0x000000007582A000-memory.dmp

Filesize
616KB

Download
memory/4368-180-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/4368-179-0x0000000075790000-0x000000007582A000-memory.dmp

Filesize
616KB

Download
memory/4368-176-0x0000000075790000-0x000000007582A000-memory.dmp

Filesize
616KB

Download