hancitor | 3af1f23c945a8790a256c5cd13bd6f1d29ab5cfa6d40ce88e44aebba33696922

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
14-04-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef8cf02b28315daff8ea591bc351976b_JaffaCakes118.doc
Size

534KB
MD5

ef8cf02b28315daff8ea591bc351976b
SHA1

0bc5d06813f9c5aba1369e705dafbc1546c54e4f
SHA256

3af1f23c945a8790a256c5cd13bd6f1d29ab5cfa6d40ce88e44aebba33696922
SHA512

d62d6671a04ad41b38fece9b86d1517cb876be54ffd367f535ee29d0c2d8bc1c91d8abe3d3af05c01be46bfb73b8f53eadf19f7c4354704a574542649618fe2d
SSDEEP

12288:s8CmEKY7gpWMBgroM6scG2u302l0HwbsG7kWunEDXm/zjHwB7:s8CmEj6Bg0MDn2u3049HSn+Xm/s

Score

10^/10

hancitor 1910_nsw downloader

Malware Config

Extracted

Family

hancitor

Botnet

1910_nsw

http://newnucapi.com/8/forum.php

http://gintlyba.ru/8/forum.php

http://stralonz.ru/8/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3756	2364	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

42 4256 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4256 rundll32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

41 api.ipify.org

flow	pid	process
42	4256	rundll32.exe

pid	process
4256	rundll32.exe

flow	ioc
41	api.ipify.org

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

NTFS ADS 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{DBDA89C6-C384-4FC9-B592-7F44313FE77F}\gelfor.dap:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{DBDA89C6-C384-4FC9-B592-7F44313FE77F}\zoro.kl:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2364 WINWORD.EXE
2364 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

4256 rundll32.exe
4256 rundll32.exe
4256 rundll32.exe
4256 rundll32.exe

pid	process
4256	rundll32.exe
4256	rundll32.exe
4256	rundll32.exe
4256	rundll32.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
2364	WINWORD.EXE
2364	WINWORD.EXE
2364	WINWORD.EXE
2364	WINWORD.EXE
2364	WINWORD.EXE
2364	WINWORD.EXE
2364	WINWORD.EXE
2364	WINWORD.EXE
2364	WINWORD.EXE
2364	WINWORD.EXE
2364	WINWORD.EXE
2364	WINWORD.EXE
2364	WINWORD.EXE
2364	WINWORD.EXE
2364	WINWORD.EXE
2364	WINWORD.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

WINWORD.EXErundll32.exe

description	pid	process	target process
PID 2364 wrote to memory of 700	2364	WINWORD.EXE	splwow64.exe
PID 2364 wrote to memory of 700	2364	WINWORD.EXE	splwow64.exe
PID 2364 wrote to memory of 3756	2364	WINWORD.EXE	rundll32.exe
PID 2364 wrote to memory of 3756	2364	WINWORD.EXE	rundll32.exe
PID 3756 wrote to memory of 4256	3756	rundll32.exe	rundll32.exe
PID 3756 wrote to memory of 4256	3756	rundll32.exe	rundll32.exe
PID 3756 wrote to memory of 4256	3756	rundll32.exe	rundll32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ef8cf02b28315daff8ea591bc351976b_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:700
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\gelforr.dap,MVELLJHNDSVBJLD
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\gelforr.dap,MVELLJHNDSVBJLD
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\16D6DBA0.emf

Filesize
4KB

MD5
bf2393dfe4576945d1f26d3595c5ef9f

SHA1
f9abbbcf4bad106e4f5c039082257357f4c28aef

SHA256
a1fa622b47a529e1064458aa0decd0c1ebc16efb621511c8cba545036ffeb00e

SHA512
bd9972b8310d1357529f62375b883ce3af01c01a56107a0cff93b8cdce43fe7931947ce10790ad5c596392ba8bab842d89e708d4999d87c9c4b858140688fdbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\370AE721.emf

Filesize
4KB

MD5
c024f2d9118240e0bfc483b9299dd6cf

SHA1
372f04b3efb4cb0a8fc3f82c7918d7478a230f80

SHA256
a23c652c83e35c3059746bbdbd71c80e2ac08535d420359cffb6e41df713dc85

SHA512
632b48760ca476cd6f01eefa2e6c516f34c822867590419351eefb8c78f6dab6eaf231feff6764d903e09c40eaca14a0b222a961d2ddec951fc8be3cabd3bf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDE167.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
241B

MD5
f5310e4d57eb4bfd0514b4070f46def9

SHA1
69392ae127b33f86e844982957a6d761d5368603

SHA256
2c8c3924add47db70a6449b6b493f71f6d045b7cb156bd2112a67724e5fad50c

SHA512
489cc600baa5d96584c1f40cc9eac34138543ed1325c7b109523cbd1028a880cddbc6c49ce089c961d157890a50c1761436facf83c46d87cbf21ca1ebbb54726

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\zoro.doc

Filesize
341KB

MD5
b6487ba7cff8bd5748c8dfa1f7db100c

SHA1
a49729ba20a4ad819e890682a88c470b0056a218

SHA256
dd891db0c9eed71e1f6e2f659a9b7dc18806626480f36b1e84ef18f41cd6a57d

SHA512
8b58aa8b20035b2b4aeeee1ae909bc5245ec0a615990b1f4b9938b8507726931a142e3dde111dc0ca70b3102683305b4e63df91b197136586404e66fcec81f83

Download Submit
\??\c:\users\admin\appdata\roaming\microsoft\templates\gelforr.dap

Filesize
525KB

MD5
4198ac1dc34de77ab8ceac3c9a25480e

SHA1
f8fb1264a292aecb6c2bf5c5d4f3e199e3a822ad

SHA256
8ff43b6ddf6243bd5ee073f9987920fa223809f589d151d7e438fd8cc08ce292

SHA512
37dd3c50283daa7be1fb831820d273b7663dddce4d98c87c8d08864fac2dc00daf243ca6e50e028d4f04262160f5dea9a98000cffb67d70c07875d3fc2e4c47c

Download Submit
memory/2364-41-0x0000016F17FC0000-0x0000016F18F90000-memory.dmp

Filesize
15.8MB

Download
memory/2364-6-0x00007FFE56430000-0x00007FFE56625000-memory.dmp

Filesize
2.0MB

Download
memory/2364-68-0x0000016F17FC0000-0x0000016F18F90000-memory.dmp

Filesize
15.8MB

Download
memory/2364-5-0x00007FFE164B0000-0x00007FFE164C0000-memory.dmp

Filesize
64KB

Download
memory/2364-70-0x0000016F13DB0000-0x0000016F145B0000-memory.dmp

Filesize
8.0MB

Download
memory/2364-7-0x00007FFE164B0000-0x00007FFE164C0000-memory.dmp

Filesize
64KB

Download
memory/2364-8-0x00007FFE56430000-0x00007FFE56625000-memory.dmp

Filesize
2.0MB

Download
memory/2364-9-0x00007FFE56430000-0x00007FFE56625000-memory.dmp

Filesize
2.0MB

Download
memory/2364-10-0x00007FFE56430000-0x00007FFE56625000-memory.dmp

Filesize
2.0MB

Download
memory/2364-11-0x00007FFE56430000-0x00007FFE56625000-memory.dmp

Filesize
2.0MB

Download
memory/2364-12-0x00007FFE56430000-0x00007FFE56625000-memory.dmp

Filesize
2.0MB

Download
memory/2364-13-0x00007FFE13C60000-0x00007FFE13C70000-memory.dmp

Filesize
64KB

Download
memory/2364-14-0x00007FFE56430000-0x00007FFE56625000-memory.dmp

Filesize
2.0MB

Download
memory/2364-15-0x00007FFE56430000-0x00007FFE56625000-memory.dmp

Filesize
2.0MB

Download
memory/2364-16-0x00007FFE56430000-0x00007FFE56625000-memory.dmp

Filesize
2.0MB

Download
memory/2364-72-0x0000016F17FC0000-0x0000016F18F90000-memory.dmp

Filesize
15.8MB

Download
memory/2364-18-0x00007FFE56430000-0x00007FFE56625000-memory.dmp

Filesize
2.0MB

Download
memory/2364-19-0x00007FFE56430000-0x00007FFE56625000-memory.dmp

Filesize
2.0MB

Download
memory/2364-20-0x00007FFE56430000-0x00007FFE56625000-memory.dmp

Filesize
2.0MB

Download
memory/2364-21-0x00007FFE56430000-0x00007FFE56625000-memory.dmp

Filesize
2.0MB

Download
memory/2364-22-0x00007FFE56430000-0x00007FFE56625000-memory.dmp

Filesize
2.0MB

Download
memory/2364-23-0x00007FFE56430000-0x00007FFE56625000-memory.dmp

Filesize
2.0MB

Download
memory/2364-2-0x00007FFE164B0000-0x00007FFE164C0000-memory.dmp

Filesize
64KB

Download
memory/2364-65-0x0000016F17FC0000-0x0000016F18F90000-memory.dmp

Filesize
15.8MB

Download
memory/2364-4-0x00007FFE56430000-0x00007FFE56625000-memory.dmp

Filesize
2.0MB

Download
memory/2364-3-0x00007FFE56430000-0x00007FFE56625000-memory.dmp

Filesize
2.0MB

Download
memory/2364-17-0x00007FFE13C60000-0x00007FFE13C70000-memory.dmp

Filesize
64KB

Download
memory/2364-73-0x0000016F17FC0000-0x0000016F18F90000-memory.dmp

Filesize
15.8MB

Download
memory/2364-97-0x0000016F17FC0000-0x0000016F18F90000-memory.dmp

Filesize
15.8MB

Download
memory/2364-174-0x00007FFE56430000-0x00007FFE56625000-memory.dmp

Filesize
2.0MB

Download
memory/2364-707-0x00007FFE56430000-0x00007FFE56625000-memory.dmp

Filesize
2.0MB

Download
memory/2364-706-0x00007FFE164B0000-0x00007FFE164C0000-memory.dmp

Filesize
64KB

Download
memory/2364-705-0x00007FFE164B0000-0x00007FFE164C0000-memory.dmp

Filesize
64KB

Download
memory/2364-704-0x00007FFE164B0000-0x00007FFE164C0000-memory.dmp

Filesize
64KB

Download
memory/2364-178-0x00007FFE56430000-0x00007FFE56625000-memory.dmp

Filesize
2.0MB

Download
memory/2364-1-0x00007FFE164B0000-0x00007FFE164C0000-memory.dmp

Filesize
64KB

Download
memory/2364-185-0x00007FFE56430000-0x00007FFE56625000-memory.dmp

Filesize
2.0MB

Download
memory/2364-186-0x0000016F17FC0000-0x0000016F18F90000-memory.dmp

Filesize
15.8MB

Download
memory/2364-187-0x0000016F17FC0000-0x0000016F18F90000-memory.dmp

Filesize
15.8MB

Download
memory/2364-188-0x0000016F13DB0000-0x0000016F145B0000-memory.dmp

Filesize
8.0MB

Download
memory/2364-190-0x0000016F17FC0000-0x0000016F18F90000-memory.dmp

Filesize
15.8MB

Download
memory/2364-191-0x0000016F17FC0000-0x0000016F18F90000-memory.dmp

Filesize
15.8MB

Download
memory/2364-192-0x0000016F17FC0000-0x0000016F18F90000-memory.dmp

Filesize
15.8MB

Download
memory/2364-0-0x00007FFE164B0000-0x00007FFE164C0000-memory.dmp

Filesize
64KB

Download
memory/2364-703-0x00007FFE164B0000-0x00007FFE164C0000-memory.dmp

Filesize
64KB

Download
memory/4256-671-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/4256-177-0x0000000074E40000-0x0000000074EDA000-memory.dmp

Filesize
616KB

Download
memory/4256-173-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/4256-172-0x0000000074E40000-0x0000000074EDA000-memory.dmp

Filesize
616KB

Download
memory/4256-171-0x0000000074E40000-0x0000000074EDA000-memory.dmp

Filesize
616KB

Download