hancitor | 044805bd45e1bfa0618ad7f0ca651ff691ce7b58e08b1761536aa53d38fc4667

General

Target

044805bd45e1bfa0618ad7f0ca651ff691ce7b58e08b1761536aa53d38fc4667.doc
Size

892KB
MD5

eca53d1189d86e35b7567fa2f7b94352
SHA1

692e2c3d905d545ae6688c8982ff3e5b7176c42f
SHA256

044805bd45e1bfa0618ad7f0ca651ff691ce7b58e08b1761536aa53d38fc4667
SHA512

4df485a9bb729c942d87066783f802427d68d161ae73fa1bace752a82b8d2830be5acff22e61bec1cdafa1ff0608d67ad0288adeb31d0a196564c25fef88d417
SSDEEP

24576:kEIZ4wAK74NAx5KxZTBG75gdKtYkzyHxhL:k+wZ74Nx3c75O3WyHx

Score

10^/10

hancitor discovery downloader

Malware Config

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2972	3096	cmd.exe	83

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
42	api.ipify.org

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2972	cmd.exe
3912	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{81A7FDC1-6544-432A-B7FA-FA03246CBB8F}\zoro.kl:Zone.Identifier	WINWORD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3912	PING.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3096	WINWORD.EXE
3096	WINWORD.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3096	WINWORD.EXE
3096	WINWORD.EXE
3096	WINWORD.EXE
3096	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 2440	3096	WINWORD.EXE	88
PID 3096 wrote to memory of 2440	3096	WINWORD.EXE	88

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\044805bd45e1bfa0618ad7f0ca651ff691ce7b58e08b1761536aa53d38fc4667.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2440
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c ping localhost -n 10 & rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\iff.bin,GWCRALYCYIAUAFG
  2⤵
  - Process spawned unexpected child process
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2972
- - C:\Windows\system32\PING.EXE
    ping localhost -n 10
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3912
- - C:\Windows\system32\rundll32.exe
    rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\iff.bin,GWCRALYCYIAUAFG
    3⤵
    PID:3188
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\iff.bin,GWCRALYCYIAUAFG
      4⤵
      PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\448FEF4F.emf

Filesize
4KB

MD5
ffb63dc6ca8cb27f9d6a0141da1482c8

SHA1
1e5b332cefb686a169e1198cbc3c2a95e6e6692b

SHA256
22cb1cd8c46465ed697881645d7fbad3ad5b4b460b1f89d905f9c128d7f9f5b8

SHA512
740bd4881f54f2e35123984b00397c04712f56b20c21eceed0a5620e34c210a1789ca801592ba442c4e5651dfb00658466e9bb8ae64fbbfe34d576470f920926

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
393B

MD5
5fd2ba896a6fbe3f44cf2a53a817943e

SHA1
868fad2aa59aed2d08d845411a61daad5f9366fc

SHA256
a9b55670d8e00043b79646936af9aff04be740eff870005c08908584d777e562

SHA512
4ce94bffcc7203d312b5e87f1a6bcb9f5696963d3fba3dfdb98bcdfce1966899f5cfc6a1928b919752e17b91d3184126ac2e6ac41b38f6fd34d99a80cae720fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\zoro.doc

Filesize
285KB

MD5
c454093f21d7862bb0d966d74d4a45a3

SHA1
1cb807819ebecd9f136a7aa0dd33de1c19ba664b

SHA256
61e4a618ed522ff01ad8b609d3b0aeca35b11502c440a5f6d56594c942b93e7a

SHA512
fc51d1ec8244cb31ede178da97053d0672b2f8a1378b9f491c2b4a00833a97f3ad6c8bbce130745208858983c6cf575baa2a8adbfd4a3ff1d7fa9d745e032356

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
26171bb33fcad5db97d46be804b4f328

SHA1
c6a95c548758fea7b992d208c4d0f4d9f36437e4

SHA256
c0ff84a38bad014462e6be067c78f2028e5a70042f13b715f1424352ad9d1a68

SHA512
622b60e4eb16c69bcb9e438c627c26a1c5c0c6e4535e95f70b0a4fba4272b2c461f3c1adc82cde971082d21f63026b1a4f134df08443cc6ededd57331665b88a

Download Submit
\??\c:\users\admin\appdata\roaming\microsoft\templates\iff.bin

Filesize
1.9MB

MD5
a93f9ecb20354d450b0443b63808c5ef

SHA1
95ac8afcf79459b8670dc932b39ac752d0c0ab1d

SHA256
245dd0bff1c08559e5e68ea25aadbf5bc6ebef5831ec19c34d8d2021747157fe

SHA512
1e2b42b2ca2fda92f5104cce1a7a9a63b20694b999bd4685da44a5178b002a1f0ed47c581006437f48616224f3e03f667fdd674e687e6d56d6818979fcdc5838

Download Submit
memory/2112-187-0x0000000010000000-0x0000000010204000-memory.dmp

Filesize
2.0MB

Download
memory/3096-8-0x00007FFD198D0000-0x00007FFD19AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3096-14-0x00007FFCD78C0000-0x00007FFCD78D0000-memory.dmp

Filesize
64KB

Download
memory/3096-4-0x00007FFCD9950000-0x00007FFCD9960000-memory.dmp

Filesize
64KB

Download
memory/3096-11-0x00007FFD198D0000-0x00007FFD19AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3096-10-0x00007FFD198D0000-0x00007FFD19AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3096-13-0x00007FFD198D0000-0x00007FFD19AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3096-12-0x00007FFCD78C0000-0x00007FFCD78D0000-memory.dmp

Filesize
64KB

Download
memory/3096-9-0x00007FFD198D0000-0x00007FFD19AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3096-17-0x00007FFD198D0000-0x00007FFD19AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3096-18-0x00007FFD198D0000-0x00007FFD19AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3096-16-0x00007FFD198D0000-0x00007FFD19AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3096-19-0x00007FFD198D0000-0x00007FFD19AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3096-15-0x00007FFD198D0000-0x00007FFD19AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3096-7-0x00007FFD198D0000-0x00007FFD19AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3096-39-0x00007FFD198D0000-0x00007FFD19AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3096-48-0x00007FFD198D0000-0x00007FFD19AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3096-6-0x00007FFD198D0000-0x00007FFD19AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3096-0-0x00007FFCD9950000-0x00007FFCD9960000-memory.dmp

Filesize
64KB

Download
memory/3096-5-0x00007FFCD9950000-0x00007FFCD9960000-memory.dmp

Filesize
64KB

Download
memory/3096-1-0x00007FFCD9950000-0x00007FFCD9960000-memory.dmp

Filesize
64KB

Download
memory/3096-183-0x00007FFCD9950000-0x00007FFCD9960000-memory.dmp

Filesize
64KB

Download
memory/3096-182-0x00007FFCD9950000-0x00007FFCD9960000-memory.dmp

Filesize
64KB

Download
memory/3096-184-0x00007FFD198D0000-0x00007FFD19AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3096-181-0x00007FFCD9950000-0x00007FFCD9960000-memory.dmp

Filesize
64KB

Download
memory/3096-180-0x00007FFCD9950000-0x00007FFCD9960000-memory.dmp

Filesize
64KB

Download
memory/3096-3-0x00007FFD1996D000-0x00007FFD1996E000-memory.dmp

Filesize
4KB

Download
memory/3096-2-0x00007FFCD9950000-0x00007FFCD9960000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads