hancitor | e88b8049397c21d470396692ef208d696364e36e556690297779cf68e311a9e6

General

Target

e88b8049397c21d470396692ef208d696364e36e556690297779cf68e311a9e6.doc
Size

893KB
MD5

32248c17f968e76bbe8b90ea3be8f6f9
SHA1

0d5318656d07f6a071b2ca3db6a96da387873941
SHA256

e88b8049397c21d470396692ef208d696364e36e556690297779cf68e311a9e6
SHA512

92213947b957c90aecf00df21b795018a174aa1aab38d42c4e8b93124429adc7ce1d599698834805103fd7c6f2a6bae0700305c3a692a43e1a9c74950137947b
SSDEEP

24576:jEIZ4wAK74NAx5KxZTBG75gdLtYkzyHtSD:j+wZ74Nx3c75OyWyHt

Score

10^/10

hancitor discovery downloader

Malware Config

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1280	4968	cmd.exe	83

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
45	api.ipify.org

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4424	PING.EXE
1280	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{DEAF4CBB-7A2B-46EC-8908-0E412F1A6565}\zoro.kl:Zone.Identifier	WINWORD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4424	PING.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4968	WINWORD.EXE
4968	WINWORD.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4968	WINWORD.EXE
4968	WINWORD.EXE
4968	WINWORD.EXE
4968	WINWORD.EXE
4968	WINWORD.EXE
4968	WINWORD.EXE
4968	WINWORD.EXE
4968	WINWORD.EXE
4968	WINWORD.EXE
4968	WINWORD.EXE
4968	WINWORD.EXE
4968	WINWORD.EXE
4968	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 4328	4968	WINWORD.EXE	87
PID 4968 wrote to memory of 4328	4968	WINWORD.EXE	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e88b8049397c21d470396692ef208d696364e36e556690297779cf68e311a9e6.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4328
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c ping localhost -n 10 & rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\iff.bin,GWCRALYCYIAUAFG
  2⤵
  - Process spawned unexpected child process
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1280
- - C:\Windows\system32\PING.EXE
    ping localhost -n 10
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4424
- - C:\Windows\system32\rundll32.exe
    rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\iff.bin,GWCRALYCYIAUAFG
    3⤵
    PID:3496
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\iff.bin,GWCRALYCYIAUAFG
      4⤵
      PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\96D9B3C8.emf

Filesize
4KB

MD5
ffb63dc6ca8cb27f9d6a0141da1482c8

SHA1
1e5b332cefb686a169e1198cbc3c2a95e6e6692b

SHA256
22cb1cd8c46465ed697881645d7fbad3ad5b4b460b1f89d905f9c128d7f9f5b8

SHA512
740bd4881f54f2e35123984b00397c04712f56b20c21eceed0a5620e34c210a1789ca801592ba442c4e5651dfb00658466e9bb8ae64fbbfe34d576470f920926

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
312B

MD5
d1cf01b6e11801f536a5de93c1ec8490

SHA1
158b76b6bed66e02cbed5e0e6149aa3f84b8cff8

SHA256
d8293f31dbfed6ba5654d83b811847c5acde6c7b7c337aef41ab52b3fbbc125e

SHA512
d073e6a8013f5c9b004e2c0527f0def1a103c311431a64b2f8c65409c877c74ce33867fba175ecab03e11ea53054b48ccda8ec01e1a7f7fc8fdaa651ecc0432e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\zoro.doc

Filesize
285KB

MD5
c454093f21d7862bb0d966d74d4a45a3

SHA1
1cb807819ebecd9f136a7aa0dd33de1c19ba664b

SHA256
61e4a618ed522ff01ad8b609d3b0aeca35b11502c440a5f6d56594c942b93e7a

SHA512
fc51d1ec8244cb31ede178da97053d0672b2f8a1378b9f491c2b4a00833a97f3ad6c8bbce130745208858983c6cf575baa2a8adbfd4a3ff1d7fa9d745e032356

Download Submit
\??\c:\users\admin\appdata\roaming\microsoft\templates\iff.bin

Filesize
1.9MB

MD5
a93f9ecb20354d450b0443b63808c5ef

SHA1
95ac8afcf79459b8670dc932b39ac752d0c0ab1d

SHA256
245dd0bff1c08559e5e68ea25aadbf5bc6ebef5831ec19c34d8d2021747157fe

SHA512
1e2b42b2ca2fda92f5104cce1a7a9a63b20694b999bd4685da44a5178b002a1f0ed47c581006437f48616224f3e03f667fdd674e687e6d56d6818979fcdc5838

Download Submit
memory/4256-187-0x0000000010000000-0x0000000010204000-memory.dmp

Filesize
2.0MB

Download
memory/4968-9-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-20-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-7-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-8-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-3-0x00007FFEE0B30000-0x00007FFEE0B40000-memory.dmp

Filesize
64KB

Download
memory/4968-10-0x00007FFEDE5B0000-0x00007FFEDE5C0000-memory.dmp

Filesize
64KB

Download
memory/4968-11-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-14-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-15-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-16-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-17-0x00007FFEDE5B0000-0x00007FFEDE5C0000-memory.dmp

Filesize
64KB

Download
memory/4968-18-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-23-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-22-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-21-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-6-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-19-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-13-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-12-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-45-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-47-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-48-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-1-0x00007FFF20B4D000-0x00007FFF20B4E000-memory.dmp

Filesize
4KB

Download
memory/4968-2-0x00007FFEE0B30000-0x00007FFEE0B40000-memory.dmp

Filesize
64KB

Download
memory/4968-4-0x00007FFEE0B30000-0x00007FFEE0B40000-memory.dmp

Filesize
64KB

Download
memory/4968-181-0x00007FFEE0B30000-0x00007FFEE0B40000-memory.dmp

Filesize
64KB

Download
memory/4968-183-0x00007FFEE0B30000-0x00007FFEE0B40000-memory.dmp

Filesize
64KB

Download
memory/4968-182-0x00007FFEE0B30000-0x00007FFEE0B40000-memory.dmp

Filesize
64KB

Download
memory/4968-180-0x00007FFEE0B30000-0x00007FFEE0B40000-memory.dmp

Filesize
64KB

Download
memory/4968-184-0x00007FFF20AB0000-0x00007FFF20CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-0-0x00007FFEE0B30000-0x00007FFEE0B40000-memory.dmp

Filesize
64KB

Download
memory/4968-5-0x00007FFEE0B30000-0x00007FFEE0B40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads