hancitor | af2da35bd05abcc73ce04f9ee775209e6831a4a3df72c9e8531d35e36d84f84f

General

Target

af2da35bd05abcc73ce04f9ee775209e6831a4a3df72c9e8531d35e36d84f84f.doc
Size

892KB
MD5

fc0ac133bbf94c2080a6ed2f06f32d31
SHA1

403cf365bf5672e1df7d0ced3a2603ce87a54e17
SHA256

af2da35bd05abcc73ce04f9ee775209e6831a4a3df72c9e8531d35e36d84f84f
SHA512

94f7cbaf996f332265315b78f8d68210b530917883936041eff1b07c24dee3ca656c1ece4036554642c13a6f42e1976ebda10a620e5815ce15ac12c56f1b2e53
SSDEEP

24576:cEIZ4wAK74NAx5KxZTBG75gdYtYkzyHl4:c+wZ74Nx3c75OpWyHl

Score

10^/10

hancitor discovery downloader

Malware Config

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3516	3540	cmd.exe	83

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
41	api.ipify.org

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3516	cmd.exe
2088	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{21DC9F61-0F44-42B5-9DF3-5DA5FA59053C}\zoro.kl:Zone.Identifier	WINWORD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2088	PING.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3540	WINWORD.EXE
3540	WINWORD.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 4516	3540	WINWORD.EXE	89
PID 3540 wrote to memory of 4516	3540	WINWORD.EXE	89

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\af2da35bd05abcc73ce04f9ee775209e6831a4a3df72c9e8531d35e36d84f84f.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4516
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c ping localhost -n 10 & rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\iff.bin,GWCRALYCYIAUAFG
  2⤵
  - Process spawned unexpected child process
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3516
- - C:\Windows\system32\PING.EXE
    ping localhost -n 10
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2088
- - C:\Windows\system32\rundll32.exe
    rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\iff.bin,GWCRALYCYIAUAFG
    3⤵
    PID:4776
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe c:\users\admin\appdata\roaming\microsoft\templates\iff.bin,GWCRALYCYIAUAFG
      4⤵
      PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\56EEA7C1.emf

Filesize
4KB

MD5
ffb63dc6ca8cb27f9d6a0141da1482c8

SHA1
1e5b332cefb686a169e1198cbc3c2a95e6e6692b

SHA256
22cb1cd8c46465ed697881645d7fbad3ad5b4b460b1f89d905f9c128d7f9f5b8

SHA512
740bd4881f54f2e35123984b00397c04712f56b20c21eceed0a5620e34c210a1789ca801592ba442c4e5651dfb00658466e9bb8ae64fbbfe34d576470f920926

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
303B

MD5
a48d727d470fdea0413eadfd938a23a0

SHA1
a0ab613674b6889a10cf23310b63e2acd7d5c70e

SHA256
6c54126e1c3a6f252d2b56dbaaf2c4b2a855908512f5ed9a5870d102194d8641

SHA512
ed636618e2b0780efde5c63b81f64a31cb3c9a546b653f6a39fe617a94228af11633377f8eab1be3a4aadc73e618127b35c059143c7acf046ce30f3b85a73a9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\zoro.doc

Filesize
285KB

MD5
c454093f21d7862bb0d966d74d4a45a3

SHA1
1cb807819ebecd9f136a7aa0dd33de1c19ba664b

SHA256
61e4a618ed522ff01ad8b609d3b0aeca35b11502c440a5f6d56594c942b93e7a

SHA512
fc51d1ec8244cb31ede178da97053d0672b2f8a1378b9f491c2b4a00833a97f3ad6c8bbce130745208858983c6cf575baa2a8adbfd4a3ff1d7fa9d745e032356

Download Submit
\??\c:\users\admin\appdata\roaming\microsoft\templates\iff.bin

Filesize
1.9MB

MD5
a93f9ecb20354d450b0443b63808c5ef

SHA1
95ac8afcf79459b8670dc932b39ac752d0c0ab1d

SHA256
245dd0bff1c08559e5e68ea25aadbf5bc6ebef5831ec19c34d8d2021747157fe

SHA512
1e2b42b2ca2fda92f5104cce1a7a9a63b20694b999bd4685da44a5178b002a1f0ed47c581006437f48616224f3e03f667fdd674e687e6d56d6818979fcdc5838

Download Submit
memory/1704-157-0x0000000010000000-0x0000000010204000-memory.dmp

Filesize
2.0MB

Download
memory/3540-9-0x00007FFA0A4F0000-0x00007FFA0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-40-0x00007FFA0A4F0000-0x00007FFA0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-7-0x00007FFA0A4F0000-0x00007FFA0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-1-0x00007FFA0A58D000-0x00007FFA0A58E000-memory.dmp

Filesize
4KB

Download
memory/3540-10-0x00007FFA0A4F0000-0x00007FFA0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-11-0x00007FFA0A4F0000-0x00007FFA0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-8-0x00007FFA0A4F0000-0x00007FFA0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-12-0x00007FFA0A4F0000-0x00007FFA0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-14-0x00007FFA0A4F0000-0x00007FFA0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-15-0x00007FFA0A4F0000-0x00007FFA0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-16-0x00007FF9C8090000-0x00007FF9C80A0000-memory.dmp

Filesize
64KB

Download
memory/3540-13-0x00007FFA0A4F0000-0x00007FFA0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-17-0x00007FF9C8090000-0x00007FF9C80A0000-memory.dmp

Filesize
64KB

Download
memory/3540-6-0x00007FFA0A4F0000-0x00007FFA0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-46-0x00007FFA0A4F0000-0x00007FFA0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-47-0x00007FFA0A4F0000-0x00007FFA0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-48-0x00007FFA0A4F0000-0x00007FFA0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-2-0x00007FF9CA570000-0x00007FF9CA580000-memory.dmp

Filesize
64KB

Download
memory/3540-4-0x00007FF9CA570000-0x00007FF9CA580000-memory.dmp

Filesize
64KB

Download
memory/3540-5-0x00007FF9CA570000-0x00007FF9CA580000-memory.dmp

Filesize
64KB

Download
memory/3540-152-0x00007FF9CA570000-0x00007FF9CA580000-memory.dmp

Filesize
64KB

Download
memory/3540-153-0x00007FF9CA570000-0x00007FF9CA580000-memory.dmp

Filesize
64KB

Download
memory/3540-151-0x00007FF9CA570000-0x00007FF9CA580000-memory.dmp

Filesize
64KB

Download
memory/3540-150-0x00007FF9CA570000-0x00007FF9CA580000-memory.dmp

Filesize
64KB

Download
memory/3540-154-0x00007FFA0A4F0000-0x00007FFA0A6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-3-0x00007FF9CA570000-0x00007FF9CA580000-memory.dmp

Filesize
64KB

Download
memory/3540-0-0x00007FF9CA570000-0x00007FF9CA580000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads