hancitor | 42eae0d7813c39340ec3eac60f578d04aa9c4f351d8552e1cb850382ca2746ac

General

Target

WIS_868087283709651.vbs
Size

726KB
MD5

a21cda7e8d89d17b1bbc3c27035b132c
SHA1

357ab07a728aa6e1cadae86f47ac0ebefda296bf
SHA256

ec12eb1046c20c246ac6add559a64b52485d251e300c1d2dd4503de8a08c73d5
SHA512

bf02164fc72977f509771b92c41706e3fb1c357c3245b7cc2aeb15ad2492320a5f834f8fc1bb8531e799fa078c8cf973373916d89478a8c8d0ba4af8abce5d72
SSDEEP

12288:GMrUPl85od7HaQBUKqzoSv0DyZ1IfNKOngDi/4ogf3bQkrkT8W1B7jcCBLwnoppi:GaUPlTlUKqzoSvUo0gO2LbkTxpHLfHKH

Score

10^/10

hancitor 0212_4377843 discovery downloader

Malware Config

Extracted

Family

hancitor

Botnet

0212_4377843

C2

http://laticivue.com/4/forum.php

http://isintilexts.ru/4/forum.php

http://sailitisk.ru/4/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2936 2736 regsvr32.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2716 regsvr32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 2716 set thread context of 2640 2716 regsvr32.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2736	regsvr32.exe

pid	process
2716	regsvr32.exe

flow	ioc
4	api.ipify.org

description	pid	process	target process
PID 2716 set thread context of 2640	2716	regsvr32.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svchost.exeregsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

svchost.exe

pid process

2640 svchost.exe
2640 svchost.exe
2640 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WScript.exe

pid process

2692 WScript.exe

pid	process
2640	svchost.exe
2640	svchost.exe
2640	svchost.exe

pid	process
2692	WScript.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2936 wrote to memory of 2716	2936	regsvr32.exe	regsvr32.exe
PID 2936 wrote to memory of 2716	2936	regsvr32.exe	regsvr32.exe
PID 2936 wrote to memory of 2716	2936	regsvr32.exe	regsvr32.exe
PID 2936 wrote to memory of 2716	2936	regsvr32.exe	regsvr32.exe
PID 2936 wrote to memory of 2716	2936	regsvr32.exe	regsvr32.exe
PID 2936 wrote to memory of 2716	2936	regsvr32.exe	regsvr32.exe
PID 2936 wrote to memory of 2716	2936	regsvr32.exe	regsvr32.exe
PID 2716 wrote to memory of 2640	2716	regsvr32.exe	svchost.exe
PID 2716 wrote to memory of 2640	2716	regsvr32.exe	svchost.exe
PID 2716 wrote to memory of 2640	2716	regsvr32.exe	svchost.exe
PID 2716 wrote to memory of 2640	2716	regsvr32.exe	svchost.exe
PID 2716 wrote to memory of 2640	2716	regsvr32.exe	svchost.exe
PID 2716 wrote to memory of 2640	2716	regsvr32.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WIS_868087283709651.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2692

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\RodQw.txt
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SysWOW64\regsvr32.exe
  -s C:\Users\Admin\AppData\Local\Temp\RodQw.txt
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FBBWIU~1.ZIP

Filesize
46KB

MD5
b06a8df09f96f2571edf59bac9c1eb85

SHA1
0a01fb9a851dae892bfe22295b81e561d2dfb7ea

SHA256
711b6a37b4f858ea5f02fb2cb29b823e99ae4838adfa5c640e4d6f44cef10650

SHA512
49d99f2ae712ea141d65cf76495fe15d0c19ee51b32e37671e022760d1f4817f4ccfe73f621acd5a86ccd547132715521d8c82f9e58ef62abc0062d748323f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RodQw.txt

Filesize
137KB

MD5
daa9b06974fa5963b39e0120babe138c

SHA1
4cc4588d284bead0d6dae54761de42cd048f77a1

SHA256
f01881dbff4546bd2d66a49cc01ee09e306c025aaa4df16022eb826426f2e004

SHA512
fad62deded0a108914759bca2f5aa43948024b7032ed4f904ad3fa1e5079c4bc81a7badb31fd975c97b4bd57830f56910b3eeca3ae9fc4a3fd08722e5e0273f2

Download Submit
memory/2640-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2640-31-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2640-32-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2640-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2640-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2640-35-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2692-8-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/2716-24-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/2716-25-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2716-34-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2716-33-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing