hancitor | 42eae0d7813c39340ec3eac60f578d04aa9c4f351d8552e1cb850382ca2746ac

General

Target

WIS_868087283709651.vbs
Size

726KB
MD5

a21cda7e8d89d17b1bbc3c27035b132c
SHA1

357ab07a728aa6e1cadae86f47ac0ebefda296bf
SHA256

ec12eb1046c20c246ac6add559a64b52485d251e300c1d2dd4503de8a08c73d5
SHA512

bf02164fc72977f509771b92c41706e3fb1c357c3245b7cc2aeb15ad2492320a5f834f8fc1bb8531e799fa078c8cf973373916d89478a8c8d0ba4af8abce5d72
SSDEEP

12288:GMrUPl85od7HaQBUKqzoSv0DyZ1IfNKOngDi/4ogf3bQkrkT8W1B7jcCBLwnoppi:GaUPlTlUKqzoSvUo0gO2LbkTxpHLfHKH

Score

10^/10

hancitor 0212_4377843 discovery downloader

Malware Config

Extracted

Family

hancitor

Botnet

0212_4377843

C2

http://laticivue.com/4/forum.php

http://isintilexts.ru/4/forum.php

http://sailitisk.ru/4/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3960 4136 regsvr32.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3500 regsvr32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

48 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 3500 set thread context of 1692 3500 regsvr32.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	4136	regsvr32.exe

pid	process
3500	regsvr32.exe

flow	ioc
48	api.ipify.org

description	pid	process	target process
PID 3500 set thread context of 1692	3500	regsvr32.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

regsvr32.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exe

pid process

1692 svchost.exe
1692 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WScript.exe

pid process

2408 WScript.exe

pid	process
1692	svchost.exe
1692	svchost.exe

pid	process
2408	WScript.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 3960 wrote to memory of 3500	3960	regsvr32.exe	regsvr32.exe
PID 3960 wrote to memory of 3500	3960	regsvr32.exe	regsvr32.exe
PID 3960 wrote to memory of 3500	3960	regsvr32.exe	regsvr32.exe
PID 3500 wrote to memory of 1692	3500	regsvr32.exe	svchost.exe
PID 3500 wrote to memory of 1692	3500	regsvr32.exe	svchost.exe
PID 3500 wrote to memory of 1692	3500	regsvr32.exe	svchost.exe
PID 3500 wrote to memory of 1692	3500	regsvr32.exe	svchost.exe
PID 3500 wrote to memory of 1692	3500	regsvr32.exe	svchost.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WIS_868087283709651.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2408

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\RodQw.txt
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Windows\SysWOW64\regsvr32.exe
  -s C:\Users\Admin\AppData\Local\Temp\RodQw.txt
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RodQw.txt

Filesize
137KB

MD5
daa9b06974fa5963b39e0120babe138c

SHA1
4cc4588d284bead0d6dae54761de42cd048f77a1

SHA256
f01881dbff4546bd2d66a49cc01ee09e306c025aaa4df16022eb826426f2e004

SHA512
fad62deded0a108914759bca2f5aa43948024b7032ed4f904ad3fa1e5079c4bc81a7badb31fd975c97b4bd57830f56910b3eeca3ae9fc4a3fd08722e5e0273f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbBWiuTDzX.txt.zip

Filesize
46KB

MD5
b06a8df09f96f2571edf59bac9c1eb85

SHA1
0a01fb9a851dae892bfe22295b81e561d2dfb7ea

SHA256
711b6a37b4f858ea5f02fb2cb29b823e99ae4838adfa5c640e4d6f44cef10650

SHA512
49d99f2ae712ea141d65cf76495fe15d0c19ee51b32e37671e022760d1f4817f4ccfe73f621acd5a86ccd547132715521d8c82f9e58ef62abc0062d748323f5c

Download Submit
memory/1692-25-0x0000000000460000-0x0000000000469000-memory.dmp

Filesize
36KB

Download
memory/1692-29-0x0000000000460000-0x0000000000469000-memory.dmp

Filesize
36KB

Download
memory/1692-30-0x0000000000460000-0x0000000000469000-memory.dmp

Filesize
36KB

Download
memory/1692-31-0x0000000000460000-0x0000000000469000-memory.dmp

Filesize
36KB

Download
memory/3500-23-0x0000000001150000-0x0000000001159000-memory.dmp

Filesize
36KB

Download
memory/3500-24-0x0000000001260000-0x000000000126C000-memory.dmp

Filesize
48KB

Download
memory/3500-28-0x0000000001260000-0x000000000126C000-memory.dmp

Filesize
48KB

Download
memory/3500-27-0x0000000001150000-0x0000000001159000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing