hancitor | 42eae0d7813c39340ec3eac60f578d04aa9c4f351d8552e1cb850382ca2746ac

Analysis

max time kernel
139s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WIS_868087283709651.vbs
Size

726KB
MD5

a21cda7e8d89d17b1bbc3c27035b132c
SHA1

357ab07a728aa6e1cadae86f47ac0ebefda296bf
SHA256

ec12eb1046c20c246ac6add559a64b52485d251e300c1d2dd4503de8a08c73d5
SHA512

bf02164fc72977f509771b92c41706e3fb1c357c3245b7cc2aeb15ad2492320a5f834f8fc1bb8531e799fa078c8cf973373916d89478a8c8d0ba4af8abce5d72
SSDEEP

12288:GMrUPl85od7HaQBUKqzoSv0DyZ1IfNKOngDi/4ogf3bQkrkT8W1B7jcCBLwnoppi:GaUPlTlUKqzoSvUo0gO2LbkTxpHLfHKH

Score

10^/10

hancitor 0212_4377843 discovery downloader

Malware Config

Extracted

Family

hancitor

Botnet

0212_4377843

http://laticivue.com/4/forum.php

http://isintilexts.ru/4/forum.php

http://sailitisk.ru/4/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	4136	regsvr32.exe	92

Loads dropped DLL 1 IoCs

pid	Process
3500	regsvr32.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3500 set thread context of 1692	3500	regsvr32.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1692	svchost.exe
1692	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2408	WScript.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3960 wrote to memory of 3500	3960	regsvr32.exe	94
PID 3960 wrote to memory of 3500	3960	regsvr32.exe	94
PID 3960 wrote to memory of 3500	3960	regsvr32.exe	94
PID 3500 wrote to memory of 1692	3500	regsvr32.exe	103
PID 3500 wrote to memory of 1692	3500	regsvr32.exe	103
PID 3500 wrote to memory of 1692	3500	regsvr32.exe	103
PID 3500 wrote to memory of 1692	3500	regsvr32.exe	103
PID 3500 wrote to memory of 1692	3500	regsvr32.exe	103

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WIS_868087283709651.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2408

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\RodQw.txt
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Windows\SysWOW64\regsvr32.exe
  -s C:\Users\Admin\AppData\Local\Temp\RodQw.txt
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RodQw.txt

Filesize
137KB

MD5
daa9b06974fa5963b39e0120babe138c

SHA1
4cc4588d284bead0d6dae54761de42cd048f77a1

SHA256
f01881dbff4546bd2d66a49cc01ee09e306c025aaa4df16022eb826426f2e004

SHA512
fad62deded0a108914759bca2f5aa43948024b7032ed4f904ad3fa1e5079c4bc81a7badb31fd975c97b4bd57830f56910b3eeca3ae9fc4a3fd08722e5e0273f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbBWiuTDzX.txt.zip

Filesize
46KB

MD5
b06a8df09f96f2571edf59bac9c1eb85

SHA1
0a01fb9a851dae892bfe22295b81e561d2dfb7ea

SHA256
711b6a37b4f858ea5f02fb2cb29b823e99ae4838adfa5c640e4d6f44cef10650

SHA512
49d99f2ae712ea141d65cf76495fe15d0c19ee51b32e37671e022760d1f4817f4ccfe73f621acd5a86ccd547132715521d8c82f9e58ef62abc0062d748323f5c

Download Submit
memory/1692-25-0x0000000000460000-0x0000000000469000-memory.dmp

Filesize
36KB

Download
memory/1692-29-0x0000000000460000-0x0000000000469000-memory.dmp

Filesize
36KB

Download
memory/1692-30-0x0000000000460000-0x0000000000469000-memory.dmp

Filesize
36KB

Download
memory/1692-31-0x0000000000460000-0x0000000000469000-memory.dmp

Filesize
36KB

Download
memory/3500-23-0x0000000001150000-0x0000000001159000-memory.dmp

Filesize
36KB

Download
memory/3500-24-0x0000000001260000-0x000000000126C000-memory.dmp

Filesize
48KB

Download
memory/3500-28-0x0000000001260000-0x000000000126C000-memory.dmp

Filesize
48KB

Download
memory/3500-27-0x0000000001150000-0x0000000001159000-memory.dmp

Filesize
36KB

Download