| File name: | help.doc |
| Full analysis: | https://app.any.run/tasks/c9e51f6a-4e3c-462f-9305-e8ea6ee6595b |
| Verdict: | Malicious activity |
| Threats: | Hancitor was created in 2014 to drop other malware on infected machines. It is also known as Tordal and Chanitor. This malware is available as a service which makes it accessible tools to criminals and contributes to the popularity of this virus. |
| Analysis date: | August 02, 2022, 07:17:00 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/encrypted |
| File info: | CDFV2 Encrypted |
| MD5: | B259E7D25E95EE65052D6DB146BCFE24 |
| SHA1: | B788506181233087E4AFF0CAFF8755E2C32733EF |
| SHA256: | 106A02E6E6452320F7F5425DBFBC8B126AC331D3C758417B08AB80B8AAA91846 |
| SSDEEP: | 1536:lePhCq5vJl18xTGz9MGMd+w3YwRxU+0gB0U/ymYomGgekV5f6Rfy6YP9+bnLMQ4E:gZvVMTGZMLLxNztymYLek+j08bLMQAd |
MALICIOUS
Executable content was dropped or overwritten
- WINWORD.EXE (PID: 3160)
Drops executable file immediately after starts
- WINWORD.EXE (PID: 3160)
Loads dropped or rewritten executable
- rundll32.exe (PID: 3888)
HANCITOR detected by memory dumps
- rundll32.exe (PID: 3888)
SUSPICIOUS
Checks supported languages
- cmd.exe (PID: 1716)
- cmd.exe (PID: 968)
Application launched itself
- cmd.exe (PID: 968)
Drops a file with a compile date too recent
- WINWORD.EXE (PID: 3160)
Checks for external IP
- rundll32.exe (PID: 3888)
INFO
Checks supported languages
- WINWORD.EXE (PID: 3160)
- PING.EXE (PID: 1572)
- PING.EXE (PID: 2332)
- rundll32.exe (PID: 3888)
Reads the computer name
- PING.EXE (PID: 2332)
- WINWORD.EXE (PID: 3160)
- PING.EXE (PID: 1572)
- rundll32.exe (PID: 3888)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 3160)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Hancitor
(PID) Process(3888) rundll32.exe
Hosts (3)http://hiltustra.com/9/forum.php
http://corelince.ru/9/forum.php
http://mernwel.ru/9/forum.php
Hosts (3)http://hiltustra.com/9/forum.php
http://corelince.ru/9/forum.php
http://mernwel.ru/9/forum.php
Total processes
41
Monitored processes
6
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3160 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\help.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 968 | cmd.exe /c cd c:\users\admin\appdata\roaming\microsoft\templates && ping localhost -n 10 && c:\users\admin\appdata\roaming\microsoft\templates/1.bat | C:\Windows\system32\cmd.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2332 | ping localhost -n 10 | C:\Windows\system32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1716 | cmd.exe /c ping localhost -n 10 | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1572 | ping localhost -n 10 | C:\Windows\system32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3888 | rundll32.exe iff.bin,WCWGVXGWTDGAWLW | C:\Windows\system32\rundll32.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
Hancitor(PID) Process(3888) rundll32.exe Hosts (3)http://hiltustra.com/9/forum.php http://corelince.ru/9/forum.php http://mernwel.ru/9/forum.php (PID) Process(3888) rundll32.exe Hosts (3)http://hiltustra.com/9/forum.php http://corelince.ru/9/forum.php http://mernwel.ru/9/forum.php | |||||||||||||||
Total events
3 173
Read events
3 056
Write events
91
Delete events
26
Modification events
| (PID) Process: | (3160) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | >"> |
Value: 3E223E00580C0000010000000000000000000000 | |||
| (PID) Process: | (3160) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (3160) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1041 |
Value: Off | |||
| (PID) Process: | (3160) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1046 |
Value: Off | |||
| (PID) Process: | (3160) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1036 |
Value: Off | |||
| (PID) Process: | (3160) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1031 |
Value: Off | |||
| (PID) Process: | (3160) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1040 |
Value: Off | |||
| (PID) Process: | (3160) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1049 |
Value: Off | |||
| (PID) Process: | (3160) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 3082 |
Value: Off | |||
| (PID) Process: | (3160) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1042 |
Value: Off | |||
Executable files
2
Suspicious files
5
Text files
2
Unknown types
8
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR42BE.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFD1640731C2C8F0B0.TMP | binary | |
MD5:B259E7D25E95EE65052D6DB146BCFE24 | SHA256:106A02E6E6452320F7F5425DBFBC8B126AC331D3C758417B08AB80B8AAA91846 | |||
| 3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFB8E17B4D58F24700.TMP | binary | |
MD5:B259E7D25E95EE65052D6DB146BCFE24 | SHA256:106A02E6E6452320F7F5425DBFBC8B126AC331D3C758417B08AB80B8AAA91846 | |||
| 3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF7EA3B2954B6AA735.TMP | binary | |
MD5:B259E7D25E95EE65052D6DB146BCFE24 | SHA256:106A02E6E6452320F7F5425DBFBC8B126AC331D3C758417B08AB80B8AAA91846 | |||
| 3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$help.doc | pgc | |
MD5:3865BDE3E442A6E838274658391D6859 | SHA256:BD8B8430C0EAFC62E5821830A12D791A039A5453DFAD2FA7FC8A9195DDBA9750 | |||
| 3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6BE8D99C.emf | emf | |
MD5:CC968E088CABC731BCFF725EA8DD5888 | SHA256:7FB350B0369BC587B1B7EE4FF38B3C941E70B3400CEBB73E63C90F3F73E0AE47 | |||
| 3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\if.bin | executable | |
MD5:9F09B1DD6235C28B091A7DBC9BCD9482 | SHA256:571CBA0431ACEA4739C5248DE1B1D33E76E995B3C7454F4D88D2785ADE6FDF74 | |||
| 3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{58CDF0E3-AFD6-46D6-9331-45A56AB78200}.tmp | binary | |
MD5:84E05BD008134F0172BE791C5069ECF2 | SHA256:47A12F4287CA9F25516D2248A4F613C4962E54E7DAE87A5E800595A53C5DB6E1 | |||
| 3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B50D8837-DA0E-4230-895E-93FB3D3A25DE}.tmp | binary | |
MD5:0B6BE54B077FECD8A9B253270BE92658 | SHA256:F191CCCC1C507101F72FEA8C735E4A7652270F2124AACF05DC624296E20BFA49 | |||
| 3160 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:9EC324D810D295ED7FAFE75C9F4207CE | SHA256:C7D40D6CB2361EAFF52256DDC5CDDBB2A763CB4EBD4299DEB3EA83FB06F72685 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
13
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3888 | rundll32.exe | GET | 200 | 3.232.242.170:80 | http://api.ipify.org/ | US | text | 13 b | shared |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 3.232.242.170:80 | api.ipify.org | — | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
api.ipify.org |
| shared |
hiltustra.com |
| malicious |
dns.msftncsi.com |
| shared |
corelince.ru |
| unknown |
mernwel.ru |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY External IP Lookup api.ipify.org |