File name: | help.doc |
Full analysis: | https://app.any.run/tasks/c9e51f6a-4e3c-462f-9305-e8ea6ee6595b |
Verdict: | Malicious activity |
Threats: | Hancitor was created in 2014 to drop other malware on infected machines. It is also known as Tordal and Chanitor. This malware is available as a service which makes it accessible tools to criminals and contributes to the popularity of this virus. |
Analysis date: | August 02, 2022, 07:17:00 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | B259E7D25E95EE65052D6DB146BCFE24 |
SHA1: | B788506181233087E4AFF0CAFF8755E2C32733EF |
SHA256: | 106A02E6E6452320F7F5425DBFBC8B126AC331D3C758417B08AB80B8AAA91846 |
SSDEEP: | 1536:lePhCq5vJl18xTGz9MGMd+w3YwRxU+0gB0U/ymYomGgekV5f6Rfy6YP9+bnLMQ4E:gZvVMTGZMLLxNztymYLek+j08bLMQAd |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3160 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\help.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Explorer.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
968 | cmd.exe /c cd c:\users\admin\appdata\roaming\microsoft\templates && ping localhost -n 10 && c:\users\admin\appdata\roaming\microsoft\templates/1.bat | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2332 | ping localhost -n 10 | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1716 | cmd.exe /c ping localhost -n 10 | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1572 | ping localhost -n 10 | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3888 | rundll32.exe iff.bin,WCWGVXGWTDGAWLW | C:\Windows\system32\rundll32.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) Hancitor(PID) Process(3888) rundll32.exe Hosts (3)http://hiltustra.com/9/forum.php http://corelince.ru/9/forum.php http://mernwel.ru/9/forum.php (PID) Process(3888) rundll32.exe Hosts (3)http://hiltustra.com/9/forum.php http://corelince.ru/9/forum.php http://mernwel.ru/9/forum.php |
(PID) Process: | (3160) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | >"> |
Value: 3E223E00580C0000010000000000000000000000 | |||
(PID) Process: | (3160) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (3160) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1041 |
Value: Off | |||
(PID) Process: | (3160) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1046 |
Value: Off | |||
(PID) Process: | (3160) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1036 |
Value: Off | |||
(PID) Process: | (3160) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1031 |
Value: Off | |||
(PID) Process: | (3160) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1040 |
Value: Off | |||
(PID) Process: | (3160) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1049 |
Value: Off | |||
(PID) Process: | (3160) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 3082 |
Value: Off | |||
(PID) Process: | (3160) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1042 |
Value: Off |
PID | Process | Filename | Type | |
---|---|---|---|---|
3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR42BE.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B50D8837-DA0E-4230-895E-93FB3D3A25DE}.tmp | binary | |
MD5:0B6BE54B077FECD8A9B253270BE92658 | SHA256:F191CCCC1C507101F72FEA8C735E4A7652270F2124AACF05DC624296E20BFA49 | |||
3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$help.doc | pgc | |
MD5:3865BDE3E442A6E838274658391D6859 | SHA256:BD8B8430C0EAFC62E5821830A12D791A039A5453DFAD2FA7FC8A9195DDBA9750 | |||
3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\if.bin | executable | |
MD5:9F09B1DD6235C28B091A7DBC9BCD9482 | SHA256:571CBA0431ACEA4739C5248DE1B1D33E76E995B3C7454F4D88D2785ADE6FDF74 | |||
3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{58CDF0E3-AFD6-46D6-9331-45A56AB78200}.tmp | binary | |
MD5:84E05BD008134F0172BE791C5069ECF2 | SHA256:47A12F4287CA9F25516D2248A4F613C4962E54E7DAE87A5E800595A53C5DB6E1 | |||
3160 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\iff.bin | executable | |
MD5:9F09B1DD6235C28B091A7DBC9BCD9482 | SHA256:571CBA0431ACEA4739C5248DE1B1D33E76E995B3C7454F4D88D2785ADE6FDF74 | |||
3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFB8E17B4D58F24700.TMP | binary | |
MD5:B259E7D25E95EE65052D6DB146BCFE24 | SHA256:106A02E6E6452320F7F5425DBFBC8B126AC331D3C758417B08AB80B8AAA91846 | |||
3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6BE8D99C.emf | emf | |
MD5:CC968E088CABC731BCFF725EA8DD5888 | SHA256:7FB350B0369BC587B1B7EE4FF38B3C941E70B3400CEBB73E63C90F3F73E0AE47 | |||
3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFD1640731C2C8F0B0.TMP | binary | |
MD5:B259E7D25E95EE65052D6DB146BCFE24 | SHA256:106A02E6E6452320F7F5425DBFBC8B126AC331D3C758417B08AB80B8AAA91846 | |||
3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF7EA3B2954B6AA735.TMP | binary | |
MD5:B259E7D25E95EE65052D6DB146BCFE24 | SHA256:106A02E6E6452320F7F5425DBFBC8B126AC331D3C758417B08AB80B8AAA91846 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3888 | rundll32.exe | GET | 200 | 3.232.242.170:80 | http://api.ipify.org/ | US | text | 13 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 3.232.242.170:80 | api.ipify.org | — | US | malicious |
Domain | IP | Reputation |
---|---|---|
api.ipify.org |
| shared |
hiltustra.com |
| malicious |
dns.msftncsi.com |
| shared |
corelince.ru |
| unknown |
mernwel.ru |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3888 | rundll32.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup api.ipify.org |