analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

0208_54741869750132.doc

Full analysis: https://app.any.run/tasks/4a9eaf6f-1727-4636-99f1-5d677456213f
Verdict: Malicious activity
Threats:

Hancitor was created in 2014 to drop other malware on infected machines. It is also known as Tordal and Chanitor. This malware is available as a service which makes it accessible tools to criminals and contributes to the popularity of this virus.

Analysis date: February 10, 2021, 00:57:46
OS: Windows 10 Professional (build: 16299, 64 bit)
Tags:
macros
ole-embedded
macros-on-open
generated-doc
evasion
trojan
hancitor
maldoc-57
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: MyPc, Template: 0802_20304783210485.dotm, Last Saved By: MyPc, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Mon Feb 8 13:07:00 2021, Last Saved Time/Date: Mon Feb 8 13:07:00 2021, Number of Pages: 1, Number of Words: 3, Number of Characters: 19, Security: 0
MD5:

7F6C623196D7E76C205B4FB898AD9BE6

SHA1:

408BB5B4E8AC34CE3B70BA54E00E9858CED885C0

SHA256:

3A5648F7DE99C4F87331C36983FC8ADCD667743569A19C8DAFDD5E8A33DE154D

SSDEEP:

24576:pA8N8rVgYpNGhCOndGCl/LSD7aq/Iq9M:x0JkCOo6T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 4532)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 4440)
    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 4440)
    • HANCITOR was detected

      • rundll32.exe (PID: 4532)
    • Connects to CnC server

      • rundll32.exe (PID: 4532)
  • SUSPICIOUS

    • Checks for external IP

      • rundll32.exe (PID: 4532)
    • Drops a file with too old compile date

      • WINWORD.EXE (PID: 4440)
    • Uses RUNDLL32.EXE to load library

      • rundll32.exe (PID: 2444)
      • WINWORD.EXE (PID: 4440)
  • INFO

    • Reads settings of System Certificates

      • WINWORD.EXE (PID: 4440)
    • Reads Environment values

      • WINWORD.EXE (PID: 4440)
    • Reads the software policy settings

      • WINWORD.EXE (PID: 4440)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 4440)
    • Scans artifacts that could help determine the target

      • WINWORD.EXE (PID: 4440)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 4440)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (34.5)
.doc | Microsoft Word document (old ver.) (20.5)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 21
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 19
Words: 3
Pages: 1
ModifyDate: 2021:02:08 13:07:00
CreateDate: 2021:02:08 13:07:00
TotalEditTime: 1.0 minutes
Software: Microsoft Office Word
RevisionNumber: 2
LastModifiedBy: MyPc
Template: 0802_20304783210485.dotm
Comments: -
Keywords: -
Author: MyPc
Subject: -
Title: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
90
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe splwow64.exe no specs rundll32.exe no specs #HANCITOR rundll32.exe

Process information

PID
CMD
Path
Indicators
Parent process
4440"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\0208_54741869750132.doc" /o ""C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
16.0.12026.20264
1172C:\WINDOWS\splwow64.exe 8192C:\WINDOWS\splwow64.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Print driver host for applications
Version:
10.0.16299.15 (WinBuild.160101.0800)
2444"C:\Windows\System32\rundll32.exe" C:\Users\admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,UminslaIIF0mtC:\Windows\System32\rundll32.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
10.0.16299.15 (WinBuild.160101.0800)
4532"C:\Windows\System32\rundll32.exe" C:\Users\admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,UminslaIIF0mtC:\WINDOWS\SysWOW64\rundll32.exe
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
10.0.16299.15 (WinBuild.160101.0800)
Total events
2 511
Read events
2 308
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
7
Text files
12
Unknown types
8

Dropped files

PID
Process
Filename
Type
4440WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0IEAPKKM6QTH60TG7HHA.temp
MD5:
SHA256:
4440WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HI4AZKAOSG7JV6REPIGY.temp
MD5:
SHA256:
4440WINWORD.EXEC:\Users\admin\AppData\Local\Temp\msohtmlclip1_PendingDelete
MD5:
SHA256:
4440WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Word\~WRD0000.tmp
MD5:
SHA256:
4440WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Word\0208_54741869750132308672720651429565\0208_54741869750132((Autorecovered-308672720651263488)).asd
MD5:
SHA256:
4440WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF7FD474C00F6C5550.TMP
MD5:
SHA256:
4440WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:C54FC3FD7F150762DF90584D25C4467D
SHA256:66778DD8F34D52A7EE3948EE879690D8F6B2B94ABB185ADC36DC4DC69EE608C8
4440WINWORD.EXEC:\Users\admin\Desktop\~$08_54741869750132.docpgc
MD5:48CFDB6835C991369398A8BC423E0ECA
SHA256:60952E8D0BE316E6BCC183F53FC7E96AA15DFF1EDFC9D1351E04419970B14E33
4440WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Word\~WRL0001.tmpdocument
MD5:60257272270BE1A688A0D96902457B18
SHA256:5D6D42CF719F5F1FDD7C4F0DCCAE43AF98CA343D4AA60DA9B5537CC2C1C1380F
4440WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Word\0208_54741869750132308672720651429565\0208_54741869750132.doc.lnklnk
MD5:A94209AE9BEE762703F5DAE0CA60BE34
SHA256:3ADC0757B69951F9E23C9200F70BDA65C3620311867057E3CA20D59D7FFA3BCA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
6
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4532
rundll32.exe
POST
213.5.229.12:80
http://satursed.com/8/forum.php
RU
malicious
4532
rundll32.exe
POST
200
95.216.84.231:80
http://sameastar.ru/8/forum.php
DE
text
12 b
malicious
4532
rundll32.exe
GET
200
54.243.164.148:80
http://api.ipify.org/
US
text
12 b
shared
4440
WINWORD.EXE
GET
200
13.107.42.23:443
https://config.edge.skype.com/config/v2/Office/word/16.0.12026.20264/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=word&Platform=win32&Version=16.0.12026.20264&MsoVersion=16.0.12026.20194&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7b1094F915-360F-429B-B652-264CCDCABC55%7d&LabMachine=false
US
text
89.2 Kb
whitelisted
4440
WINWORD.EXE
POST
200
52.114.32.25:443
https://self.events.data.microsoft.com/OneCollector/1.0/
JP
text
9 b
whitelisted
4440
WINWORD.EXE
POST
200
52.114.32.25:443
https://self.events.data.microsoft.com/OneCollector/1.0/
JP
text
9 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4532
rundll32.exe
213.5.229.12:80
satursed.com
ArtPlanet LLC
RU
malicious
4440
WINWORD.EXE
52.114.32.25:443
self.events.data.microsoft.com
Microsoft Corporation
JP
whitelisted
4532
rundll32.exe
54.243.164.148:80
api.ipify.org
Amazon.com, Inc.
US
suspicious
4532
rundll32.exe
95.216.84.231:80
sameastar.ru
Hetzner Online GmbH
DE
malicious
4440
WINWORD.EXE
13.107.42.23:443
config.edge.skype.com
Microsoft Corporation
US
suspicious

DNS requests

Domain
IP
Reputation
config.edge.skype.com
  • 13.107.42.23
whitelisted
api.ipify.org
  • 54.243.164.148
  • 54.235.189.250
  • 23.21.252.4
  • 23.21.76.253
  • 54.235.142.93
  • 23.21.140.41
  • 54.221.253.252
  • 50.19.252.36
shared
satursed.com
  • 213.5.229.12
malicious
self.events.data.microsoft.com
  • 52.114.32.25
  • 138.91.140.216
whitelisted
sameastar.ru
  • 95.216.84.231
malicious

Threats

PID
Process
Class
Message
4532
rundll32.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup api.ipify.org
4532
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Hancitor POST Data send
4532
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Hancitor POST Data send
2 ETPRO signatures available at the full report
No debug info