| File name: | 0208_54741869750132.doc |
| Full analysis: | https://app.any.run/tasks/4a9eaf6f-1727-4636-99f1-5d677456213f |
| Verdict: | Malicious activity |
| Threats: | Hancitor was created in 2014 to drop other malware on infected machines. It is also known as Tordal and Chanitor. This malware is available as a service which makes it accessible tools to criminals and contributes to the popularity of this virus. |
| Analysis date: | February 10, 2021, 00:57:46 |
| OS: | Windows 10 Professional (build: 16299, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: MyPc, Template: 0802_20304783210485.dotm, Last Saved By: MyPc, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Mon Feb 8 13:07:00 2021, Last Saved Time/Date: Mon Feb 8 13:07:00 2021, Number of Pages: 1, Number of Words: 3, Number of Characters: 19, Security: 0 |
| MD5: | 7F6C623196D7E76C205B4FB898AD9BE6 |
| SHA1: | 408BB5B4E8AC34CE3B70BA54E00E9858CED885C0 |
| SHA256: | 3A5648F7DE99C4F87331C36983FC8ADCD667743569A19C8DAFDD5E8A33DE154D |
| SSDEEP: | 24576:pA8N8rVgYpNGhCOndGCl/LSD7aq/Iq9M:x0JkCOo6T |
MALICIOUS
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 4440)
Executable content was dropped or overwritten
- WINWORD.EXE (PID: 4440)
Connects to CnC server
- rundll32.exe (PID: 4532)
Loads dropped or rewritten executable
- rundll32.exe (PID: 4532)
HANCITOR was detected
- rundll32.exe (PID: 4532)
SUSPICIOUS
Drops a file with too old compile date
- WINWORD.EXE (PID: 4440)
Uses RUNDLL32.EXE to load library
- WINWORD.EXE (PID: 4440)
- rundll32.exe (PID: 2444)
Checks for external IP
- rundll32.exe (PID: 4532)
INFO
Reads the software policy settings
- WINWORD.EXE (PID: 4440)
Reads settings of System Certificates
- WINWORD.EXE (PID: 4440)
Reads Environment values
- WINWORD.EXE (PID: 4440)
Creates files in the user directory
- WINWORD.EXE (PID: 4440)
Scans artifacts that could help determine the target
- WINWORD.EXE (PID: 4440)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 4440)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (34.5) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (20.5) |
EXIF
FlashPix
| Title: | - |
|---|---|
| Subject: | - |
| Author: | MyPc |
| Keywords: | - |
| Comments: | - |
| Template: | 0802_20304783210485.dotm |
| LastModifiedBy: | MyPc |
| RevisionNumber: | 2 |
| Software: | Microsoft Office Word |
| TotalEditTime: | 1.0 minutes |
| CreateDate: | 2021:02:08 13:07:00 |
| ModifyDate: | 2021:02:08 13:07:00 |
| Pages: | 1 |
| Words: | 3 |
| Characters: | 19 |
| Security: | None |
| CodePage: | Windows Latin 1 (Western European) |
| Company: | - |
| Lines: | 1 |
| Paragraphs: | 1 |
| CharCountWithSpaces: | 21 |
| AppVersion: | 16 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | - |
| HeadingPairs: |
|
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | Microsoft Word 97-2003 Document |
Total processes
90
Monitored processes
4
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1172 | C:\WINDOWS\splwow64.exe 8192 | C:\WINDOWS\splwow64.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Print driver host for applications Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2444 | "C:\Windows\System32\rundll32.exe" C:\Users\admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,UminslaIIF0mt | C:\Windows\System32\rundll32.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4440 | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\0208_54741869750132.doc" /o "" | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 16.0.12026.20264 Modules
| |||||||||||||||
| 4532 | "C:\Windows\System32\rundll32.exe" C:\Users\admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,UminslaIIF0mt | C:\WINDOWS\SysWOW64\rundll32.exe | rundll32.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
2 511
Read events
2 308
Write events
164
Delete events
39
Modification events
| (PID) Process: | (4440) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling |
| Operation: | write | Name: | 0 |
Value: 017012000000001000284FFA2E02000000000000000500000000000000 | |||
| (PID) Process: | (4440) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\Common\CrashPersistence\WINWORD\4440 |
| Operation: | write | Name: | 0 |
Value: 0B0E1015F994100F369B42B652264CCDCABC55230046A3B2BDF1FCE8BFEB016A0410240044FA5D64A89E01008500A907556E6B6E6F776EC9062E2237746A7531514A7270614A676C575A3133564B5831454135496D464B2F5649644A30497A464862453674383D2200 | |||
| (PID) Process: | (4440) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | en-US |
Value: 2 | |||
| (PID) Process: | (4440) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | es-es |
Value: 2 | |||
| (PID) Process: | (4440) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | de-de |
Value: 2 | |||
| (PID) Process: | (4440) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | fr-fr |
Value: 2 | |||
| (PID) Process: | (4440) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | it-it |
Value: 2 | |||
| (PID) Process: | (4440) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | ja-jp |
Value: 2 | |||
| (PID) Process: | (4440) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | ko-kr |
Value: 2 | |||
| (PID) Process: | (4440) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | pt-br |
Value: 2 | |||
Executable files
2
Suspicious files
7
Text files
12
Unknown types
8
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4440 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0IEAPKKM6QTH60TG7HHA.temp | — | |
MD5:— | SHA256:— | |||
| 4440 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HI4AZKAOSG7JV6REPIGY.temp | — | |
MD5:— | SHA256:— | |||
| 4440 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\msohtmlclip1_PendingDelete | — | |
MD5:— | SHA256:— | |||
| 4440 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Word\~WRD0000.tmp | — | |
MD5:— | SHA256:— | |||
| 4440 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Word\0208_54741869750132308672720651429565\0208_54741869750132((Autorecovered-308672720651263488)).asd | — | |
MD5:— | SHA256:— | |||
| 4440 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF7FD474C00F6C5550.TMP | — | |
MD5:— | SHA256:— | |||
| 4440 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:— | SHA256:— | |||
| 4440 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF085F559882FAAF58.TMP | — | |
MD5:— | SHA256:— | |||
| 4440 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{037EE41A-ACB9-4CAF-A4BE-03327481FD37}.tmp | — | |
MD5:— | SHA256:— | |||
| 4440 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
6
DNS requests
6
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4440 | WINWORD.EXE | GET | 200 | 13.107.42.23:443 | https://config.edge.skype.com/config/v2/Office/word/16.0.12026.20264/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=word&Platform=win32&Version=16.0.12026.20264&MsoVersion=16.0.12026.20194&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7b1094F915-360F-429B-B652-264CCDCABC55%7d&LabMachine=false | US | text | 89.2 Kb | malicious |
4532 | rundll32.exe | POST | — | 213.5.229.12:80 | http://satursed.com/8/forum.php | RU | — | — | malicious |
4532 | rundll32.exe | GET | 200 | 54.243.164.148:80 | http://api.ipify.org/ | US | text | 12 b | shared |
4532 | rundll32.exe | POST | 200 | 95.216.84.231:80 | http://sameastar.ru/8/forum.php | DE | text | 12 b | malicious |
4440 | WINWORD.EXE | POST | 200 | 52.114.32.25:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | JP | text | 9 b | whitelisted |
4440 | WINWORD.EXE | POST | 200 | 52.114.32.25:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | JP | text | 9 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4532 | rundll32.exe | 54.243.164.148:80 | api.ipify.org | Amazon.com, Inc. | US | suspicious |
4532 | rundll32.exe | 213.5.229.12:80 | satursed.com | ArtPlanet LLC | RU | malicious |
4440 | WINWORD.EXE | 52.114.32.25:443 | self.events.data.microsoft.com | Microsoft Corporation | JP | whitelisted |
4532 | rundll32.exe | 95.216.84.231:80 | sameastar.ru | Hetzner Online GmbH | DE | malicious |
4440 | WINWORD.EXE | 13.107.42.23:443 | config.edge.skype.com | Microsoft Corporation | US | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
config.edge.skype.com |
| malicious |
api.ipify.org |
| shared |
satursed.com |
| malicious |
self.events.data.microsoft.com |
| whitelisted |
sameastar.ru |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
4532 | rundll32.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup api.ipify.org |
4532 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Hancitor POST Data send |
4532 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Hancitor POST Data send |
2 ETPRO signatures available at the full report