File name: | 5359626331231626.vbs |
Full analysis: | https://app.any.run/tasks/850726cb-6dcc-43b7-b8bf-169e8f73b60a |
Verdict: | Malicious activity |
Threats: | Hancitor was created in 2014 to drop other malware on infected machines. It is also known as Tordal and Chanitor. This malware is available as a service which makes it accessible tools to criminals and contributes to the popularity of this virus. |
Analysis date: | December 06, 2019, 14:25:55 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with no line terminators |
MD5: | E9381F83BAB68A1B29472BF001A13841 |
SHA1: | 9319E2E6DB57527925FE26184B8AD0BD94191115 |
SHA256: | 5785FD9336906685B51D4DDCE328168AB737CB997565E2E9FA12046D0D8DC2BF |
SSDEEP: | 6144:OylyTh0yw/CpCu3/oCBztLti8+TrHoLldA2lKbqAQVpZD5zTDit45JIzBMTYVFR4:vlA+j/CpfHLHy0L8P+PDt7TKRMKhu |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
992 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\5359626331231626.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2288 | regsvr32.exe -s C:\Users\admin\AppData\Local\Temp\ieZbASxlSVMCP.txt | C:\Windows\system32\regsvr32.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 4 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
308 | -s C:\Users\admin\AppData\Local\Temp\ieZbASxlSVMCP.txt | C:\Windows\SysWOW64\regsvr32.exe | — | regsvr32.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 4 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
956 | C:\Windows\System32\svchost.exe | C:\Windows\SysWOW64\svchost.exe | regsvr32.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (992) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (992) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (992) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (992) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (992) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum |
Operation: | write | Name: | Implementing |
Value: 1C00000001000000E3070C00050006000E001A0018007C00010000001E768127E028094199FEB9D127C57AFE | |||
(PID) Process: | (992) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached |
Operation: | write | Name: | {2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF |
Value: 010000000000000093723B2341ACD501 | |||
(PID) Process: | (956) svchost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (956) svchost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000007D000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (956) svchost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (956) svchost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: |
PID | Process | Filename | Type | |
---|---|---|---|---|
992 | WScript.exe | C:\Users\admin\AppData\Local\Temp\dQfIOtgF.txt | — | |
MD5:— | SHA256:— | |||
992 | WScript.exe | C:\Users\admin\AppData\Local\Temp\ieZbASxlSVMCP.txt | executable | |
MD5:61FA5854BAAB95FC806AE0624AE959AF | SHA256:0D158E3BC017D3BACC63A36C35272721586DB6C31689EE95125A1E617480217B | |||
992 | WScript.exe | C:\Users\admin\AppData\Local\Temp\dQfIOtgF.txt.zip | compressed | |
MD5:D64BB28BFA954BC3CE8F154F6D2C684C | SHA256:3CD76AA0E883CCD84398DBEBAE081AE3F329462E1E069CDF497231304F3126AA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
956 | svchost.exe | POST | 200 | 178.170.248.82:80 | http://furnandol.com/4/forum.php | RU | text | 12 b | malicious |
956 | svchost.exe | POST | 200 | 178.170.248.82:80 | http://furnandol.com/4/forum.php | RU | text | 12 b | malicious |
2004 | mscorsvw.exe | GET | 200 | 2.16.186.120:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | unknown | der | 781 b | whitelisted |
2004 | mscorsvw.exe | GET | 200 | 2.16.186.120:80 | http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | unknown | der | 555 b | whitelisted |
956 | svchost.exe | POST | 200 | 178.170.248.82:80 | http://furnandol.com/4/forum.php | RU | text | 12 b | malicious |
2808 | mscorsvw.exe | GET | 200 | 67.27.234.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e8f6856a441fb10b | US | compressed | 6.73 Kb | whitelisted |
956 | svchost.exe | POST | 200 | 178.170.248.82:80 | http://furnandol.com/4/forum.php | RU | text | 12 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
956 | svchost.exe | 23.23.229.94:80 | api.ipify.org | Amazon.com, Inc. | US | malicious |
956 | svchost.exe | 178.170.248.82:80 | furnandol.com | Electrics Ltd | RU | malicious |
2808 | mscorsvw.exe | 67.27.234.126:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | suspicious |
2004 | mscorsvw.exe | 2.16.186.120:80 | crl.microsoft.com | Akamai International B.V. | — | whitelisted |
Domain | IP | Reputation |
---|---|---|
api.ipify.org |
| shared |
furnandol.com |
| malicious |
ctldl.windowsupdate.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
956 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup api.ipify.org |
956 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Hancitor POST Data send |
956 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Hancitor POST Data send |
956 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Hancitor POST Data send |
956 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Hancitor POST Data send |