File name: | GAM_9996757243586095.vbs |
Full analysis: | https://app.any.run/tasks/59a4c94b-c9d3-4b7c-b29b-1f42740dc7b6 |
Verdict: | Malicious activity |
Threats: | Hancitor was created in 2014 to drop other malware on infected machines. It is also known as Tordal and Chanitor. This malware is available as a service which makes it accessible tools to criminals and contributes to the popularity of this virus. |
Analysis date: | December 02, 2019, 20:23:59 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with no line terminators |
MD5: | E0F8841CF09ED84CAFB8B0D06BE92724 |
SHA1: | 059C26029C9BB8E1A230534E08A798618BF9870B |
SHA256: | 729AAA301C1B3CBF2CC8702DD6A1900578CDBCB609BED2B3438552E852AE21BE |
SSDEEP: | 3072:3F5ql1vw1u70zcBYTmtEofvsZc8bg/xkZWlHQj09wXPn/D+EZhbZGtHq56C05iRW:pPPRhbh/tQJbFAPEGhgqC75F |
.cnt | | | Help File Contents (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1644 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\GAM_9996757243586095.vbs.cnt | C:\Windows\system32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2464 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\GAM_9996757243586095.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
328 | regsvr32.exe -s C:\Users\admin\AppData\Local\Temp\PbzVeQP.txt | C:\Windows\system32\regsvr32.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 4 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
608 | -s C:\Users\admin\AppData\Local\Temp\PbzVeQP.txt | C:\Windows\SysWOW64\regsvr32.exe | — | regsvr32.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 4 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2320 | C:\Windows\System32\svchost.exe | C:\Windows\SysWOW64\svchost.exe | regsvr32.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2464) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (2464) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (2464) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (2464) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (2464) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum |
Operation: | write | Name: | Implementing |
Value: 1C00000001000000E3070C00010002001400180030003B01010000001E768127E028094199FEB9D127C57AFE | |||
(PID) Process: | (2464) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached |
Operation: | write | Name: | {2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF |
Value: 0100000000000000D993138B4EA9D501 | |||
(PID) Process: | (2320) svchost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (2320) svchost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000007D000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (2320) svchost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (2320) svchost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: |
PID | Process | Filename | Type | |
---|---|---|---|---|
2464 | WScript.exe | C:\Users\admin\AppData\Local\Temp\FEN.txt | — | |
MD5:— | SHA256:— | |||
2464 | WScript.exe | C:\Users\admin\AppData\Local\Temp\FEN.txt.zip | compressed | |
MD5:DE2838107EB2A503BC6866FFEAF8CDE5 | SHA256:4232CCC048AE1522A64BCD74A0C486D2ABEA36FA685C352E5C35BFB4E913165C | |||
2464 | WScript.exe | C:\Users\admin\AppData\Local\Temp\PbzVeQP.txt | executable | |
MD5:DAA9B06974FA5963B39E0120BABE138C | SHA256:F01881DBFF4546BD2D66A49CC01EE09E306C025AAA4DF16022EB826426F2E004 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2320 | svchost.exe | GET | 200 | 23.21.72.212:80 | http://api.ipify.org/ | US | text | 14 b | shared |
2320 | svchost.exe | POST | 200 | 178.170.248.82:80 | http://laticivue.com/4/forum.php | RU | text | 12 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2320 | svchost.exe | 23.21.72.212:80 | api.ipify.org | Amazon.com, Inc. | US | malicious |
— | — | 178.170.248.82:80 | laticivue.com | Electrics Ltd | RU | malicious |
Domain | IP | Reputation |
---|---|---|
api.ipify.org |
| shared |
laticivue.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2320 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup api.ipify.org |
2320 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Hancitor POST Data send |