analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://www.wichitawindowanddoor.co/63943_54783.php

Full analysis: https://app.any.run/tasks/ad20009b-d713-44a0-9ad4-50e0e6d22521
Verdict: Malicious activity
Threats:

Hancitor was created in 2014 to drop other malware on infected machines. It is also known as Tordal and Chanitor. This malware is available as a service which makes it accessible tools to criminals and contributes to the popularity of this virus.

Malware Trends Tracker     >>>
Analysis date: December 06, 2019, 17:53:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
trojan
hancitor
Indicators:
MD5:

3FAE0C9D4661874EE24A3CF3B50090CC

SHA1:

6B84703804CCF57986D846C4BA1AC1B7231B0B10

SHA256:

AB1F1F2934B5B8B262688676A1DC557ED50E5B23852E149910DA1EA3CADF18EE

SSDEEP:

3:N1KJS4iMQ9dKl1Vn:Cc4iBGl1V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • regsvr32.exe (PID: 3908)

    • Uses SVCHOST.EXE for hidden code execution

      • regsvr32.exe (PID: 3908)

    • HANCITOR was detected

      • svchost.exe (PID: 3796)

    • Connects to CnC server

      • svchost.exe (PID: 3796)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 1016)

    • Executes scripts

      • WinRAR.exe (PID: 2884)

    • Executed via WMI

      • regsvr32.exe (PID: 3908)

    • Checks for external IP

      • svchost.exe (PID: 3796)

  • INFO

    • Creates files in the user directory

      • iexplore.exe (PID: 2880)
      • iexplore.exe (PID: 2356)

    • Application launched itself

      • iexplore.exe (PID: 2880)

    • Changes internet zones settings

      • iexplore.exe (PID: 2880)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2356)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2880)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe winrar.exe no specs wscript.exe regsvr32.exe no specs #HANCITOR svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2880"C:\Program Files\Internet Explorer\iexplore.exe" "http://www.wichitawindowanddoor.co/63943_54783.php"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2356"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2880 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2884"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NTAJRYD7\B2596789099299434_2374[1].zip"C:\Program Files\WinRAR\WinRAR.exeiexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
1016"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2884.34676\2596789099299434.vbs" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3908regsvr32.exe -s C:\Users\admin\AppData\Local\Temp\TFzuPCNCbMDe.txtC:\Windows\system32\regsvr32.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
4
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3796C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe
regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 512
Read events
1 410
Write events
99
Delete events
3

Modification events

(PID) Process:(2880) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2880) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2880) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2880) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(2880) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2880) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2880) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{57C05DC9-1851-11EA-AB41-5254004A04AF}
Value:
0
(PID) Process:(2880) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(2880) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
2
(PID) Process:(2880) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E3070C0005000600110035002C00D301
Executable files
1
Suspicious files
3
Text files
8
Unknown types
6

Dropped files

PID
Process
Filename
Type
2880iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
2880iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2880iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFDDE2CD7A5E717DA1.TMP
MD5:
SHA256:
2880iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF696FCF4FC4A9F5F1.TMP
MD5:
SHA256:
2880iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{57C05DC9-1851-11EA-AB41-5254004A04AF}.dat
MD5:
SHA256:
1016WScript.exeC:\Users\admin\AppData\Local\Temp\KGWG.txt
MD5:
SHA256:
2356iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:726203A4658324F8A42A3EEC9E757B2F
SHA256:93FA952C7DA02AB6D0CEE3326DD7B3327313439D351F69D91BC400D625CC2A70
1016WScript.exeC:\Users\admin\AppData\Local\Temp\KGWG.txt.zipcompressed
MD5:FB26D045E0411C9015A4805C6490E7D0
SHA256:2A99CE3F8F1B1F2C4B7C504EE6884846AA7C52B9B9E99A80EF0DEDC2D9C8E0E5
2356iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019120620191207\index.datdat
MD5:ABC8EA1BCEBB6681B32027F96C5F0EB1
SHA256:63455EBAFC4FA4C806AA8BE61C2AEF74D27B92298AFC08BE2E325BCFA26B511E
2880iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NTAJRYD7\B2596789099299434_2374[1].zip:Zone.Identifiertext
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
6
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2356
iexplore.exe
GET
200
47.245.55.44:80
http://www.wichitawindowanddoor.co/63943_54783.php
US
compressed
197 Kb
unknown
3796
svchost.exe
GET
200
23.23.83.153:80
http://api.ipify.org/
US
text
12 b
shared
3796
svchost.exe
POST
200
178.170.248.82:80
http://furnandol.com/4/forum.php
RU
text
12 b
malicious
2880
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3796
svchost.exe
POST
200
178.170.248.82:80
http://furnandol.com/4/forum.php
RU
text
12 b
malicious
3796
svchost.exe
POST
200
178.170.248.82:80
http://furnandol.com/4/forum.php
RU
text
12 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2356
iexplore.exe
47.245.55.44:80
www.wichitawindowanddoor.co
US
unknown
2880
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3796
svchost.exe
178.170.248.82:80
furnandol.com
Electrics Ltd
RU
malicious
3796
svchost.exe
23.23.83.153:80
api.ipify.org
Amazon.com, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
www.wichitawindowanddoor.co
  • 47.245.55.44
unknown
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
api.ipify.org
  • 23.23.83.153
  • 54.225.92.64
  • 107.22.249.177
  • 50.19.218.16
  • 54.225.169.250
  • 54.225.243.96
  • 23.21.72.212
  • 54.243.147.226
shared
furnandol.com
  • 178.170.248.82
malicious

Threats

PID
Process
Class
Message
3796
svchost.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup api.ipify.org
3796
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Hancitor POST Data send
3796
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Hancitor POST Data send
3796
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Hancitor POST Data send
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://www.wichitawindowanddoor.co/63943_54783.php