Hancitor Malware | VMRay Analyzer Report
Analysis Information
Creation Time: 2016-10-20 18:25 (UTC+2)
VM Analysis Duration Time: 00:02:26
Execution Successful: True
Sample Filename: quickbooks_expenses_report_6241186.doc
Command Line Parameters: False
Prescript: False
Number of Processes: 27
Termination Reason: Timeout
VTI Information
VTI Score: 100 / 100
VTI Database Version: 2.2
VTI Rule Match Count: 34
VTI Rule Type: Documents
Monitored Processes
ID | PID | Monitor Reason | Image Name | Command Line | Origin ID
#1 | 0x85c | Analysis Target | winword.exe | "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" |
#2 | 0x998 | Modified File | convincingly.exe | "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe" | #1
#3 | 0x9c4 | Child Process | convincingly.exe | "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe" | #2
#4 | 0x9d0 | Child Process | explorer.exe | C:\Windows\SysWOW64\explorer.exe | #3
#5 | 0x9d8 | Child Process | cmd.exe | cmd.exe /c makecab "C:\Windows\SysWOW64\wusa.exe" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" | #4
#6 | 0x9f0 | Child Process | makecab.exe | makecab "C:\Windows\SysWOW64\wusa.exe" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" | #5
#7 | 0x9f8 | Child Process | cmd.exe | cmd.exe /c c:\windows\system32\wusa "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" /extract:"C:\Windows\SysWOW64\drivers" | #4
#8 | 0xa10 | Child Process | wusa.exe | c:\windows\system32\wusa "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" /extract:"C:\Windows\SysWOW64\drivers" | #7
#9 | 0xa20 | Child Process | wusa.exe | "C:\windows\system32\wusa.exe" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" /extract:"C:\Windows\SysWOW64\drivers" | #7
#10 | 0xa98 | Child Process | wusa.exe | "C:\Windows\SysWOW64\wusa.exe" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" /extract:"C:\Windows\SysWOW64\drivers" | #7
#11 | 0xaac | Child Process | cmd.exe | cmd.exe /c makecab "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\dpx.dll" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" | #4
#12 | 0xac4 | Child Process | makecab.exe | makecab "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\dpx.dll" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" | #11
#13 | 0xacc | Child Process | cmd.exe | cmd.exe /c c:\windows\system32\wusa "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" /extract:"C:\Windows\SysWOW64\drivers" | #4
#14 | 0xae4 | Child Process | wusa.exe | c:\windows\system32\wusa "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" /extract:"C:\Windows\SysWOW64\drivers" | #13
#15 | 0xaf4 | Child Process | wusa.exe | "C:\windows\system32\wusa.exe" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" /extract:"C:\Windows\SysWOW64\drivers" | #13
#16 | 0xb28 | Child Process | wusa.exe | "C:\Windows\SysWOW64\wusa.exe" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" /extract:"C:\Windows\SysWOW64\drivers" | #13
#17 | 0xb70 | Child Process | wusa.exe | "C:\Windows\SysWOW64\drivers\wusa.exe" | #4
#18 | 0xb7c | Child Process | convin~1.exe | C:\Users\HJRD1K~1\AppData\Roaming\CONVIN~1.EXE | #17
#19 | 0xbd0 | Child Process | convin~1.exe | C:\Users\HJRD1K~1\AppData\Roaming\CONVIN~1.EXE | #18
#20 | 0xbd8 | Child Process | explorer.exe | C:\Windows\SysWOW64\explorer.exe | #19
#21 | 0xbe0 | Child Process | cmd.exe | cmd.exe /c net stop MpsSvc | #20
#22 | 0xbe8 | Child Process | cmd.exe | cmd.exe /c sc config MpsSvc start= disabled | #20
#23 | 0x844 | Child Process | net.exe | net stop MpsSvc | #21
#24 | 0x854 | Child Process | sc.exe | sc config MpsSvc start= disabled | #22
#25 | 0x83c | Child Process | net1.exe | C:\Windows\system32\net1 stop MpsSvc | #23
#26 | 0x834 | Child Process | iexplore.exe | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome | #20
#27 | 0x828 | Child Process | vssadmin.exe | vssadmin.exe delete shadows /all /quiet | #26
Sample Information
ID: #630353
MD5 Hash Value: cbb60bfa61964f0fddb792cb4e2bce2c
SHA1 Hash Value: 79b146a68010592fb40aa240bfbd8f8b45778e5a
SHA256 Hash Value: 2a6ed4487df71f0adffebeb42c6dd183a422fbf948dbf77e7f1631dcdeaae524
Filename: quickbooks_expenses_report_6241186.doc
File Size: 312.50 KB (320000 bytes)
File Type: Word Document
Has VBA Macros: True
Analyzer and Virtual Machine Information
Analyzer Version: 1.11.0
Analyzer Build Date: 2016-09-19 10:58 (UTC+2)
Microsoft Office Version: 2016
Microsoft Word Version: 16.0.4266.1003
VM Name: win7_64_sp1-mso2016
VM Description: Windows 7 (SP1, 64-bit), MS Office 2016 (64-bit)
VM Architecture: x86 64-bit
VM OS: Windows 7
VM Kernel Version: 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)