Hancitor Malware | VTI by Category
Try VMRay Analyzer
VTI Score 100 / 100 | |
| VTI Database Version | 2.2 |
| VTI Rule Match Count | 34 |
| VTI Rule Type | Documents |
 | Injection | |
| Write into memory of an other process | |
"c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe" modifies memory of "c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe" | ||
"c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe" modifies memory of "c:\windows\syswow64\explorer.exe" | ||
"c:\users\hjrd1k~1\appdata\roaming\convin~1.exe" modifies memory of "c:\users\hjrd1k~1\appdata\roaming\convin~1.exe" | ||
"c:\users\hjrd1k~1\appdata\roaming\convin~1.exe" modifies memory of "c:\windows\syswow64\explorer.exe" | ||
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files (x86)\internet explorer\iexplore.exe" | ||
| Modify control flow of an other process | |
"c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe" alters context of "c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe" | ||
"c:\users\hjrd1k~1\appdata\roaming\convin~1.exe" alters context of "c:\users\hjrd1k~1\appdata\roaming\convin~1.exe" | ||
| Network | |
| Perform DNS request | |
Resolve "foandrenla.com". | ||
| OS | |
| Disable crucial system service | |
Disable "Windows Firewall Service" by ChangeServiceConfigW. | ||
| PE | |
| Execute dropped PE file | |
Execute dropped file "c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe". | ||
| Drop PE file | |
Drop file "c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe". | ||
Drop file "c:\users\hjrd1koky ds8lujv\appdata\roaming\dpx.dll". | ||
| Process | |
| Create process | |
Create process "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe". | ||
Create process "C:\Windows\SysWOW64\explorer.exe". | ||
Create process "cmd.exe \c makecab "C:\Windows\SysWOW64\wusa.exe" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab"". | ||
Create process "C:\Windows\system32\makecab.exe". | ||
Create process "cmd.exe \c c:\windows\system32\wusa "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" \extract:"C:\Windows\SysWOW64\drivers"". | ||
Create process "c:\windows\system32\wusa.exe". | ||
Create process "cmd.exe \c makecab "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\dpx.dll" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab"". | ||
Create process "C:\Windows\SysWOW64\drivers\wusa.exe". | ||
Create process "C:\Users\HJRD1K~1\AppData\Roaming\CONVIN~1.EXE". | ||
Create process "cmd.exe \c net stop MpsSvc". | ||
Create process "cmd.exe \c sc config MpsSvc start= disabled". | ||
Create process "C:\Windows\system32\net.exe". | ||
Create process "C:\Windows\system32\sc.exe". | ||
Create process ""C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome". | ||
Create process "vssadmin.exe delete shadows /all /quiet". | ||
Create process "bcdedit /set {default} recoveryenabled no". | ||
Create process "bcdedit /set {default} bootstatuspolicy ignoreallfailures". | ||
| Read from memory of an other process | |
"c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe" reads from "C:\Windows\SysWOW64\explorer.exe". | ||
"c:\users\hjrd1k~1\appdata\roaming\convin~1.exe" reads from "C:\Windows\SysWOW64\explorer.exe". | ||
"c:\windows\syswow64\explorer.exe" reads from ""C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome". | ||
| VBA Macro | |
| Ability to read/write files | |
cynodon = FreeFile | ||
| Execute macro on specific worksheet event | |
Execute macro on "Activate Workbook" event. | ||
| - | Anti Analysis | |
| - | Browser | |
| - | Device | |
| - | File System | |
| - | Hide Tracks | |
| - | Information Stealing | |
| - | Kernel | |
| - | Masquerade | |
| - | Persistence | |
| - | YARA | |
