Hancitor Malware | VTI by Score
Try VMRay Analyzer
VTI Score 100 / 100 | |
| VTI Database Version | 2.2 |
| VTI Rule Match Count | 34 |
| VTI Rule Type | Documents |
 | OS | Disable crucial system service | |
Disable "Windows Firewall Service" by ChangeServiceConfigW. | |||
| Injection | Write into memory of an other process | |
"c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe" modifies memory of "c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe" | |||
"c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe" modifies memory of "c:\windows\syswow64\explorer.exe" | |||
"c:\users\hjrd1k~1\appdata\roaming\convin~1.exe" modifies memory of "c:\users\hjrd1k~1\appdata\roaming\convin~1.exe" | |||
"c:\users\hjrd1k~1\appdata\roaming\convin~1.exe" modifies memory of "c:\windows\syswow64\explorer.exe" | |||
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files (x86)\internet explorer\iexplore.exe" | |||
| Injection | Modify control flow of an other process | |
"c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe" alters context of "c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe" | |||
"c:\users\hjrd1k~1\appdata\roaming\convin~1.exe" alters context of "c:\users\hjrd1k~1\appdata\roaming\convin~1.exe" | |||
| Process | Create process | |
Create process "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe". | |||
Create process "C:\Windows\SysWOW64\explorer.exe". | |||
Create process "cmd.exe \c makecab "C:\Windows\SysWOW64\wusa.exe" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab"". | |||
Create process "C:\Windows\system32\makecab.exe". | |||
Create process "cmd.exe \c c:\windows\system32\wusa "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" \extract:"C:\Windows\SysWOW64\drivers"". | |||
Create process "c:\windows\system32\wusa.exe". | |||
Create process "cmd.exe \c makecab "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\dpx.dll" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab"". | |||
Create process "C:\Windows\SysWOW64\drivers\wusa.exe". | |||
Create process "C:\Users\HJRD1K~1\AppData\Roaming\CONVIN~1.EXE". | |||
Create process "cmd.exe \c net stop MpsSvc". | |||
Create process "cmd.exe \c sc config MpsSvc start= disabled". | |||
Create process "C:\Windows\system32\net.exe". | |||
Create process "C:\Windows\system32\sc.exe". | |||
Create process ""C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome". | |||
Create process "vssadmin.exe delete shadows /all /quiet". | |||
Create process "bcdedit /set {default} recoveryenabled no". | |||
Create process "bcdedit /set {default} bootstatuspolicy ignoreallfailures". | |||
| Process | Read from memory of an other process | |
"c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe" reads from "C:\Windows\SysWOW64\explorer.exe". | |||
"c:\users\hjrd1k~1\appdata\roaming\convin~1.exe" reads from "C:\Windows\SysWOW64\explorer.exe". | |||
"c:\windows\syswow64\explorer.exe" reads from ""C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome". | |||
| Network | Perform DNS request | |
Resolve "foandrenla.com". | |||
| PE | Execute dropped PE file | |
Execute dropped file "c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe". | |||
| PE | Drop PE file | |
Drop file "c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe". | |||
Drop file "c:\users\hjrd1koky ds8lujv\appdata\roaming\dpx.dll". | |||
| VBA Macro | Ability to read/write files | |
cynodon = FreeFile | |||
| VBA Macro | Execute macro on specific worksheet event | |
Execute macro on "Activate Workbook" event. | |||
