| Name | Description |
|---|---|
| Chanitor | |

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Hancitor has decoded Base64 encoded URLs to insert a recipient's name into the filename of the Word document. Hancitor has also extracted executables from ZIP files.[1][2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Hancitor has added Registry Run keys to establish persistence.[2] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | |
| Enterprise | T1106 | Native API | Hancitor has used |
| Enterprise | T1027 | Obfuscated Files or Information | Hancitor has used Base64 to encode malicious links. Hancitor has also delivered compressed payloads in ZIP files to victims.[1][2] |
| Enterprise | T1204.001 | User Execution: Malicious Link | Hancitor has relied upon users clicking on a malicious link delivered through phishing.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | Hancitor has used malicious Microsoft Word documents, sent via email, which prompted the victim to enable macros.[2] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | |
| Enterprise | T1218.012 | System Binary Proxy Execution: Verclsid | Hancitor has used verclsid.exe to download and execute a malicious script.[3] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Hancitor has used a macro to check that an ActiveDocument shape object in the lure message is present. If this object is not found, the macro will exit without downloading additional payloads.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | Hancitor has the ability to download additional files from C2.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Hancitor has been delivered via phishing emails with malicious attachments.[2] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | Hancitor has been delivered via phishing emails which contained malicious links.[1] |