Name | Description |
---|---|
Chanitor |
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Hancitor has added Registry Run keys to establish persistence.[2] |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell | |
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Hancitor has decoded Base64 encoded URLs to insert a recipient’s name into the filename of the Word document. Hancitor has also extracted executables from ZIP files.[1][2] |
|
Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion | |
Enterprise | T1105 | Ingress Tool Transfer |
Hancitor has the ability to download additional files from C2.[1] |
|
Enterprise | T1106 | Native API |
Hancitor has used |
|
Enterprise | T1027 | Obfuscated Files or Information |
Hancitor has used Base64 to encode malicious links. Hancitor has also delivered compressed payloads in ZIP files to victims.[1][2] |
|
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Hancitor has been delivered via phishing emails with malicious attachments.[2] |
.002 | Phishing: Spearphishing Link |
Hancitor has been delivered via phishing emails which contained malicious links.[1] |
||
Enterprise | T1218 | .012 | System Binary Proxy Execution: Verclsid |
Hancitor has used verclsid.exe to download and execute a malicious script.[3] |
Enterprise | T1204 | .001 | User Execution: Malicious Link |
Hancitor has relied upon users clicking on a malicious link delivered through phishing.[1] |
.002 | User Execution: Malicious File |
Hancitor has used malicious Microsoft Word documents, sent via email, which prompted the victim to enable macros.[2] |
||
Enterprise | T1497 | Virtualization/Sandbox Evasion |
Hancitor has used a macro to check that an ActiveDocument shape object in the lure message is present. If this object is not found, the macro will exit without downloading additional payloads.[2] |