Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
16-03-2023 16:23
General
-
Target
https://ums.koreanair.com/Check.html?redirectUrl=9JRD01MTM=&U1RZUEU9TUFTUw=TElTVF9UQUJMRT1FTVNfTUFTU19TRU5EX0xJU1Q=E9TVF9JRD0=MDE5MDkyMzAwMDAy&VEM9MjAxOTEwMjM=0lORD1D&Q0lEPTAwMg=URL=http=:**Aums.koreanair.com*Check.html*redirectUrl=9JRD01MTMy&U1RZUEU9TUFT=w=TElTVF9UQUJMRT1FTVNfTUFTU19TRU5EX0xJU1Q=E9TVF9JRD0yMDE5MDkyMzAwMDAy&=mp;VEM9MjAxOTEwMjM=0lORD1D&Q0lEPTAwMg=URL=https:**Akfp.cl*wepok*=p-auth*lvcxn8**[email protected]__;Ly8vPy8vLy8vLy8v!!BB=_p3AAtQ!NZB1_R5tex6nrgN3OhhSJj6jWi9a6yOOvYPS5anHG7fW81bLQbXJq2A8WZ8Jbd0svJ=yQ5TF6dQni55yHrDy5LllRn6QoNjSCg$
Malware Config
Signatures
-
Drops file in System32 directory 2 IoCs
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://ums.koreanair.com/Check.html?redirectUrl=9JRD01MTM=&U1RZUEU9TUFTUw=TElTVF9UQUJMRT1FTVNfTUFTU19TRU5EX0xJU1Q=E9TVF9JRD0=MDE5MDkyMzAwMDAy&VEM9MjAxOTEwMjM=0lORD1D&Q0lEPTAwMg=URL=http=:**Aums.koreanair.com*Check.html*redirectUrl=9JRD01MTMy&U1RZUEU9TUFT=w=TElTVF9UQUJMRT1FTVNfTUFTU19TRU5EX0xJU1Q=E9TVF9JRD0yMDE5MDkyMzAwMDAy&=mp;VEM9MjAxOTEwMjM=0lORD1D&Q0lEPTAwMg=URL=https:**Akfp.cl*wepok*=p-auth*lvcxn8**[email protected]__;Ly8vPy8vLy8vLy8v!!BB=_p3AAtQ!NZB1_R5tex6nrgN3OhhSJj6jWi9a6yOOvYPS5anHG7fW81bLQbXJq2A8WZ8Jbd0svJ=yQ5TF6dQni55yHrDy5LllRn6QoNjSCg$1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://ums.koreanair.com/Check.html?redirectUrl=9JRD01MTM=&U1RZUEU9TUFTUw=TElTVF9UQUJMRT1FTVNfTUFTU19TRU5EX0xJU1Q=E9TVF9JRD0=MDE5MDkyMzAwMDAy&VEM9MjAxOTEwMjM=0lORD1D&Q0lEPTAwMg=URL=http=:**Aums.koreanair.com*Check.html*redirectUrl=9JRD01MTMy&U1RZUEU9TUFT=w=TElTVF9UQUJMRT1FTVNfTUFTU19TRU5EX0xJU1Q=E9TVF9JRD0yMDE5MDkyMzAwMDAy&=mp;VEM9MjAxOTEwMjM=0lORD1D&Q0lEPTAwMg=URL=https:**Akfp.cl*wepok*=p-auth*lvcxn8**[email protected]__;Ly8vPy8vLy8vLy8v!!BB=_p3AAtQ!NZB1_R5tex6nrgN3OhhSJj6jWi9a6yOOvYPS5anHG7fW81bLQbXJq2A8WZ8Jbd0svJ=yQ5TF6dQni55yHrDy5LllRn6QoNjSCg$2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.0.1129109453\1013423590" -parentBuildID 20221007134813 -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 20812 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d5cd2b1-5a57-435c-8359-38c073cf31cb} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 1924 207365c7e58 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.1.661734737\2014832035" -parentBuildID 20221007134813 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 21628 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fd47d66-4a57-44dd-b110-c69ed750cf4e} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 2424 2072967dd58 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.2.1756558733\2003687858" -childID 1 -isForBrowser -prefsHandle 3248 -prefMapHandle 3244 -prefsLen 21711 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9260a152-f786-4d90-8279-6d415cd3b515} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 3260 2073a3d0e58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.3.1170216101\1140280095" -childID 2 -isForBrowser -prefsHandle 4052 -prefMapHandle 4048 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f2dc4f5-6565-4325-9767-c46cb4ee0444} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 4064 207398ecb58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.5.1608657940\41302877" -childID 4 -isForBrowser -prefsHandle 4684 -prefMapHandle 4680 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a217de9-e6f4-4891-859c-814d3fd72dc0} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 4936 2073c387f58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.6.1593513981\1614510321" -childID 5 -isForBrowser -prefsHandle 5056 -prefMapHandle 5060 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab79f226-d39c-4ae6-bf9a-c32ea84508b9} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 4956 2073c388858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.4.820990599\1720845422" -childID 3 -isForBrowser -prefsHandle 4768 -prefMapHandle 4764 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bb73eb9-df2a-42af-93fd-09d951bc2e7a} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 4776 2073c387c58 tab3⤵
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 460 -p 1008 -ip 10081⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1008 -s 20201⤵
- Program crash
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
150KB
MD55fab17e89df949c2bccf2feda5d78cf4
SHA1df01688d12842c7409f80c372576dd7b71a55636
SHA2567453610bdf5ef46a1030a55fc97b2176d95dc5cc26ad52deaec6097960b120b2
SHA512e128faa442325ea23de84bdf293142a54b2c863e6465ec3ad772172d16fbc43107784c89304c4d6c46e567db34992a1b7d3d6a4daf3808838da851a88f91fd9a
-
Filesize
9KB
MD5bc3aef8ed61649720919b6a9a3bf5923
SHA17cbf685c06db8b34be8d57736fa17aa13bdea06b
SHA256a10d4a6bec1f0feaa12edf6e60f1145ff0989ee08db4aed3bbc2bd4512932a78
SHA51284d0a58e5856be1023e3d1579a292a6c9a7d24956bc33e9dd21d323cce1e496ddd3b43cffc0efb428018a80cc2a12ab666d26c5bb9ec5c4fb3100d0e260e10ea
-
Filesize
14KB
MD53e68140cf5a8168b91691f92ba191c70
SHA1bfada092b0e76292684ae4b94eff2d989a4d378c
SHA2560067041662fda17c26d7d6d40d64f8e611ad731557a194db95234a85c90382fc
SHA5126031008b44afd30be82151c963a7901d5536ac81d2925f37dc014a55fa04f982bdce9fd8301bf8c968001f06ddcd44d720ef312d09d2bcba40f5afe093f0d2b2
-
Filesize
14KB
MD5f1a88eb819e646bd49775b6469f85035
SHA1652eafa153caff0253403a96c0b61d8f990efeaa
SHA25653e78d8a2c4b62cd926af3ae286c70dda14761a42e67275709c9ad1d316312c0
SHA51291025d5cbe58e8f29bbcd825a304e0db43a2ef63d7edd6b10e1df664df913deac9c9ce89485c0a65208f05647e089334b893f6248ff2e25bd607f03c280c3d59
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
Filesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
Filesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
Filesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
Filesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
Filesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
Filesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
6KB
MD5c5f78a958d60498408247838967715f2
SHA1f52cb74ddb7210fefe603b2fca9e089d657792fd
SHA25686c1f820bd1fabcefa54c77b31ffff96117e5ff00e52b640ea775cd66b657d05
SHA512f0c5a6412d3754d4971c43509e65159b420a32b9ecdf67bcbbb841148c4758d62598721b5b59a69255c8265932ff1e0632cb6217d753e39a1a6a812829d34e78
-
Filesize
6KB
MD50cc475b7037beea0f933a5904182f042
SHA1db199392be0a3a2db649cbd3d4d2d6c4f8e0709d
SHA256353afee0a91a1e4ec907d31a4878830ad9e37804fd7a7207236b57c5234f45e8
SHA5124d0a64cb9b612c0ecdce0a5186cff6bd71b4839a33e3c01df55a7acc186d95ffa977266f33feb9555e1e7a6bb2f2490822afb72be034aa96c83c8911b22e34c6
-
Filesize
6KB
MD5e9b11fca37b61594d377cccf04f633f1
SHA191e3c7b3892eff0bc8e18cec4f57ef199bf7377b
SHA25695aba9e3852016e27b8e81d9f9e9b79c17d03cc45c8d52e1c304c3fb5f541818
SHA512601d8a3d11166f9d38d61d017bfb08e126e106679c3d0a0d17feb07f044a084e58b149485ed4ac717e0297e678f4076037c6ccb4c1c9432639afc705b902ca36
-
Filesize
6KB
MD56c4f8a325e3ff15333966779af4df58b
SHA17b698add98f933e68ac322dd810b83cabf1e0fd6
SHA256e23663f3cc890c3adf4a0aba4f3968139c6752067ac1881cda18f0c7b0c52548
SHA512e6deca3d6061734f1c47b6ee5b4020110004eb0389f7d9207ec02b8da9f3c4b34cbfc48bb6a6a01449fa10cbb635f7a2768eb79b5a6c7976a14ce3b2e0e2040f
-
Filesize
8KB
MD5937aa817e5b0aa44722e8532eb47341e
SHA13b8f26bfb473840182c1b0232b7abc10f677b6eb
SHA256f275fdb429982388fcf9dbc61c22c18e5f6383d5f27656eb2a365a98fbf155ef
SHA512f4d43d75f136883034b37da43817292b3408ad4c6e4cd9afa0584928ac795d2e87a1cfeac38e247f111caba1787ce9512ef429f45e60280fc1220b5162140c04
-
Filesize
6KB
MD59971fa8fa89a208685d3e30835832fb5
SHA15d9972a3bdbd4c18b3648597d2fd9f9fd6e30300
SHA25613417a67a65fecc73ad5acc94d17d8a6fac3b0a343daf12d1cd2d126b9198084
SHA51202b107e0d9449fa2d4d3655a880fbdeea4477205fa6c21aaf641c3d358353aa437cf040ec842107f973253bef767e48b9a0267dea5ed2d331aa192ef540e3b1f
-
Filesize
2KB
MD5a391224e2e7441a6c5df33a884e30f99
SHA15dff29a9c219c116eee551afb56c70a56c63ec2c
SHA256f9c96b8e3937a0c2d3a3f685c451cdc07de595bae4790d9283931c9b7325cc9d
SHA5123e7dda4f694b3429652afad3413fa9c3833a739016464842fe20f09f00442bdd411da04f2a2d59eb08e6f74c47a6bfc8c8e5ae43fd8f4a3b6d67a74648338291
-
Filesize
2KB
MD58873c0188992ce1efb9953ef03a93207
SHA146f3aa04203c4b1a29f8effa471f3b744f2bcc06
SHA25642ad2480935392a82484733c64be8d0f75b1ee1328e6f650833e5b55bf47c358
SHA512fb34317e84326edb170552355c8ec0b882d69cd0c82d160ed6190fdcbdb85b3150f742837e69e37be61ef12662f65a39e5121f4c5d6753ae09ff437ed8a27c97
-
Filesize
184KB
MD598dac3ffdf2b508197695ba9aacd3026
SHA15f227d8fdbfb5fd8b714d7e5aa1363f47ec9ce7c
SHA256b09ce5645649ab0fc929a71a435a53001eabf1398547466d65ddad3a9d89b13a
SHA5122457c708245b14313b4920d461390e6e4a71a9be2193a16469750e7776a287ff7d023420a0a10e3e32e12131b69a3e74e470757cecd13434de1172680929131c