EXE malware bundling an HWP decoy, disguised as a quotation for a Vietnam event
2019-12-03 • kino
The analysis examines a Windows executable that poses as a Korean HWP quotation document for a Vietnam Nokjiwon and Sangchunjae event. When run, the dropper writes a decoy HWP file and a DLL named NewAct.dat, then loads the DLL through regsvr32.exe, calling its DllInstall export. (regsvr32 calls DllInstall instead of DllRegisterServer when given the /i switch, and it does not care that the module carries a .dat rather than a .dll extension, which is why a regsvr32 /i launch of a non-.dll file is a useful hunting signal.) The DLL deletes local WSF files, runs a checkdrive export, and checks whether the system is 64-bit; depending on the result it either attempts to download an additional lyric64 payload or injects itself into explorer.exe. The injected code creates a mutex, starts the threads that carry out the malicious activity, communicates with antichrist.or.kr/data/cheditor/dir1/f.php, and decrypts downloaded files with a rotating XOR routine. The report does not give the XOR key or the rotation scheme, so decryption has to be reproduced from the sample itself.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 35d60d2723c649c97b414b3cb701df1c | 2019-12-03 | 2024-08-14 |
| HASH | 03c35e4c6a641373db665e7d58cea42… | 2019-12-03 | 2024-08-14 |
| HASH | 1050935f6acee3afda3876478718632… | 2019-12-03 | 2024-08-14 |
| HASH | 6dfce07abc39e5d6aebd74a1850ad65… | 2019-12-03 | 2024-08-14 |
| HASH | e54b370d96ca0e2ecc083c2d42f05210 | 2019-12-03 | 2024-08-14 |
| HASH | 9944ce9354fb8961826339770ffc118… | 2019-12-03 | 2024-08-14 |
| DOMAIN | antichrist.or.kr | 2019-12-03 | 2024-08-14 |
| HASH | 6fb5916d8c10589d23fbc7417c5f924… | 2019-12-03 | 2019-12-03 |
| HASH | 4db3f34d439e3d7a04df74e109012da… | 2019-12-03 | 2019-12-03 |
| HASH | 328ba7f982d3d775b7c51756daf14496 | 2019-12-03 | 2019-12-03 |
| URL | http://antichrist.or.kr/data/ch… | 2019-12-03 | 2019-12-03 |
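As an added example, not code from the original post or its author, the script below triages constructed Sysmon-style events for the behaviours and indicators described above: a regsvr32 launch that reaches DllInstall (the /i switch) on a module that is not a .dll, a process whose MD5 is one of the complete hashes in the table, a DNS query for the C2 domain, and a remote thread created in explorer.exe. The event field names (EventType, Image, CommandLine, Hashes, QueryName, SourceImage, TargetImage) and every sample event are assumptions made for this example; the truncated hashes from the table are deliberately not used. The last rule assumes the explorer.exe injection is visible as a CreateRemoteThread event, which a loader that injects by other means will not trigger.

```python
"""Added example: hunt for the regsvr32/DllInstall loader, the explorer.exe
injection and the page's IoCs in constructed Sysmon-style events.
Field names and sample events are assumptions, not the original analysis."""
import shlex

# Complete hashes and the C2 domain from the IoC table on this page.
IOC_MD5 = {
    "35d60d2723c649c97b414b3cb701df1c",
    "e54b370d96ca0e2ecc083c2d42f05210",
    "328ba7f982d3d775b7c51756daf14496",
}
IOC_DOMAINS = {"antichrist.or.kr"}


def parse_hashes(field):
    """Parse a Sysmon 'Hashes' field such as 'MD5=...,SHA256=...' into a dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip().lower()
    return out


def regsvr32_target(cmdline):
    """Return (uses_dllinstall, module_path) for a regsvr32 command line.

    /i (optionally /i:<cmdline>) makes regsvr32 call DllInstall; /n only
    suppresses DllRegisterServer. The first non-switch argument is the module.
    Non-POSIX splitting keeps Windows backslashes and quoted paths intact."""
    try:
        args = shlex.split(cmdline, posix=False)
    except ValueError:
        args = cmdline.split()
    uses_install, module = False, None
    for arg in args[1:]:
        if arg[:1] in "/-":
            if arg[1:2].lower() == "i":
                uses_install = True
            continue
        module = arg.strip('"')
    return uses_install, module


def check_event(ev):
    """Return a list of (rule, detail) hits for one event dict."""
    hits = []
    etype = ev.get("EventType")
    if etype == "ProcessCreate":
        image = ev.get("Image", "").lower()
        if image.endswith("\\regsvr32.exe"):
            uses_install, module = regsvr32_target(ev.get("CommandLine", ""))
            if uses_install and module and not module.lower().endswith(".dll"):
                hits.append(("regsvr32_dllinstall_non_dll", module))
        md5 = parse_hashes(ev.get("Hashes", "")).get("MD5", "")
        if md5 in IOC_MD5:
            hits.append(("ioc_hash_match", md5))
    elif etype == "DnsQuery":
        name = ev.get("QueryName", "").lower().rstrip(".")
        if name in IOC_DOMAINS or any(name.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(("ioc_domain_match", name))
    elif etype == "CreateRemoteThread":
        if ev.get("TargetImage", "").lower().endswith("\\explorer.exe"):
            hits.append(("remote_thread_into_explorer", ev.get("SourceImage", "")))
    return hits


def hunt(events):
    """Run every rule over every event; returns [(event_index, rule, detail)]."""
    return [(i, rule, detail) for i, ev in enumerate(events) for rule, detail in check_event(ev)]


# Constructed sample events (assumptions, not captured telemetry).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s /n /i "C:\Users\user\AppData\Local\Temp\NewAct.dat"',
     "Hashes": "MD5=00000000000000000000000000000000"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\legit.dll"',
     "Hashes": "MD5=11111111111111111111111111111111"},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\user\Downloads\dropper.exe",
     "CommandLine": "dropper.exe", "Hashes": "MD5=35D60D2723C649C97B414B3CB701DF1C"},
    {"EventType": "DnsQuery", "Image": r"C:\Windows\explorer.exe", "QueryName": "antichrist.or.kr"},
    {"EventType": "CreateRemoteThread", "SourceImage": r"C:\Windows\System32\regsvr32.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {detail}")
```

The legitimate regsvr32 line (event 1) produces no hit because it registers a real .dll without /i, which is the false-positive case worth keeping in the sample: plain DllRegisterServer use of regsvr32 is common on workstations, and it is the DllInstall path onto a non-.dll file that is unusual.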