Malware disguised as a KISA-Security-Upgrade file

2023-07-28 Hauri Malicious code disguised as KISA-Security-Upgrade file

https://download.hauri.net/DownSource/down/dwn_detail_down.html?uid=52

Attachments

2023-07-17_ìì_ëì_ë³ê³ìKISA-Security-Upgrade_íì¼ë_ììí_ììì½ë.pdf (2 MB)

Hauri analyzed malware disguised as a KISA-Security-Upgrade executable that unpacked embedded archives and dropped additional malicious files. The initial executable posed as a Korean security-upgrade file to entice the user into running it, wrote data under a temporary directory, and launched a dropped file through CreateProcessW with installer-style arguments. The next-stage component displayed a fake but normal-looking installer window while extracting a malicious archive and a decompression utility, which it then used to create and execute further malware. The chain illustrates the risk of update packages whose origin and integrity have not been verified.

Indicators of Compromise

Type    Value                              First Seen  Last Seen
HASH    c447624d99292f1465b51d3efeda9e73   2023-07-28  2023-08-16
HASH    97de7d4c5115c02d08de760e1dafc403   2023-07-28  2023-08-16
HASH    c5e0a2b881a60fb3440bb78e9920dccd   2023-06-09  2023-08-16
DOMAIN  pita1.sportsontheweb.net           2023-06-09  2023-08-16
HASH    607e97d2264314fd2e626ca48dd580e8   2023-07-28  2023-07-28
URL     http://pita1.sportsontheweb.net    2023-07-28  2023-07-28
