lazarusholic

Everyday is lazarus.dayβ

Sample Analysis of Kimsuky's Attacks - xls

2024-12-09, SecAI
https://www.secai.ai/blog/latest_research/Sample-Analysis-of-Kimsuky's-Attacks-xls
#Kimsuky


Latest Research | December 9, 2024
Take "Job Description (LM HR Division II).pdf.scr" as an example for analysis. Sample information is as follows.
The sample was created on 20 September 2022 but was observed being delivered in July 2024. It runs through a macro at document startup; after dropping the PE file, it switches execution branches via command-line parameters until it reaches the final C&C remote-control stage. The full flowchart is shown below:
When the XLS sample is opened, a Korean application form concerning a registration fee is displayed, as shown below:
The sample is launched by a macro embedded in the xls, which decrypts and drops the file msload.exe into a fixed folder, C:\Users\{userName}\AppData\Roaming\Microsoft\Templates, and then starts this PE file via Wscript.Shell with the additional parameter QCvt5676hZXbg.
After the process is run, it enters different branches by means of parameter checks, and each branch controls the next branch of …
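The drop-and-launch step described above (an executable written under the user's Office Templates folder and started with a fixed parameter) is a good hunting target for process-creation telemetry. The following detection is an added example, not code from SecAI or lazarusholic; it assumes Sysmon-style field names (Image, ParentImage, CommandLine) and runs over constructed log lines. Only the Templates path, the file name msload.exe and the parameter QCvt5676hZXbg come from the post; the double-extension check generalizes the "Job Description (...).pdf.scr" naming mentioned at the top of the page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample process-creation events in a pipe-delimited Sysmon-like
# export. These are illustrative lines, not real telemetry.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=\"EXCEL.EXE\" C:\\Users\\alice\\Downloads\\form.xls",
    # The behaviour from the post: dropped PE in Templates, started by the
    # macro with the fixed argument. WScript.Shell.Run is an in-process COM
    # call, so the parent of the child is still EXCEL.EXE.
    "Image=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\msload.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|CommandLine=msload.exe QCvt5676hZXbg",
    "Image=C:\\Windows\\System32\\notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe",
    # Constructed benign-looking case: an exe in Templates but started by
    # explorer without the known argument. Worth a look, lower confidence.
    "Image=C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Templates\\update.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=update.exe",
    # Constructed: double-extension lure name run from Downloads.
    "Image=C:\\Users\\bob\\Downloads\\Job Description (LM HR Division II).pdf.scr"
    "|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=\"Job Description (LM HR Division II).pdf.scr\"",
]

# Executable written under the per-user Office Templates folder (from the post).
TEMPLATES_EXE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Templates\\[^\\]+\.(exe|scr|dll)$", re.IGNORECASE
)
# Document-looking name that actually ends in an executable extension.
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|hwp)\.(exe|scr)$", re.IGNORECASE)
# Parents that indicate a macro or script host launched the child.
SCRIPT_HOST_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe",
                       "wscript.exe", "cscript.exe"}
KNOWN_ARG = "QCvt5676hZXbg"  # launch parameter reported in the post


@dataclass
class Alert:
    image: str
    parent: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # One point per matching indicator; three means the exact chain from the post.
        return len(self.reasons)


def parse_event(line: str) -> dict:
    """Split a 'Key=Value|Key=Value' line into a dict (assumed export format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict):
    """Return an Alert if the event matches any indicator, else None."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    cmd = event.get("CommandLine", "")
    reasons = []
    if TEMPLATES_EXE.search(image):
        reasons.append("executable launched from Office Templates folder")
        if basename(parent) in SCRIPT_HOST_PARENTS:
            reasons.append(f"spawned by script/macro host {basename(parent)}")
    if KNOWN_ARG in cmd.split():
        reasons.append("known launch argument " + KNOWN_ARG)
    if DOUBLE_EXT.search(basename(image)):
        reasons.append("document-style double extension on executable")
    return Alert(image, parent, reasons) if reasons else None


def scan(lines) -> list:
    """Run every line through the indicators and keep only the hits."""
    alerts = []
    for line in lines:
        alert = evaluate(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[score {a.score}] {a.image} <- {a.parent}: {'; '.join(a.reasons)}")
```

The score separates the full chain (Templates path, Office parent and the fixed argument all present) from weaker single-indicator hits, so the Templates-path rule alone can stay noisy without the high-confidence case being lost in it.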

IoC

46.44.251.52