Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 16, 2023, 3:35 p.m.	May 16, 2023, 3:37 p.m.

Size	17.4KB
Type	MS Windows HtmlHelp Data
MD5	`002fd493096214a9a44d82acb7f1ac30`
SHA256	`76b2f8df4578d65d5b6d57af8784584c1bcf86402d964b567db58e63723b636c`
CRC32	`74833781`
ssdeep	`192:+Re1GO+z6suwBzmLD8brbadAX94fRGMWDXoHLuLschUSG:+43+2mzm8br+drRG5DXdLschLG`
Yara	chm_file_format - chm file format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "xELtTxhIUjX" "C:\Users\test22\AppData\Local\Temp\북한인권단체 활동의 어려움과 활성화 방안.chm"
3048
- hh.exe "C:\Windows\hh.exe" C:\Users\test22\AppData\Local\Temp\북한인권단체 활동의 어려움과 활성화 방안.chm
  1784

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 16, 2023, 3:28 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 16, 2023, 3:28 p.m.	stacktrace: CtfImeIsIME+0x8530 TF_IsCtfmonRunning-0xe28 msctf+0x4a278 @ 0x7fefe25a278 TF_IsCtfmonRunning+0x2f4 TF_RunInputCPL-0x1a19c msctf+0x4b394 @ 0x7fefe25b394 SetInputScope+0x4662 DllRegisterServer-0x10f5e msctf+0x2e1e2 @ 0x7fefe23e1e2 TF_GetInputScope+0x19f3 CtfImeDestroyThreadMgr-0x20a9 msctf+0x14bcb @ 0x7fefe224bcb TF_GetInputScope+0x2ae9 CtfImeDestroyThreadMgr-0xfb3 msctf+0x15cc1 @ 0x7fefe225cc1 TF_CanUninitialize+0x74 CtfNotifyIME-0x1318 msctf+0x21ea4 @ 0x7fefe231ea4 TF_CleanUpPrivateMessages+0xf48 DllGetClassObject-0x514 msctf+0x180d4 @ 0x7fefe2280d4 TF_CleanUpPrivateMessages+0xf26 DllGetClassObject-0x536 msctf+0x180b2 @ 0x7fefe2280b2 TF_CleanUpPrivateMessages+0xc7b DllGetClassObject-0x7e1 msctf+0x17e07 @ 0x7fefe227e07 TF_CleanUpPrivateMessages+0xbb8 DllGetClassObject-0x8a4 msctf+0x17d44 @ 0x7fefe227d44 RtlProcessFlsData+0x84 LdrUnlockLoaderLock-0x7c ntdll+0x2b894 @ 0x772bb894 LdrShutdownProcess+0xa9 NtdllDialogWndProc_W-0x43b ntdll+0x24249 @ 0x772b4249 RtlExitUserProcess+0x90 LdrShutdownProcess-0x20 ntdll+0x24180 @ 0x772b4180 strncpy_s+0x14a exit-0x92 msvcrt+0x9962 @ 0x7feff219962 hh+0x1bc1 @ 0xff7f1bc1 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: ff 50 18 89 9e f8 08 00 00 48 3b fb 74 28 48 39 exception.instruction: call qword ptr [rax + 0x18] exception.exception_code: 0xc0000005 exception.symbol: CtfImeIsIME+0x8530 TF_IsCtfmonRunning-0xe28 msctf+0x4a278 exception.address: 0x7fefe25a278 registers.r14: 0 registers.r15: 0 registers.rcx: 50642384 registers.rsi: 0 registers.r10: 1 registers.rbx: 0 registers.rsp: 1178432 registers.r11: 0 registers.r8: 1176976 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 8791641515336 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

May 16, 2023, 3:28 p.m.

stacktrace:

CtfImeIsIME+0x8530 TF_IsCtfmonRunning-0xe28 msctf+0x4a278 @ 0x7fefe25a278
TF_IsCtfmonRunning+0x2f4 TF_RunInputCPL-0x1a19c msctf+0x4b394 @ 0x7fefe25b394
SetInputScope+0x4662 DllRegisterServer-0x10f5e msctf+0x2e1e2 @ 0x7fefe23e1e2
TF_GetInputScope+0x19f3 CtfImeDestroyThreadMgr-0x20a9 msctf+0x14bcb @ 0x7fefe224bcb
TF_GetInputScope+0x2ae9 CtfImeDestroyThreadMgr-0xfb3 msctf+0x15cc1 @ 0x7fefe225cc1
TF_CanUninitialize+0x74 CtfNotifyIME-0x1318 msctf+0x21ea4 @ 0x7fefe231ea4
TF_CleanUpPrivateMessages+0xf48 DllGetClassObject-0x514 msctf+0x180d4 @ 0x7fefe2280d4
TF_CleanUpPrivateMessages+0xf26 DllGetClassObject-0x536 msctf+0x180b2 @ 0x7fefe2280b2
TF_CleanUpPrivateMessages+0xc7b DllGetClassObject-0x7e1 msctf+0x17e07 @ 0x7fefe227e07
TF_CleanUpPrivateMessages+0xbb8 DllGetClassObject-0x8a4 msctf+0x17d44 @ 0x7fefe227d44
RtlProcessFlsData+0x84 LdrUnlockLoaderLock-0x7c ntdll+0x2b894 @ 0x772bb894
LdrShutdownProcess+0xa9 NtdllDialogWndProc_W-0x43b ntdll+0x24249 @ 0x772b4249
RtlExitUserProcess+0x90 LdrShutdownProcess-0x20 ntdll+0x24180 @ 0x772b4180
strncpy_s+0x14a exit-0x92 msvcrt+0x9962 @ 0x7feff219962
hh+0x1bc1 @ 0xff7f1bc1
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521

exception.instruction_r: ff 50 18 89 9e f8 08 00 00 48 3b fb 74 28 48 39
exception.instruction: call qword ptr [rax + 0x18]
exception.exception_code: 0xc0000005
exception.symbol: CtfImeIsIME+0x8530 TF_IsCtfmonRunning-0xe28 msctf+0x4a278
exception.address: 0x7fefe25a278
registers.r14: 0
registers.r15: 0
registers.rcx: 50642384
registers.rsi: 0
registers.r10: 1
registers.rbx: 0
registers.rsp: 1178432
registers.r11: 0
registers.r8: 1176976
registers.r9: 0
registers.rdx: 0
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 8791641515336
registers.r13: 0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 16, 2023, 3:28 p.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

File has been identified by 17 AntiVirus engines on VirusTotal as malicious (17 events)

ALYac	Exploit.CHM-Downloader.Gen
Sangfor	Exploit.Generic-Script.Save.b67efc64
Symantec	Trojan.Malscript
ESET-NOD32	HTML/TrojanDropper.Agent.R
Kaspersky	HEUR:Trojan.Script.Generic
BitDefender	Exploit.CHM-Downloader.Gen
MicroWorld-eScan	Exploit.CHM-Downloader.Gen
Emsisoft	Exploit.CHM-Downloader.Gen (B)
VIPRE	Exploit.CHM-Downloader.Gen
TrendMicro	HEUR_CHM.E
FireEye	Exploit.CHM-Downloader.Gen
GData	Exploit.CHM-Downloader.Gen
Arcabit	Exploit.CHM-Downloader.Gen
ZoneAlarm	HEUR:Trojan.Script.Generic
MAX	malware (ai score=88)
Rising	Trojan.MouseJack/HTML!1.BE26 (CLASSIC)
Fortinet	JS/Agent.00E5!tr

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3048 resumed a thread in remote process 1784
NtResumeThread May 16, 2023, 3:35 p.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 1784	1	0	0

북한인권단체 활동의 어려움과 활성화 방안.chm

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All