Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.21 02:09
l6E.exe
09.20 01:09
setup.exe
09.20 11:09
3uTools.exe
09.20 11:09
66ecb4573225b_vsbhfdg1...
09.20 10:09
66ecb452ba19c_sfbdsgfd...
09.20 10:09
66ecb44c35444_vfdhsgdf...
09.20 10:09
66ec0e61998bf_setup30.exe
09.20 10:09
66ebf725efe38_lyla.exe
09.20 10:09
Desktop_Explorer.exe
09.20 10:09
66ec3528901bb_winupdat...

Latest News
09.21 02:09
Google Faces EU Ultima...
09.21 02:09
This New Video Game Is...
09.21 02:09
FTC finds social media...
09.21 02:09
FTC finds social media...
09.21 01:09
Automate detection and...
09.21 01:09
Hackaday Podcast Episo...
09.21 01:09
The Russian Bot Army T...
09.21 01:09
Australia’s Labor Part...
09.21 12:09
Inviting the Public to...
09.21 12:09
How Ransomhub Ransomwa...

Summary | ZeroBOX

E9DF1F28CFBC831B89A404816A0242EAD5BB142C.hwp

PS PostScript Lnk Format GIF Format MSOffice File HWP

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 25, 2024, 1:53 p.m.	Jan. 25, 2024, 1:55 p.m.

Size	75.0KB
Type	Hangul (Korean) Word Processor File 5.x
MD5	`e5a10df3734802a63d6f10a63ff0054c`
SHA256	`8510b40c23826fb3ee9cbc0a7b58b5176338020e6524bf9938f1efaadcbf973c`
CRC32	`3761BB36`
ssdeep	`1536:MmmxF9l4IgrVY9dHux2OHiBjavjIEfpTdg:MZD9pCuGTHiVabIGp`
Yara	Microsoft_Office_File_Zero - Microsoft Office File HWP_file_format - HWP Document File Win32_HWP_PostScript_Zero - Detect a HWP with embedded Post Script code

Hwp.exe "C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe" C:\Users\test22\AppData\Local\Temp\E9DF1F28CFBC831B89A404816A0242EAD5BB142C.hwp
2556
- HimTrayIcon.exe "C:\Program Files (x86)\Hnc\Common80\HimTrayIcon.exe"
  2676

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 25, 2024, 1:53 p.m.			0	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 25, 2024, 1:53 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72dd2000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\HNC\Office\Recent\E9DF1F28CFBC831B89A404816A0242EAD5BB142C.hwp.lnk
file	C:\Users\test22\AppData\Roaming\HNC\Office\Recent\Temp.folder.lnk

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Roaming\HNC\Office\Recent\E9DF1F28CFBC831B89A404816A0242EAD5BB142C.hwp.lnk
file	C:\Users\test22\AppData\Roaming\HNC\Office\Recent\Temp.folder.lnk

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

Skyhigh	Artemis
ALYac	Trojan.Downloader.HWP.Agent
Symantec	Trojan.Mdropper
ESET-NOD32	HWP/TrojanDownloader.Agent.N
TrendMicro-HouseCall	Trojan.W97M.FRS.VSNW09A24
Avast	Other:Malware-gen [Trj]
TrendMicro	Trojan.W97M.FRS.VSNW09A24
ViRobot	HWP.S.Downloader.76800
AhnLab-V3	Downloader/HWP.Agent
AVG	Other:Malware-gen [Trj]