Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
155s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
24/08/2023, 12:01
Static task
static1
Behavioral task
behavioral1
Sample
文本处理.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
文本处理.exe
Resource
win10v2004-20230703-en
General
-
Target
文本处理.exe
-
Size
2.0MB
-
MD5
c22573132c63123b793c7d1b0369f5e3
-
SHA1
3e21973cf009d725e34c6f28e3eb4055e3b63e64
-
SHA256
a3df189c707b49faf8ba2ed927391ea18b257def984268c2ddd19b5e69e53a6f
-
SHA512
579def784aac21f5b9de30fe909f2d5162a62bc492cba730871d807efa794bf8ff4390a0fbbca46e7a44476652b4c3b69582f27f837b5c35f9d28c947c2ed6be
-
SSDEEP
49152:ehokE9wj0qRshjPsleryGZWaeRhSs6wYZjaBPoVgcmp:gnE9q7KPsm5gSs6puBIgcq
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2344 winmm2.dll -
Loads dropped DLL 2 IoCs
pid Process 3020 文本处理.exe 3020 文本处理.exe -
resource yara_rule behavioral1/files/0x000f000000012029-3.dat upx behavioral1/files/0x000f000000012029-9.dat upx behavioral1/files/0x000f000000012029-7.dat upx behavioral1/files/0x000f000000012029-5.dat upx behavioral1/memory/3020-10-0x0000000002370000-0x0000000002661000-memory.dmp upx behavioral1/memory/2344-11-0x0000000000400000-0x00000000006F1000-memory.dmp upx behavioral1/memory/2344-14-0x0000000000400000-0x00000000006F1000-memory.dmp upx behavioral1/memory/2344-15-0x0000000000400000-0x00000000006F1000-memory.dmp upx behavioral1/memory/2344-16-0x0000000000400000-0x00000000006F1000-memory.dmp upx behavioral1/memory/2344-18-0x0000000000400000-0x00000000006F1000-memory.dmp upx behavioral1/memory/2344-19-0x0000000000400000-0x00000000006F1000-memory.dmp upx behavioral1/memory/2344-20-0x0000000000400000-0x00000000006F1000-memory.dmp upx behavioral1/memory/2344-21-0x0000000000400000-0x00000000006F1000-memory.dmp upx behavioral1/memory/2344-22-0x0000000000400000-0x00000000006F1000-memory.dmp upx behavioral1/memory/2344-23-0x0000000000400000-0x00000000006F1000-memory.dmp upx behavioral1/memory/2344-24-0x0000000000400000-0x00000000006F1000-memory.dmp upx behavioral1/memory/2344-25-0x0000000000400000-0x00000000006F1000-memory.dmp upx behavioral1/memory/2344-26-0x0000000000400000-0x00000000006F1000-memory.dmp upx behavioral1/memory/2344-27-0x0000000000400000-0x00000000006F1000-memory.dmp upx behavioral1/memory/2344-28-0x0000000000400000-0x00000000006F1000-memory.dmp upx -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe 3020 文本处理.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 3020 文本处理.exe 3020 文本处理.exe 2344 winmm2.dll 2344 winmm2.dll -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3020 wrote to memory of 2344 3020 文本处理.exe 28 PID 3020 wrote to memory of 2344 3020 文本处理.exe 28 PID 3020 wrote to memory of 2344 3020 文本处理.exe 28 PID 3020 wrote to memory of 2344 3020 文本处理.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\文本处理.exe"C:\Users\Admin\AppData\Local\Temp\文本处理.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Users\Admin\AppData\Local\Temp\winmm2.dllC:\Users\Admin\AppData\Local\Temp\winmm2.dll2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2344
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD553b98017d53884326feb87a2555817ce
SHA1baee94da47e3561a8a74a562af9687d3e715c0ff
SHA25629853c0fcf9b90fb87abdee0dc259374050a26ea0b765367c969e46174b01400
SHA512112c293adb3e6b4cb6304b34f0a29dd4044daa45e7e174befc960dda5dc6d4e0ebe7b1ca4a57bfabc7441b62547510b809f4a7f183faba0c37983e8d9da257f9
-
Filesize
1.3MB
MD553b98017d53884326feb87a2555817ce
SHA1baee94da47e3561a8a74a562af9687d3e715c0ff
SHA25629853c0fcf9b90fb87abdee0dc259374050a26ea0b765367c969e46174b01400
SHA512112c293adb3e6b4cb6304b34f0a29dd4044daa45e7e174befc960dda5dc6d4e0ebe7b1ca4a57bfabc7441b62547510b809f4a7f183faba0c37983e8d9da257f9
-
Filesize
1.3MB
MD553b98017d53884326feb87a2555817ce
SHA1baee94da47e3561a8a74a562af9687d3e715c0ff
SHA25629853c0fcf9b90fb87abdee0dc259374050a26ea0b765367c969e46174b01400
SHA512112c293adb3e6b4cb6304b34f0a29dd4044daa45e7e174befc960dda5dc6d4e0ebe7b1ca4a57bfabc7441b62547510b809f4a7f183faba0c37983e8d9da257f9
-
Filesize
1.3MB
MD553b98017d53884326feb87a2555817ce
SHA1baee94da47e3561a8a74a562af9687d3e715c0ff
SHA25629853c0fcf9b90fb87abdee0dc259374050a26ea0b765367c969e46174b01400
SHA512112c293adb3e6b4cb6304b34f0a29dd4044daa45e7e174befc960dda5dc6d4e0ebe7b1ca4a57bfabc7441b62547510b809f4a7f183faba0c37983e8d9da257f9