a3df189c707b49faf8ba2ed927391ea18b257def984268c2ddd19b5e69e53a6f

Analysis

max time kernel
155s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
24/08/2023, 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

文本处理.exe
Size

2.0MB
MD5

c22573132c63123b793c7d1b0369f5e3
SHA1

3e21973cf009d725e34c6f28e3eb4055e3b63e64
SHA256

a3df189c707b49faf8ba2ed927391ea18b257def984268c2ddd19b5e69e53a6f
SHA512

579def784aac21f5b9de30fe909f2d5162a62bc492cba730871d807efa794bf8ff4390a0fbbca46e7a44476652b4c3b69582f27f837b5c35f9d28c947c2ed6be
SSDEEP

49152:ehokE9wj0qRshjPsleryGZWaeRhSs6wYZjaBPoVgcmp:gnE9q7KPsm5gSs6puBIgcq

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2344	winmm2.dll

Loads dropped DLL 2 IoCs

pid	Process
3020	文本处理.exe
3020	文本处理.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000f000000012029-3.dat	upx
behavioral1/files/0x000f000000012029-9.dat	upx
behavioral1/files/0x000f000000012029-7.dat	upx
behavioral1/files/0x000f000000012029-5.dat	upx
behavioral1/memory/3020-10-0x0000000002370000-0x0000000002661000-memory.dmp	upx
behavioral1/memory/2344-11-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/2344-14-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/2344-15-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/2344-16-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/2344-18-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/2344-19-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/2344-20-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/2344-21-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/2344-22-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/2344-23-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/2344-24-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/2344-25-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/2344-26-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/2344-27-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/2344-28-0x0000000000400000-0x00000000006F1000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe
3020	文本处理.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3020	文本处理.exe
3020	文本处理.exe
2344	winmm2.dll
2344	winmm2.dll

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2344	3020	文本处理.exe	28
PID 3020 wrote to memory of 2344	3020	文本处理.exe	28
PID 3020 wrote to memory of 2344	3020	文本处理.exe	28
PID 3020 wrote to memory of 2344	3020	文本处理.exe	28

C:\Users\Admin\AppData\Local\Temp\文本处理.exe
"C:\Users\Admin\AppData\Local\Temp\文本处理.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\winmm2.dll
  C:\Users\Admin\AppData\Local\Temp\winmm2.dll
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\winmm2.dll

Filesize
1.3MB

MD5
53b98017d53884326feb87a2555817ce

SHA1
baee94da47e3561a8a74a562af9687d3e715c0ff

SHA256
29853c0fcf9b90fb87abdee0dc259374050a26ea0b765367c969e46174b01400

SHA512
112c293adb3e6b4cb6304b34f0a29dd4044daa45e7e174befc960dda5dc6d4e0ebe7b1ca4a57bfabc7441b62547510b809f4a7f183faba0c37983e8d9da257f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\winmm2.dll

Filesize
1.3MB

MD5
53b98017d53884326feb87a2555817ce

SHA1
baee94da47e3561a8a74a562af9687d3e715c0ff

SHA256
29853c0fcf9b90fb87abdee0dc259374050a26ea0b765367c969e46174b01400

SHA512
112c293adb3e6b4cb6304b34f0a29dd4044daa45e7e174befc960dda5dc6d4e0ebe7b1ca4a57bfabc7441b62547510b809f4a7f183faba0c37983e8d9da257f9

Download Submit
\Users\Admin\AppData\Local\Temp\winmm2.dll

Filesize
1.3MB

MD5
53b98017d53884326feb87a2555817ce

SHA1
baee94da47e3561a8a74a562af9687d3e715c0ff

SHA256
29853c0fcf9b90fb87abdee0dc259374050a26ea0b765367c969e46174b01400

SHA512
112c293adb3e6b4cb6304b34f0a29dd4044daa45e7e174befc960dda5dc6d4e0ebe7b1ca4a57bfabc7441b62547510b809f4a7f183faba0c37983e8d9da257f9

Download Submit
\Users\Admin\AppData\Local\Temp\winmm2.dll

Filesize
1.3MB

MD5
53b98017d53884326feb87a2555817ce

SHA1
baee94da47e3561a8a74a562af9687d3e715c0ff

SHA256
29853c0fcf9b90fb87abdee0dc259374050a26ea0b765367c969e46174b01400

SHA512
112c293adb3e6b4cb6304b34f0a29dd4044daa45e7e174befc960dda5dc6d4e0ebe7b1ca4a57bfabc7441b62547510b809f4a7f183faba0c37983e8d9da257f9

Download Submit
memory/2344-21-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2344-19-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2344-11-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2344-28-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2344-27-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2344-14-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2344-15-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2344-16-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2344-18-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2344-26-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2344-20-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2344-25-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2344-22-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2344-23-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2344-24-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/3020-0-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/3020-10-0x0000000002370000-0x0000000002661000-memory.dmp

Filesize
2.9MB

Download
memory/3020-13-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/3020-12-0x0000000002370000-0x0000000002661000-memory.dmp

Filesize
2.9MB

Download