Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/06/2024, 20:23 (day/month order: the win10v2004-20240508-en image places this run after 8 May 2024, so this is 1 June 2024)
Static task
- static1
Behavioral tasks (sample and resource)
- behavioral1: 下载说明.htm ("download instructions") on win7-20240221-en
- behavioral2: 下载说明.htm on win10v2004-20240426-en
- behavioral3: 机关公文助手v3.4完美注册机.exe ("Government Office Document Assistant v3.4 perfect keygen") on win7-20240221-en
- behavioral4: 机关公文助手v3.4完美注册机.exe on win10v2004-20240508-en
- behavioral5: 飘down精品软件.url ("Piaodown premium software" internet shortcut) on win7-20240419-en
- behavioral6: 飘down精品软件.url on win10v2004-20240508-en
General
- Target: 机关公文助手v3.4完美注册机.exe ("Government Office Document Assistant v3.4 perfect keygen")
- Size: 193KB
- MD5: 61327c652054726dc1999ee8d7800697
- SHA1: 31c83757b8f04f50bab210e829614f3c77a07390
- SHA256: a230a034cab8eadbf5d8d98e2d95e016355a823ebb0603a419f2bcae14681217
- SHA512: c27d94f4898685b6e09b0bdea9e334f983c87614b2b1392e2d24c257342a01bf440adb0925c362c61838f52223ffbd4fadda8612ef8e0d1732399a98cebd20f9
- SSDEEP: 3072:UJs8W2eob2TA1OkxDBlF6qYoD1RAf3f61iF/sr3n9fXBvJC4CRtD59pvR92LF/Q:fFoSkRBlwqh1RfPpBsXsS
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  PID 3316 regsvr32.exe
  PID 940 机关公文助手v3.4完美注册机.exe
  regsvr32.exe loads the dropped actskn43.ocx in order to call its DllRegisterServer export; the report does not name which dropped module PID 940 loaded.
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\actskn43.ocx, by 机关公文助手v3.4完美注册机.exe
- Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\media.skn, by 机关公文助手v3.4完美注册机.exe
  Both writes land under C:\Windows, which needs elevated rights; they succeeded here because the sandbox ran the sample from C:\Users\Admin with administrative privileges. On a standard-user host these drops would be denied.
- Modifies registry class (64 IoCs)
  All entries below were written by regsvr32.exe (PID 3316). They are the normal COM/ActiveX registration set that an OCX's DllRegisterServer produces: CLSID keys with InprocServer32, ThreadingModel, TypeLib, ProgID (ActiveSkin4.*), Interface and Component Categories entries. They sit under WOW6432Node because a 32-bit control was registered on the x64 image, and every InprocServer32 default value points at the dropped C:\Windows\SysWow64\actskn43.ocx, which is what ties this registration to the file drop above.
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA8C584B-209C-4d54-8BB1-8AB5F1DCA18E}\verb\3
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{795514CB-A81C-48f6-87AB-5B22D433D5D8}\InprocServer32\ThreadingModel = "Apartment"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B195FE25-16D9-4d1b-AD10-0701F9A5E277}\InprocServer32
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EC2EC911-E047-4810-9535-6CAFE1ADC3AD}\InprocServer32\ = "C:\\Windows\\SysWow64\\actskn43.ocx"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00F442C2-5C9E-4ae5-AF7D-FB4E0350C2E3}\InprocServer32
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74848F95-A02A-4286-AF0C-A3C755E4A5B3}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B3F3C14C-FED2-45B8-9EE2-036460E8B171}
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B3F3C14C-FED2-45B8-9EE2-036460E8B171}\TypeLib\ = "{74848F95-A02A-4286-AF0C-A3C755E4A5B3}"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.Skin2\CurVer\ = "ActiveSkin4.Skin.1"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA8C584B-209C-4d54-8BB1-8AB5F1DCA18E}\Version\ = "1.0"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{795514CB-A81C-48f6-87AB-5B22D433D5D8}
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28DD8A6-E9BC-4d3e-A7F7-BC9644138CE2}\TypeLib\ = "{74848F95-A02A-4286-AF0C-A3C755E4A5B3}"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B195FE25-16D9-4d1b-AD10-0701F9A5E277}\ = "SkinScrollBar Object"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13AFA3A3-5687-487c-93F2-63D5DA468F4E}\InprocServer32
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28DD8A6-E9BC-4D3E-A7F7-BC9644138CE2}\Implemented Categories
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13AFA3A3-5687-487c-93F2-63D5DA468F4E}\InprocServer32\ThreadingModel = "Apartment"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B195FE25-16D9-4d1b-AD10-0701F9A5E277}
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00F442C2-5C9E-4AE5-AF7D-FB4E0350C2E3}\Implemented Categories\{55E89939-3D2B-4954-80EA-2703A8EA1A10}
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF19F6B2-10D9-46B1-9050-2E8E2C4B2DDD}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00F442C2-5C9E-4ae5-AF7D-FB4E0350C2E3}\ = "SkinPlasma Object"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.SkinLabel2.1\CLSID
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1698320-77BD-4776-96FD-C3C8D71E57E2}\TypeLib\ = "{74848F95-A02A-4286-AF0C-A3C755E4A5B3}"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{55E89939-3D2B-4954-80EA-2703A8EA1A10}
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA8C584B-209C-4d54-8BB1-8AB5F1DCA18E}\Programmable
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA8C584B-209C-4d54-8BB1-8AB5F1DCA18E}\verb\3\ = "&Edit Skin,0,2"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EDBA2AAC-8A00-4eed-A2E4-74BFB760BE10}\InprocServer32
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B195FE25-16D9-4d1b-AD10-0701F9A5E277}\TypeLib
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA8C584B-209C-4d54-8BB1-8AB5F1DCA18E}\MiscStatus\ = "0"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EC2EC911-E047-4810-9535-6CAFE1ADC3AD}\InprocServer32\ThreadingModel = "Apartment"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1698320-77BD-4776-96FD-C3C8D71E57E2}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\actskn43.ocx, 119"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B3F3C14C-FED2-45B8-9EE2-036460E8B171}\TypeLib
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00F442C2-5C9E-4ae5-AF7D-FB4E0350C2E3}\InprocServer32\ThreadingModel = "Apartment"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA8C584B-209C-4d54-8BB1-8AB5F1DCA18E}\verb\5
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1698320-77BD-4776-96FD-C3C8D71E57E2}\Control
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1698320-77BD-4776-96FD-C3C8D71E57E2}\MiscStatus\1
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF19F6B2-10D9-46B1-9050-2E8E2C4B2DDD}\TypeLib\ = "{74848F95-A02A-4286-AF0C-A3C755E4A5B3}"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3F3C14C-FED2-45B8-9EE2-036460E8B171}\ = "ISkinLabel"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5AAECB3B-3D56-47c7-8706-77899E73802A}\InprocServer32
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1698320-77BD-4776-96FD-C3C8D71E57E2}\Version
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FF19F6B2-10D9-46B1-9050-2E8E2C4B2DDD}\TypeLib
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62289CBE-3BE2-4ba9-AC20-A911C900039A}\InprocServer32\ = "C:\\Windows\\SysWow64\\actskn43.ocx"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13AFA3A3-5687-487C-93F2-63D5DA468F4E}\Implemented Categories
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28DD8A6-E9BC-4d3e-A7F7-BC9644138CE2}\InprocServer32\ = "C:\\Windows\\SysWow64\\actskn43.ocx"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28DD8A6-E9BC-4D3E-A7F7-BC9644138CE2}
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B195FE25-16D9-4D1B-AD10-0701F9A5E277}\Implemented Categories\{55E89939-3D2B-4954-80EA-2703A8EA1A10}
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA8C584B-209C-4d54-8BB1-8AB5F1DCA18E}\InprocServer32\ThreadingModel = "Apartment"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5AAECB3B-3D56-47c7-8706-77899E73802A}\TypeLib\ = "{74848F95-A02A-4286-AF0C-A3C755E4A5B3}"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.SkinLabel2.1\CLSID\ = "{D1698320-77BD-4776-96FD-C3C8D71E57E2}"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA8C584B-209C-4d54-8BB1-8AB5F1DCA18E}\VersionIndependentProgID
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62289CBE-3BE2-4BA9-AC20-A911C900039A}\Implemented Categories\{55E89939-3D2B-4954-80EA-2703A8EA1A10}
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1698320-77BD-4776-96FD-C3C8D71E57E2}\Programmable
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3F3C14C-FED2-45B8-9EE2-036460E8B171}\ProxyStubClsid32
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3F3C14C-FED2-45B8-9EE2-036460E8B171}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.Skin2\CLSID\ = "{BA8C584B-209C-4d54-8BB1-8AB5F1DCA18E}"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA8C584B-209C-4d54-8BB1-8AB5F1DCA18E}\InprocServer32\ = "C:\\Windows\\SysWow64\\actskn43.ocx"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62289CBE-3BE2-4ba9-AC20-A911C900039A}\InprocServer32
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66A21AEA-5A05-46b5-B7CD-C1AAAF4770CD}\ = "SkinForm Object"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5AAECB3B-3D56-47C7-8706-77899E73802A}\Implemented Categories
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA8C584B-209C-4d54-8BB1-8AB5F1DCA18E}\VersionIndependentProgID\ = "ActiveSkin4.Skin2"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66A21AEA-5A05-46B5-B7CD-C1AAAF4770CD}
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28DD8A6-E9BC-4d3e-A7F7-BC9644138CE2}
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32239586-29DE-4268-8AF3-CE7658D3D672}\TypeLib
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66A21AEA-5A05-46b5-B7CD-C1AAAF4770CD}\InprocServer32\ = "C:\\Windows\\SysWow64\\actskn43.ocx"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.SkinLabel2\CLSID
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 940 机关公文助手v3.4完美注册机.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 940 (机关公文助手v3.4完美注册机.exe) wrote to memory of PID 3316, target process 82 (three times)
  All three writes go from the keygen to the regsvr32.exe child it had just created (PID 3316). A parent writing into a freshly created child is what CreateProcess does while setting the child up, so on its own this pattern does not show code injection; it would need writes into a process the sample did not create to read that way.
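The registry signature above is only useful once the 64 raw lines are reduced to the question that matters: which CLSIDs now resolve to a module the sample itself wrote to disk. The following is an added example, not part of the tria.ge report and not code from the sample or from ActiveSkin. It parses the report's own "Modifies registry class" and "Drops file" lines (the sample lines below are copied from this page; the regexes, helper names and output shape are the example's own) and lists every CLSID whose InprocServer32 default value points at a dropped file, together with any ProgID bound to that CLSID. The same parser works on the flattened "Set value (str) ... / Key created ..." format of any tria.ge report, which the page itself does not show.

```python
import re
from collections import defaultdict

# Constructed input: lines copied from the "Modifies registry class" and
# "Drops file ..." signatures of this report. Backslashes inside quoted
# registry data are doubled exactly as the sandbox rendered them.
REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{795514CB-A81C-48f6-87AB-5B22D433D5D8}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EC2EC911-E047-4810-9535-6CAFE1ADC3AD}\InprocServer32\ = "C:\\Windows\\SysWow64\\actskn43.ocx" regsvr32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00F442C2-5C9E-4ae5-AF7D-FB4E0350C2E3}\InprocServer32 regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.Skin2\CurVer\ = "ActiveSkin4.Skin.1" regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B195FE25-16D9-4d1b-AD10-0701F9A5E277}\ = "SkinScrollBar Object" regsvr32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28DD8A6-E9BC-4D3E-A7F7-BC9644138CE2}\Implemented Categories regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA8C584B-209C-4d54-8BB1-8AB5F1DCA18E}\verb\3\ = "&Edit Skin,0,2" regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62289CBE-3BE2-4ba9-AC20-A911C900039A}\InprocServer32\ = "C:\\Windows\\SysWow64\\actskn43.ocx" regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1698320-77BD-4776-96FD-C3C8D71E57E2}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\actskn43.ocx, 119" regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28DD8A6-E9BC-4d3e-A7F7-BC9644138CE2}\InprocServer32\ = "C:\\Windows\\SysWow64\\actskn43.ocx" regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.SkinLabel2.1\CLSID\ = "{D1698320-77BD-4776-96FD-C3C8D71E57E2}" regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.Skin2\CLSID\ = "{BA8C584B-209C-4d54-8BB1-8AB5F1DCA18E}" regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA8C584B-209C-4d54-8BB1-8AB5F1DCA18E}\InprocServer32\ = "C:\\Windows\\SysWow64\\actskn43.ocx" regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66A21AEA-5A05-46b5-B7CD-C1AAAF4770CD}\InprocServer32\ = "C:\\Windows\\SysWow64\\actskn43.ocx" regsvr32.exe',
    r'File opened for modification C:\Windows\SysWOW64\actskn43.ocx 机关公文助手v3.4完美注册机.exe',
    r'File opened for modification C:\Windows\media.skn 机关公文助手v3.4完美注册机.exe',
]

# Registry IoC line: <op> <key path>[ = "<data>"] <process>. Key paths may
# contain spaces ("Implemented Categories"), so the key is matched lazily and
# anchored by the trailing process name.
REG_RE = re.compile(
    r'^(?P<op>Key created|Set value \(\w+\))\s+'
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<data>.*)")?'
    r'\s+(?P<proc>\S+)$'
)
FILE_RE = re.compile(r'^File opened for modification\s+(?P<path>\S+)\s+(?P<proc>\S+)$')
INPROC_RE = re.compile(r'\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32$', re.I)
PROGID_RE = re.compile(r'\\Classes\\(?P<progid>[^\\]+)\\CLSID$', re.I)
GUID_RE = re.compile(r'\{[0-9A-F-]{36}\}', re.I)


def parse_registry_ioc(line):
    """Split one registry IoC line into op, key path, value name, data, process.
    For 'Set value' lines the last path component is the value name ('' = default)."""
    m = REG_RE.match(line)
    if not m:
        return None
    key = m.group('key')
    if m.group('op') == 'Key created':
        key_path, value_name = key, None
    else:
        key_path, _, value_name = key.rpartition('\\')
    return {'op': m.group('op'), 'key': key_path, 'value_name': value_name,
            'data': m.group('data'), 'process': m.group('proc')}


def normalize_path(p):
    # Undo the sandbox's doubled backslashes and compare case-insensitively,
    # so "C:\\Windows\\SysWow64\\x.ocx" equals "C:\Windows\SysWOW64\x.ocx".
    return p.replace('\\\\', '\\').strip().lower()


def dropped_files(lines):
    return {normalize_path(m.group('path')) for m in map(FILE_RE.match, lines) if m}


def default_values(lines):
    """Yield (key_path, data) for every 'Set value' of a key's default value."""
    for rec in map(parse_registry_ioc, lines):
        if rec and rec['value_name'] == '' and rec['data'] is not None:
            yield rec['key'], rec['data']


def inproc_servers(lines):
    """CLSID -> normalized module path, from InprocServer32 default values."""
    servers = {}
    for key_path, data in default_values(lines):
        m = INPROC_RE.search(key_path)
        if m:
            servers[m.group(1).upper()] = normalize_path(data)
    return servers


def progids(lines):
    """ProgID -> CLSID, from HKLM\\SOFTWARE\\Classes\\<ProgID>\\CLSID defaults."""
    out = {}
    for key_path, data in default_values(lines):
        m = PROGID_RE.search(key_path)
        if m and GUID_RE.fullmatch(data):
            out[m.group('progid')] = data.upper()
    return out


def dropped_com_servers(lines):
    """CLSIDs whose in-process server is a file the sample dropped, with ProgIDs."""
    dropped = dropped_files(lines)
    progid_for = defaultdict(list)
    for progid, clsid in progids(lines).items():
        progid_for[clsid].append(progid)
    return [{'clsid': clsid, 'module': module, 'progids': sorted(progid_for[clsid])}
            for clsid, module in sorted(inproc_servers(lines).items())
            if module in dropped]


if __name__ == '__main__':
    for f in dropped_com_servers(REPORT_LINES):
        print(f"{f['clsid']} -> {f['module']}  ProgIDs: {', '.join(f['progids']) or '-'}")
```

Run against the full 64-line signature the output is the list of ActiveSkin CLSIDs backed by the dropped OCX; on the excerpt embedded above it reports five CLSIDs, one of them reachable through the ProgID ActiveSkin4.Skin2. A host-side check would query the same CLSID\InprocServer32 keys under HKLM\SOFTWARE\Classes\WOW6432Node and compare the module's hash against the one in this report.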
Processes
- C:\Users\Admin\AppData\Local\Temp\机关公文助手v3.4完美注册机.exe (PID 940)
  Command line: "C:\Users\Admin\AppData\Local\Temp\机关公文助手v3.4完美注册机.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (PID 3316, child of PID 940)
    Command line: regsvr32 C:\Windows\system32\actskn43.ocx /s
    - Loads dropped DLL
    - Modifies registry class
    The command line names C:\Windows\system32, but the sample is 32-bit: WOW64 file-system redirection sends that path to C:\Windows\SysWOW64, which is where the file drop was recorded, and the 32-bit regsvr32.exe in SysWOW64 registers the control under WOW6432Node. The /s switch suppresses the registration success or failure dialog, so the user sees nothing.
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 380KB
- MD5: c99684cca51ef72825710adb3492acde
- SHA1: 81531c715a4afbb025a9e9bf777c24d139eccb49
- SHA256: d5969cf99c45e1897ffe18fd94e43fa15616fab478de667175d422336e0a838a
- SHA512: 9bfe372880eb1896d65315067fbd28d761f297ffdecad4fab86ffc9966a4ab859b78caf3d70ad9b021e7f06803cba59249d1a6d7721a20e1e82087afddc948b2