SmartHawk

8.2

高危

55 个模型检测该样本为恶意！

重新分析

下载样本

6cc43dcf0639d2b657784294b64c28b81daa90b4385e027a81015cc81f664953

04aa2b4e2a24ea561b3d8c193c3fff2a.exe

分析耗时

87s

最近分析

文件大小

416.5KB

静态报毒动态报毒 9+3SMWUXDFI AI SCORE=89 AMRKF ATTRIBUTE CONFIDENCE ELDORADO FAREIT FORMBOOK GENERICKD HESV HIGH CONFIDENCE HIGHCONFIDENCE HQSGHJ INJECT3 KRYPTIK MALICIOUS PE MALWARE@#2CTZP2BL81EXI MALWAREX R002C0DH720 R347004 S + TROJ SCORE STATIC AI SUSGEN TSCOPE UNSAFE YAKBEEXMSIL 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Baidu		20190318	1.0.0.2
Avast	Win32:MalwareX-gen [Trj]	20201210	21.1.5827.0
Alibaba	Trojan:MSIL/Formbook.8f3ee406	20190527	0.3.0.5
Tencent	Msil.Trojan.Hesv.Fig	20201211	1.0.0.1
Kingsoft		20201211	2017.9.26.565
McAfee	Fareit-FVT!04AA2B4E2A24	20201211	6.0.6.653
CrowdStrike	win/malicious_confidence_80% (W)	20190702	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619161426.779249 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (34 个事件)

Time & API	Arguments	Status	Return	Repeated
1619134516.36611 IsDebuggerPresent		failed	0	0
1619134516.36611 IsDebuggerPresent		failed	0	0
1619134564.00611 IsDebuggerPresent		failed	0	0
1619134564.52211 IsDebuggerPresent		failed	0	0
1619134565.02211 IsDebuggerPresent		failed	0	0
1619134565.52211 IsDebuggerPresent		failed	0	0
1619134566.02211 IsDebuggerPresent		failed	0	0
1619134566.52211 IsDebuggerPresent		failed	0	0
1619134567.02211 IsDebuggerPresent		failed	0	0
1619134567.52211 IsDebuggerPresent		failed	0	0
1619134568.02211 IsDebuggerPresent		failed	0	0
1619134568.52211 IsDebuggerPresent		failed	0	0
1619134569.02211 IsDebuggerPresent		failed	0	0
1619134569.52211 IsDebuggerPresent		failed	0	0
1619134570.02211 IsDebuggerPresent		failed	0	0
1619134570.52211 IsDebuggerPresent		failed	0	0
1619134571.02211 IsDebuggerPresent		failed	0	0
1619134571.52211 IsDebuggerPresent		failed	0	0
1619134572.02211 IsDebuggerPresent		failed	0	0
1619134572.52211 IsDebuggerPresent		failed	0	0
1619134573.02211 IsDebuggerPresent		failed	0	0
1619134573.52211 IsDebuggerPresent		failed	0	0
1619134574.02211 IsDebuggerPresent		failed	0	0
1619134574.52211 IsDebuggerPresent		failed	0	0
1619134575.02211 IsDebuggerPresent		failed	0	0
1619134575.52211 IsDebuggerPresent		failed	0	0
1619134576.02211 IsDebuggerPresent		failed	0	0
1619134576.52211 IsDebuggerPresent		failed	0	0
1619134577.05311 IsDebuggerPresent		failed	0	0
1619134577.52211 IsDebuggerPresent		failed	0	0
1619134578.10011 IsDebuggerPresent		failed	0	0
1619134578.53811 IsDebuggerPresent		failed	0	0
1619134579.10011 IsDebuggerPresent		failed	0	0
1619134579.53811 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619161427.592249 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\gqeORECqcSon"。 console_handle: 0x00000007	success	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619134516.38111 GlobalMemoryStatusEx		success	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 99 个事件)

Time & API	Arguments	Status	Return
1619134515.89711 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00340000	success	0
1619134515.89711 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003a0000	success	0
1619134516.20911 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x008d0000	success	0
1619134516.20911 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00960000	success	0
1619134516.25611 NtProtectVirtualMemory	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success	0
1619134516.36611 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02110000	success	0
1619134516.36611 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x021f0000	success	0
1619134516.36611 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0039a000	success	0
1619134516.36611 NtProtectVirtualMemory	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success	0
1619134516.36611 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00392000	success	0
1619134516.55311 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003e2000	success	0
1619134516.61611 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00475000	success	0
1619134516.61611 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0047b000	success	0
1619134516.61611 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00477000	success	0
1619134516.69411 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003e3000	success	0
1619134516.74111 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003ec000	success	0
1619134516.78811 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00770000	success	0
1619134517.08411 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003e4000	success	0
1619134517.10011 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003e6000	success	0
1619134517.19411 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003e7000	success	0
1619134517.19411 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003e8000	success	0
1619134517.19411 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003e9000	success	0
1619134517.24111 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0046a000	success	0
1619134517.24111 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00467000	success	0
1619134517.35011 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00466000	success	0
1619134517.39711 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00771000	success	0
1619134517.64711 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003ea000	success	0
1619134517.75611 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00820000	success	0
1619134517.75611 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00821000	success	0
1619134517.78811 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00774000	success	0
1619134518.02211 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00822000	success	0
1619134518.06911 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00775000	success	0
1619134518.08411 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00823000	success	0
1619134518.11611 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00776000	success	0
1619134518.13111 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00824000	success	0
1619134518.14711 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00779000	success	0
1619134559.14711 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003ed000	success	0
1619134559.14711 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0077a000	success	0
1619134559.16311 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00961000	success	0
1619134559.22511 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0077b000	success	0
1619134559.28811 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0039c000	success	0
1619134559.31911 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0077c000	success	0
1619134559.39711 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00825000	success	0
1619134559.41311 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0077d000	success	0
1619134559.53811 NtProtectVirtualMemory	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 235008 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x04390400	failed	3221225550
1619134563.39711 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0077f000	success	0
1619134563.41311 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00826000	success	0
1619134563.42811 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02280000	success	0
1619134563.44411 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02281000	success	0
1619134563.53811 NtAllocateVirtualMemory	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02282000	success	0

Creates a suspicious process (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\gqeORECqcSon" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp36F4.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gqeORECqcSon" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp36F4.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619134574.67811 ShellExecuteExW	parameters: /Create /TN "Updates\gqeORECqcSon" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp36F4.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.777685464219925

section

{'size_of_data': '0x00067800', 'virtual_address': '0x00002000', 'entropy': 7.777685464219925, 'name': '.text', 'virtual_size': '0x0006768c'}

description

A section with a high entropy has been found

entropy

0.9951923076923077

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619134559.52211 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (10 个事件)

Time & API	Arguments	Status
1619134578.05311 NtTerminateProcess	status_code: 0xffffffff process_identifier: 376 process_handle: 0x00010f18	failed
1619134578.05311 NtTerminateProcess	status_code: 0xffffffff process_identifier: 376 process_handle: 0x00010f18	success
1619134578.60011 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1752 process_handle: 0x00010f1c	failed
1619134578.60011 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1752 process_handle: 0x00010f1c	success
1619134578.97511 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2412 process_handle: 0x00010f20	failed
1619134578.97511 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2412 process_handle: 0x00010f20	success
1619134579.33411 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2188 process_handle: 0x00010f24	failed
1619134579.33411 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2188 process_handle: 0x00010f24	success
1619134579.69411 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2228 process_handle: 0x00010f28	failed
1619134579.69411 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2228 process_handle: 0x00010f28	success

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\gqeORECqcSon" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp36F4.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gqeORECqcSon" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp36F4.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (5 个事件)

Time & API	Arguments	Status	Return
1619134577.74111 NtAllocateVirtualMemory	process_identifier: 376 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00010f14 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619134578.35011 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00006d8c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619134578.70911 NtAllocateVirtualMemory	process_identifier: 2412 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00001a4c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619134579.06911 NtAllocateVirtualMemory	process_identifier: 2188 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00010128 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619134579.42811 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00007748 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp36F4.tmp

Manipulates memory of a non-child process indicative of process injection (10 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2764 manipulating memory of non-child process 376
Process injection	Process 2764 manipulating memory of non-child process 1752
Process injection	Process 2764 manipulating memory of non-child process 2412
Process injection	Process 2764 manipulating memory of non-child process 2188
Process injection	Process 2764 manipulating memory of non-child process 2228
1619134577.74111 NtAllocateVirtualMemory	process_identifier: 376 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00010f14 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619134578.35011 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00006d8c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619134578.70911 NtAllocateVirtualMemory	process_identifier: 2412 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00001a4c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619134579.06911 NtAllocateVirtualMemory	process_identifier: 2188 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00010128 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619134579.42811 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00007748 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Executed a process and injected code into it, probably while unpacking (21 个事件)

Time & API	Arguments	Status	Return
1619134516.36611 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2764	success	0
1619134516.38111 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 2764	success	0
1619134516.39711 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 2764	success	0
1619134563.99111 NtResumeThread	thread_handle: 0x00010e58 suspend_count: 1 process_identifier: 2764	success	0
1619134564.00611 NtResumeThread	thread_handle: 0x0000c2c8 suspend_count: 1 process_identifier: 2764	success	0
1619134574.67811 CreateProcessInternalW	thread_identifier: 2496 thread_handle: 0x00003464 process_identifier: 2444 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gqeORECqcSon" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp36F4.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x00010f0c inherit_handles: 0	success	1
1619134577.74111 CreateProcessInternalW	thread_identifier: 2956 thread_handle: 0x00010ee8 process_identifier: 376 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04aa2b4e2a24ea561b3d8c193c3fff2a.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04aa2b4e2a24ea561b3d8c193c3fff2a.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00010f14 inherit_handles: 0	success	1
1619134577.74111 NtGetContextThread	thread_handle: 0x00010ee8	success	0
1619134577.74111 NtAllocateVirtualMemory	process_identifier: 376 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00010f14 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619134578.35011 CreateProcessInternalW	thread_identifier: 1688 thread_handle: 0x00010f18 process_identifier: 1752 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04aa2b4e2a24ea561b3d8c193c3fff2a.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04aa2b4e2a24ea561b3d8c193c3fff2a.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00006d8c inherit_handles: 0	success	1
1619134578.35011 NtGetContextThread	thread_handle: 0x00010f18	success	0
1619134578.35011 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00006d8c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619134578.70911 CreateProcessInternalW	thread_identifier: 2060 thread_handle: 0x00010f1c process_identifier: 2412 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04aa2b4e2a24ea561b3d8c193c3fff2a.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04aa2b4e2a24ea561b3d8c193c3fff2a.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00001a4c inherit_handles: 0	success	1
1619134578.70911 NtGetContextThread	thread_handle: 0x00010f1c	success	0
1619134578.70911 NtAllocateVirtualMemory	process_identifier: 2412 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00001a4c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619134579.06911 CreateProcessInternalW	thread_identifier: 2012 thread_handle: 0x00010f20 process_identifier: 2188 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04aa2b4e2a24ea561b3d8c193c3fff2a.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04aa2b4e2a24ea561b3d8c193c3fff2a.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00010128 inherit_handles: 0	success	1
1619134579.06911 NtGetContextThread	thread_handle: 0x00010f20	success	0
1619134579.06911 NtAllocateVirtualMemory	process_identifier: 2188 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00010128 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619134579.42811 CreateProcessInternalW	thread_identifier: 1824 thread_handle: 0x00010f24 process_identifier: 2228 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04aa2b4e2a24ea561b3d8c193c3fff2a.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04aa2b4e2a24ea561b3d8c193c3fff2a.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00007748 inherit_handles: 0	success	1
1619134579.42811 NtGetContextThread	thread_handle: 0x00010f24	success	0
1619134579.42811 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00007748 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.34299984
FireEye	Generic.mg.04aa2b4e2a24ea56
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
ALYac	Trojan.GenericKD.34299984
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Malware
K7AntiVirus	Riskware ( 0040eff71 )
BitDefender	Trojan.GenericKD.34299984
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.bf6c6e
Arcabit	Trojan.Generic.D20B6050
Cyren	W32/MSIL_Kryptik.BIQ.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	HEUR:Trojan.MSIL.Hesv.gen
Alibaba	Trojan:MSIL/Formbook.8f3ee406
NANO-Antivirus	Trojan.Win32.Hesv.hqsghj
AegisLab	Trojan.MSIL.Hesv.4!c
Tencent	Msil.Trojan.Hesv.Fig
Ad-Aware	Trojan.GenericKD.34299984
Emsisoft	Trojan.GenericKD.34299984 (B)
Comodo	Malware@#2ctzp2bl81exi
F-Secure	Trojan.TR/Kryptik.amrkf
DrWeb	Trojan.Inject3.48446
Zillya	Trojan.Kryptik.Win32.2352479
TrendMicro	TROJ_GEN.R002C0DH720
McAfee-GW-Edition	BehavesLike.Win32.Generic.gc
Sophos	Mal/Generic-S + Troj/MSIL-PRA
Ikarus	Trojan.Crypt
Avira	TR/Kryptik.amrkf
MAX	malware (ai score=89)
Antiy-AVL	Trojan/Win32.Generic
Gridinsoft	Trojan.Win32.Packed.oa
Microsoft	Trojan:MSIL/Formbook.VN!MTB
ZoneAlarm	HEUR:Trojan.MSIL.Hesv.gen
GData	Trojan.GenericKD.34299984
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Kryptik.R347004
McAfee	Fareit-FVT!04AA2B4E2A24
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.MalPack
Panda	Trj/CI.A
ESET-NOD32	a variant of MSIL/Kryptik.XGB
TrendMicro-HouseCall	TROJ_GEN.R002C0DH720
Yandex	Trojan.Kryptik!9+3SMWuxdFI
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-06 06:07:08

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.