10.4
0-day

b3eea3acbb129b3be2fe22a3c4b4cff9663939b9783f41a9931aecdfb318dd7c

04fd754dc6e9faa9a551f872ab9a8a89.exe

Analysis time: 94s

Last analysis

File size: 782.5KB
Detection tags (static and dynamic): AGENTTESLA AI SCORE=81 ALI1000139 ANDROM ATTRIBUTE CONFIDENCE ELDORADO FAREIT GDSDA GENERICKD HIGH CONFIDENCE HIGHCONFIDENCE HRMGLK KRYPTIK MALICIOUS PE MALWARE@#P5KA5ZSMO22X QBWNN R002C0WHB20 R347365 SCORE STARTER SUSGEN TROJANX WM0@AS5VWBN YAKBEEXMSIL ZEMSILF
鹰眼引擎 (Eagle Eye engine)
Not detected: no 鹰眼引擎 result is available for this sample
Static verdict
Antivirus engines (the date column is the scanner's reported engine date, not when this file was detected: the CrowdStrike and Alibaba dates predate the PE compile timestamp of 2020-08-10 shown further down; an empty result means the engine returned no detection)
Engine        Result                              Date      Version
CrowdStrike   win/malicious_confidence_90% (W)    20190702  1.0
Alibaba       Trojan:Win32/starter.ali1000139     20190527  0.3.0.5
Baidu         (no result)                         20190318  1.0.0.2
Avast         Win32:TrojanX-gen [Trj]             20201023  18.4.3895.0
Kingsoft      (no result)                         20201023  2013.8.14.323
McAfee        Fareit-FYE!04FD754DC6E9             20201023  6.0.6.653
Static indicators
Queries for the computername (2 events)
Time & API Arguments Status Return Repeated
1619141835.251
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619141855.84475
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (2 events; the "failed" status with return 0 simply means IsDebuggerPresent returned FALSE, so no debugger was seen, and on its own this call is weak evidence of anti-analysis)
Time & API Arguments Status Return Repeated
1619141779.656374
IsDebuggerPresent
failed 0 0
1619141841.09475
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1619141835.954
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\BdqAPPjEhz"。 (Chinese-locale schtasks output: SUCCESS: The scheduled task "Updates\BdqAPPjEhz" has successfully been created.)
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619141833.609374
GlobalMemoryStatusEx
success 1 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc. (none are listed in the dropped-buffers section at the end of this report, though; the WriteProcessMemory buffers below are the only payload bytes shown)
Allocates read-write-execute memory (usually to unpack itself) (50 of 77 events shown; this is a .NET executable, and in a managed process most of these 4 KB PAGE_EXECUTE_READWRITE commits are the CLR's JIT code heap rather than an unpacker, so the count alone means little. The NtProtectVirtualMemory calls that make the pages at 0x73f31000 and 0x73f32000, an address range typical of loaded DLLs, writable and executable are the entries worth examining, since that is what in-memory patching of a loaded module looks like)
Time & API Arguments Status Return Repeated
1619141778.813374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00650000
success 0 0
1619141778.813374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00710000
success 0 0
1619141779.547374
NtProtectVirtualMemory
process_identifier: 1176
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1619141779.672374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0060a000
success 0 0
1619141779.672374
NtProtectVirtualMemory
process_identifier: 1176
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1619141779.672374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00602000
success 0 0
1619141779.906374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00612000
success 0 0
1619141780.047374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00613000
success 0 0
1619141780.047374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0065b000
success 0 0
1619141780.047374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00657000
success 0 0
1619141780.359374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0061c000
success 0 0
1619141780.578374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00614000
success 0 0
1619141780.609374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00615000
success 0 0
1619141780.625374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f70000
success 0 0
1619141780.672374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00616000
success 0 0
1619141780.781374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0063a000
success 0 0
1619141780.781374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0062a000
success 0 0
1619141780.781374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00627000
success 0 0
1619141780.844374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f71000
success 0 0
1619141780.859374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00632000
success 0 0
1619141780.922374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00655000
success 0 0
1619141780.922374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0060b000
success 0 0
1619141781.063374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0063c000
success 0 0
1619141781.094374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00626000
success 0 0
1619141781.141374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00617000
success 0 0
1619141781.203374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f72000
success 0 0
1619141833.141374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f73000
success 0 0
1619141833.328374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00711000
success 0 0
1619141833.484374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f78000
success 0 0
1619141833.531374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00618000
success 0 0
1619141833.531374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00619000
success 0 0
1619141833.547374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x048a0000
success 0 0
1619141833.547374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f79000
success 0 0
1619141833.563374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f7a000
success 0 0
1619141833.594374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ca0000
success 0 0
1619141833.594374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ca1000
success 0 0
1619141833.625374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ca6000
success 0 0
1619141833.672374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0061a000
success 0 0
1619141833.688374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ca7000
success 0 0
1619141833.750374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x048a1000
success 0 0
1619141833.938374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x048c0000
success 0 0
1619141834.047374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ca8000
success 0 0
1619141834.063374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00603000
success 0 0
1619141837.984374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ca9000
success 0 0
1619141838.297374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x048c1000
success 0 0
1619141838.328374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0061b000
success 0 0
1619141840.094374
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04caa000
success 0 0
1619141840.81375
NtAllocateVirtualMemory
process_identifier: 2428
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00870000
success 0 0
1619141840.81375
NtAllocateVirtualMemory
process_identifier: 2428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009a0000
success 0 0
1619141841.03175
NtProtectVirtualMemory
process_identifier: 2428
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
Creates a suspicious process (2 events)
cmdline schtasks.exe /Create /TN "Updates\BdqAPPjEhz" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2EA7.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BdqAPPjEhz" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2EA7.tmp"
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619141834.891374
ShellExecuteExW
parameters: /Create /TN "Updates\BdqAPPjEhz" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2EA7.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.725 in section .text (size_of_data 0x9a600, virtual_address 0x2000, virtual_size 0x9a414): a section with a high entropy has been found
high-entropy share 0.7896: overall entropy of this PE file is high. This second figure is a ratio, not a Shannon entropy: it is the fraction of section bytes that sit in high-entropy sections (the 0x9a600 bytes of .text against roughly 782.5 KB of file comes to about 0.79), so it says that nearly the whole file is the high-entropy .text section
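Both entropy figures above can be reproduced from the section table alone. The Python below is an added example written for this page, not the sandbox's code: it walks the PE section headers with struct, computes Shannon entropy per section, reports the share of section bytes living in high-entropy sections (the two quantities the report shows), and decodes the COFF timestamp that appears as "PE Compile Time" further down. The thresholds (6.8 bits per section, a 20% share) are quoted from memory of Cuckoo's packer_entropy signature and are an assumption; the PE it builds is a constructed skeleton with a pseudo-random .text and an all-zero .rsrc, not the analysed file.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

# Thresholds as used by Cuckoo's packer_entropy signature (from memory; treat as an assumption).
SECTION_ENTROPY_LIMIT = 6.8   # bits per byte; a section above this is marked "high entropy"
HIGH_SHARE_LIMIT = 0.2        # share of section bytes in high-entropy sections that triggers the overall mark


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _coff_offset(pe: bytes) -> int:
    """Offset of the COFF file header (just past the 'PE\\0\\0' signature)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4


def pe_compile_time(pe: bytes) -> datetime:
    """COFF TimeDateStamp as UTC (for .NET builds this may be a deterministic-build hash, not a real time)."""
    ts = struct.unpack_from("<I", pe, _coff_offset(pe) + 4)[0]
    return datetime.fromtimestamp(ts, timezone.utc)


def pe_sections(pe: bytes):
    """Yield (name, virtual_address, virtual_size, raw_offset, raw_size) for each section header."""
    coff = _coff_offset(pe)
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        yield name, va, vsize, rptr, rsize


def packer_entropy(pe: bytes) -> dict:
    """Per-section entropies plus the share of section bytes that sit in high-entropy sections."""
    sections, total, high = [], 0, 0
    for name, va, vsize, rptr, rsize in pe_sections(pe):
        ent = shannon_entropy(pe[rptr:rptr + rsize])
        total += rsize
        if ent > SECTION_ENTROPY_LIMIT:
            high += rsize
        sections.append({"name": name, "virtual_address": va, "virtual_size": vsize,
                         "size_of_data": rsize, "entropy": round(ent, 4), "high": ent > SECTION_ENTROPY_LIMIT})
    share = high / total if total else 0.0
    return {"sections": sections, "high_entropy_share": round(share, 4), "packed": share > HIGH_SHARE_LIMIT}


def build_sample_pe() -> bytes:
    """Constructed stand-in for the sample: a PE32 skeleton with a pseudo-random .text and an all-zero .rsrc.
    It is not the file analysed above; only the header layout is realistic."""
    text = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))  # 4096 high-entropy bytes
    rsrc = b"\0" * 1024                                                                  # 1024 zero bytes
    e_lfanew, opt_size, file_align = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1597083141, 0, 0, opt_size, 0x0102)  # i386, 2 sections, 2020-08-10 18:12:21 UTC
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)                          # PE32 magic, remainder zeroed
    text_off = (e_lfanew + 4 + 20 + opt_size + 2 * 40 + file_align - 1) // file_align * file_align

    def section(name: bytes, va: int, data: bytes, raw_off: int, flags: int) -> bytes:
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), va, len(data), raw_off, 0, 0, 0, 0, flags)

    headers = (dos + b"PE\0\0" + coff + opt
               + section(b".text", 0x2000, text, text_off, 0x60000020)
               + section(b".rsrc", 0x4000, rsrc, text_off + len(text), 0x40000040))
    return headers.ljust(text_off, b"\0") + text + rsrc


if __name__ == "__main__":
    sample = build_sample_pe()
    print(pe_compile_time(sample).isoformat(), packer_entropy(sample))
```

To run it on a real file, pass open(path, "rb").read() to packer_entropy(). Compiled code usually lands around 6 bits per byte, so a .text section at 7.7 is well above that and is why the report marks it; an encrypted resource section in an otherwise normal binary produces the same per-section mark, so read the share figure alongside it to see how much of the file is affected.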
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)
Time & API Arguments Status Return Repeated
1619141838.281374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619141853.25075
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (8 events)
Time & API Arguments Status Return Repeated
1619141838.594374
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2188
process_handle: 0x00000384
failed 0 0
1619141838.594374
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2188
process_handle: 0x00000384
success 0 0
1619141839.250374
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2256
process_handle: 0x0000038c
failed 0 0
1619141839.250374
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2256
process_handle: 0x0000038c
success 0 0
1619141839.813374
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1244
process_handle: 0x00000394
failed 0 0
1619141839.813374
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1244
process_handle: 0x00000394
success 0 0
1619141853.87575
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1176
process_handle: 0x0000021c
failed 0 0
1619141853.87575
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1176
process_handle: 0x0000021c
failed 3221225738 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline schtasks.exe /Create /TN "Updates\BdqAPPjEhz" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2EA7.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BdqAPPjEhz" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2EA7.tmp"
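The schtasks command line above, together with the console output recorded under the static indicators (schtasks reporting that the task was created), is the sample's persistence mechanism. What follows is a triage rule written for this page as an added example, not the sandbox's own signature: it pulls the task name, XML path and run target out of a schtasks command line and flags the three properties that make this one suspicious: the task definition is imported from an XML file under the user's Temp directory, that file carries the tmpXXXX.tmp name that the Windows GetTempFileName API produces, and the task lives in a non-Microsoft folder named to pass as a vendor updater. The two report command lines are used as input; the benign defrag-style task is constructed for contrast.

```python
import re
from pathlib import PureWindowsPath

# Added example: triage a schtasks.exe command line the way a process-creation detection rule would.
TEMP_DIRS = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
TMP_NAME = re.compile(r"tmp[0-9a-f]{4}\.tmp", re.IGNORECASE)   # GetTempFileName() naming (also .NET Path.GetTempFileName())


def _switch_value(cmdline: str, switch: str):
    """Value following a schtasks switch, quoted or bare; None if the switch is absent."""
    m = re.search(rf'(?i)(?<!\S){re.escape(switch)}\s+(?:"([^"]*)"|(\S+))', cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def triage_schtasks(cmdline: str):
    """Return task name, XML path, run target and suspicion flags for a 'schtasks /Create'; None otherwise."""
    exe = cmdline.split()[0].strip('"').lower()
    if not (exe == "schtasks" or exe.endswith("schtasks.exe")):
        return None
    if not re.search(r"(?i)(?<!\S)/create(?!\S)", cmdline):
        return None
    task = _switch_value(cmdline, "/TN")
    xml = _switch_value(cmdline, "/XML")
    run = _switch_value(cmdline, "/TR")
    flags = []
    if xml:
        if TEMP_DIRS.search(xml):
            flags.append("task_xml_in_temp")            # definition imported from a temp directory
        if TMP_NAME.fullmatch(PureWindowsPath(xml).name):
            flags.append("xml_is_tmpNNNN_file")         # written via GetTempFileName(), i.e. by a program, not an admin
    if task and "\\" in task and not task.lstrip("\\").lower().startswith("microsoft\\"):
        flags.append("task_in_non_microsoft_folder")    # e.g. "Updates\..." imitating a vendor updater
    return {"task": task, "xml": xml, "run": run, "flags": flags, "score": len(flags)}


# Inputs: the two command lines from the report, plus a constructed benign task for contrast.
REPORT_CMDLINES = [
    r'schtasks.exe /Create /TN "Updates\BdqAPPjEhz" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2EA7.tmp"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BdqAPPjEhz" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2EA7.tmp"',
]
BENIGN_CMDLINE = r'schtasks.exe /Create /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /SC WEEKLY /TR "%windir%\system32\defrag.exe -c"'

if __name__ == "__main__":
    for line in REPORT_CMDLINES + [BENIGN_CMDLINE]:
        print(triage_schtasks(line))
```

On a live host the registered definition can still be pulled with schtasks /Query /TN "Updates\BdqAPPjEhz" /XML (or Get-ScheduledTask -TaskPath "\Updates\" in PowerShell) to see what the XML pointed at; the temp file is often deleted right after registration, so the command line in process-creation telemetry is the durable artefact.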
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14 (neither the TCP nor the UDP table at the end of this report records a packet to this address, so treat it as an attempted contact at most)
Allocates execute permission to another process indicative of possible code injection (4 events)
Time & API Arguments Status Return Repeated
1619141838.219374
NtAllocateVirtualMemory
process_identifier: 2188
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000037c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619141838.703374
NtAllocateVirtualMemory
process_identifier: 2256
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000380
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619141839.328374
NtAllocateVirtualMemory
process_identifier: 1244
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000388
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619141840.047374
NtAllocateVirtualMemory
process_identifier: 2428
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000390
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Manipulates memory of a non-child process indicative of process injection (6 events; the signature name is the sandbox's generic wording: 2188, 2256 and 1244 were in fact spawned suspended by 1176 itself, as the CreateProcessInternalW events further down show, so this is parent-to-child hollowing rather than injection into an unrelated process)
Process injection Process 1176 manipulating memory of non-child process 2188
Process injection Process 1176 manipulating memory of non-child process 2256
Process injection Process 1176 manipulating memory of non-child process 1244
Time & API Arguments Status Return Repeated
1619141838.219374
NtAllocateVirtualMemory
process_identifier: 2188
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000037c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619141838.703374
NtAllocateVirtualMemory
process_identifier: 2256
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000380
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619141839.328374
NtAllocateVirtualMemory
process_identifier: 1244
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000388
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Potential code injection by writing to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1619141840.047374
WriteProcessMemory
process_identifier: 2428
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL.ß0_à "NA `@  @…AK`ø€  H.textT! " `.rsrcø`$@@.reloc €(@B
process_handle: 0x00000390
base_address: 0x00400000
success 1 0
1619141840.078374
WriteProcessMemory
process_identifier: 2428
buffer: €0€HX`œœ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°üStringFileInfoØ000004b0,FileDescription 0FileVersion0.0.0.0d"InternalNameUymXQJkCWHOUNSLRtUFByNReSTSrm.exe(LegalCopyright l"OriginalFilenameUymXQJkCWHOUNSLRtUFByNReSTSrm.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x00000390
base_address: 0x00456000
success 1 0
1619141840.094374
WriteProcessMemory
process_identifier: 2428
buffer: @ P1
process_handle: 0x00000390
base_address: 0x00458000
success 1 0
1619141840.094374
WriteProcessMemory
process_identifier: 2428
buffer: @
process_handle: 0x00000390
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619141840.047374
WriteProcessMemory
process_identifier: 2428
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL.ß0_à "NA `@  @…AK`ø€  H.textT! " `.rsrcø`$@@.reloc €(@B
process_handle: 0x00000390
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 1176 called NtSetContextThread to modify thread in remote process 2428
Time & API Arguments Status Return Repeated
1619141840.094374
NtSetContextThread
thread_handle: 0x00000394
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4538702
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2428
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 1176 resumed a thread in remote process 2428
Time & API Arguments Status Return Repeated
1619141840.578374
NtResumeThread
thread_handle: 0x00000394
suspend_count: 1
process_identifier: 2428
success 0 0
Executed a process and injected code into it, probably while unpacking (26 events)
Time & API Arguments Status Return Repeated
1619141779.656374
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 1176
success 0 0
1619141779.719374
NtResumeThread
thread_handle: 0x00000160
suspend_count: 1
process_identifier: 1176
success 0 0
1619141833.984374
NtResumeThread
thread_handle: 0x00000254
suspend_count: 1
process_identifier: 1176
success 0 0
1619141834.891374
CreateProcessInternalW
thread_identifier: 2064
thread_handle: 0x00000334
process_identifier: 2796
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BdqAPPjEhz" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2EA7.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x0000036c
inherit_handles: 0
success 1 0
1619141838.219374
CreateProcessInternalW
thread_identifier: 1868
thread_handle: 0x00000328
process_identifier: 2188
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04fd754dc6e9faa9a551f872ab9a8a89.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04fd754dc6e9faa9a551f872ab9a8a89.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x0000037c
inherit_handles: 0
success 1 0
1619141838.219374
NtGetContextThread
thread_handle: 0x00000328
success 0 0
1619141838.219374
NtAllocateVirtualMemory
process_identifier: 2188
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000037c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619141838.703374
CreateProcessInternalW
thread_identifier: 2740
thread_handle: 0x00000384
process_identifier: 2256
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04fd754dc6e9faa9a551f872ab9a8a89.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04fd754dc6e9faa9a551f872ab9a8a89.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x00000380
inherit_handles: 0
success 1 0
1619141838.703374
NtGetContextThread
thread_handle: 0x00000384
success 0 0
1619141838.703374
NtAllocateVirtualMemory
process_identifier: 2256
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000380
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619141839.328374
CreateProcessInternalW
thread_identifier: 2184
thread_handle: 0x0000038c
process_identifier: 1244
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04fd754dc6e9faa9a551f872ab9a8a89.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04fd754dc6e9faa9a551f872ab9a8a89.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x00000388
inherit_handles: 0
success 1 0
1619141839.328374
NtGetContextThread
thread_handle: 0x0000038c
success 0 0
1619141839.328374
NtAllocateVirtualMemory
process_identifier: 1244
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000388
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619141840.047374
CreateProcessInternalW
thread_identifier: 284
thread_handle: 0x00000394
process_identifier: 2428
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04fd754dc6e9faa9a551f872ab9a8a89.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04fd754dc6e9faa9a551f872ab9a8a89.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x00000390
inherit_handles: 0
success 1 0
1619141840.047374
NtGetContextThread
thread_handle: 0x00000394
success 0 0
1619141840.047374
NtAllocateVirtualMemory
process_identifier: 2428
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000390
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619141840.047374
WriteProcessMemory
process_identifier: 2428
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL.ß0_à "NA `@  @…AK`ø€  H.textT! " `.rsrcø`$@@.reloc €(@B
process_handle: 0x00000390
base_address: 0x00400000
success 1 0
1619141840.063374
WriteProcessMemory
process_identifier: 2428
buffer:
process_handle: 0x00000390
base_address: 0x00402000
success 1 0
1619141840.078374
WriteProcessMemory
process_identifier: 2428
buffer: €0€HX`œœ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°üStringFileInfoØ000004b0,FileDescription 0FileVersion0.0.0.0d"InternalNameUymXQJkCWHOUNSLRtUFByNReSTSrm.exe(LegalCopyright l"OriginalFilenameUymXQJkCWHOUNSLRtUFByNReSTSrm.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x00000390
base_address: 0x00456000
success 1 0
1619141840.094374
WriteProcessMemory
process_identifier: 2428
buffer: @ P1
process_handle: 0x00000390
base_address: 0x00458000
success 1 0
1619141840.094374
WriteProcessMemory
process_identifier: 2428
buffer: @
process_handle: 0x00000390
base_address: 0x7efde008
success 1 0
1619141840.094374
NtSetContextThread
thread_handle: 0x00000394
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4538702
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2428
success 0 0
1619141840.578374
NtResumeThread
thread_handle: 0x00000394
suspend_count: 1
process_identifier: 2428
success 0 0
1619141840.578374
NtResumeThread
thread_handle: 0x000003a8
suspend_count: 1
process_identifier: 1176
success 0 0
1619141841.09475
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2428
success 0 0
1619141841.15675
NtResumeThread
thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 2428
success 0 0
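The sequence logged above is a textbook 32-bit process hollowing (RunPE) run by 1176 against suspended copies of itself. Read in order: CreateProcessInternalW with creation_flags 134217732 = 0x08000004 (CREATE_NO_WINDOW | CREATE_SUSPENDED); NtGetContextThread on the new main thread; NtAllocateVirtualMemory of 368640 bytes of PAGE_EXECUTE_READWRITE at the preferred base 0x00400000 inside the child. For 2188, 2256 and 1244 that allocation fails with 3221225496 = 0xC0000018, STATUS_CONFLICTING_ADDRESSES, which is what happens when something (normally the target's own image) already occupies 0x400000; the loader kills each of those children and simply retries with a fresh one until the allocation succeeds, which it does on the fourth try (2428). It then writes the payload PE (the MZ/PE header at 0x400000, the VS_VERSION_INFO resource of a file calling itself UymXQJkCWHOUNSLRtUFByNReSTSrm.exe at 0x456000) and four bytes at 0x7efde008. NtSetContextThread explains that last address: registers.ebx = 2130567168 = 0x7EFDE000 is the child's PEB (for the fresh main thread of a suspended x86 process, EBX holds the PEB and EAX the start address), so 0x7EFDE008 is PEB.ImageBaseAddress, and the buffer rendered as "@" is consistent with the bytes 00 00 40 00, the new image base 0x00400000. registers.eax = 4538702 = 0x0045414E is the payload's entry point and lies inside the written image (0x400000 to 0x45A000). NtResumeThread then starts it; the two NtTerminateProcess calls against 1176 in the "Terminates another process" section are the hollowed child killing its parent, the second one failing with 3221225738 = 0xC000010A, STATUS_PROCESS_IS_TERMINATING, because the parent was already exiting.

The Python below is an added example, not the sandbox's signature code: it replays these events, rebuilt as constructed input from the values in the report, and reconstructs for each suspended child how far the chain got, decoding the NTSTATUS values along the way.

```python
# Added example: reconstruct process-hollowing chains from sandbox API events.
# Event values are taken from the report above and rebuilt here as constructed input.
PAGE_EXECUTE_READWRITE = 0x40
CREATE_SUSPENDED = 0x4
CURRENT_PROCESS = 0xFFFFFFFF          # pseudo-handle: the caller's own address space
NTSTATUS_NAMES = {
    0xC0000018: "STATUS_CONFLICTING_ADDRESSES",   # 3221225496 in the report
    0xC000010A: "STATUS_PROCESS_IS_TERMINATING",  # 3221225738 in the report
}


def ntstatus(code: int) -> str:
    code &= 0xFFFFFFFF
    return NTSTATUS_NAMES.get(code, f"NTSTATUS 0x{code:08X}")


def ev(api, ret=0, **args):
    return {"api": api, "ret": ret, "args": args}


SAMPLE = r"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\04fd754dc6e9faa9a551f872ab9a8a89.exe"
SUSPENDED_NO_WINDOW = 0x08000004      # CREATE_NO_WINDOW | CREATE_SUSPENDED (134217732 in the report)

EVENTS = []
# Three attempts that die on the remote allocation: (pid, thread handle, process handle).
for pid, th, ph in [(2188, 0x328, 0x37C), (2256, 0x384, 0x380), (1244, 0x38C, 0x388)]:
    EVENTS += [
        ev("CreateProcessInternalW", process_identifier=pid, thread_handle=th, process_handle=ph,
           creation_flags=SUSPENDED_NO_WINDOW, filepath=SAMPLE),
        ev("NtGetContextThread", thread_handle=th),
        ev("NtAllocateVirtualMemory", ret=3221225496, process_identifier=pid, process_handle=ph,
           base_address=0x400000, region_size=368640, protection=PAGE_EXECUTE_READWRITE),
        ev("NtTerminateProcess", process_identifier=pid),
    ]
# The fourth attempt goes all the way.
EVENTS += [
    ev("CreateProcessInternalW", process_identifier=2428, thread_handle=0x394, process_handle=0x390,
       creation_flags=SUSPENDED_NO_WINDOW, filepath=SAMPLE),
    ev("NtGetContextThread", thread_handle=0x394),
    ev("NtAllocateVirtualMemory", process_identifier=2428, process_handle=0x390,
       base_address=0x400000, region_size=368640, protection=PAGE_EXECUTE_READWRITE),
    ev("WriteProcessMemory", process_identifier=2428, base_address=0x400000, buffer=b"MZ\x90\x00"),
    ev("WriteProcessMemory", process_identifier=2428, base_address=0x456000, buffer=b"VS_VERSION_INFO"),
    ev("WriteProcessMemory", process_identifier=2428, base_address=0x7EFDE008,
       buffer=(0x400000).to_bytes(4, "little")),         # shown as "@" (0x40) in the report
    ev("NtSetContextThread", process_identifier=2428, thread_handle=0x394, eax=4538702, ebx=2130567168),
    ev("NtResumeThread", process_identifier=2428, thread_handle=0x394),
]


def verdict(stages) -> str:
    s = set(stages)
    if {"created_suspended", "pe_image_written", "thread_context_set", "thread_resumed"} <= s:
        return "process hollowing: complete chain"
    if "remote_alloc_failed" in s and "terminated" in s:
        return "process hollowing: aborted attempt (target discarded)"
    return "suspended process, no injection observed"


def hollowing_chains(events) -> dict:
    """Map every process created suspended to the hollowing stages observed against it."""
    targets, by_thread = {}, {}
    for e in events:
        api, a, ret = e["api"], e["args"], e["ret"]
        if api == "CreateProcessInternalW":
            if a["creation_flags"] & CREATE_SUSPENDED:
                t = {"image": a["filepath"], "stages": ["created_suspended"], "notes": [], "writes": []}
                targets[a["process_identifier"]] = t
                by_thread[a["thread_handle"]] = t
            continue
        t = targets.get(a.get("process_identifier")) or by_thread.get(a.get("thread_handle"))
        if t is None:
            continue                                      # not aimed at a suspended child
        if api == "NtGetContextThread":
            t["stages"].append("thread_context_read")
        elif (api == "NtAllocateVirtualMemory" and a["process_handle"] != CURRENT_PROCESS
              and a["protection"] == PAGE_EXECUTE_READWRITE):
            if ret == 0:
                t["stages"].append("remote_rwx_allocated")
                t["alloc"] = (a["base_address"], a["region_size"])
            else:
                t["stages"].append("remote_alloc_failed")
                t["notes"].append(f"alloc at 0x{a['base_address']:08x} failed: {ntstatus(ret)}")
        elif api == "WriteProcessMemory":
            t["writes"].append(a["base_address"])
            if a["buffer"].startswith(b"MZ"):
                t["stages"].append("pe_image_written")
        elif api == "NtSetContextThread":
            t["stages"].append("thread_context_set")
            t["entry_point"], t["peb"] = a["eax"], a["ebx"]   # x86 initial thread: EAX = start address, EBX = PEB
            if t["peb"] + 8 in t["writes"]:                    # PEB+0x08 is ImageBaseAddress on 32-bit Windows
                t["stages"].append("peb_imagebase_patched")
            base, size = t.get("alloc", (0, 0))
            if base <= t["entry_point"] < base + size:
                t["stages"].append("entry_inside_injected_image")
        elif api == "NtResumeThread":
            t["stages"].append("thread_resumed")
        elif api == "NtTerminateProcess":
            t["stages"].append("terminated")
    for t in targets.values():
        t["verdict"] = verdict(t["stages"])
    return targets


if __name__ == "__main__":
    for pid, t in hollowing_chains(EVENTS).items():
        print(pid, t["verdict"], t["stages"], t["notes"])
```

The same state machine can be fed from a real Cuckoo/CAPE report by mapping each entry of the per-process call list (api name, return value, argument dictionary; field names vary by version, so check them) onto the ev() shape. The two checks that separate hollowing from a benign suspended start are a PE header written into the child and the thread context reset to an address inside that write; the PEB.ImageBaseAddress patch is confirmation, not a requirement, since many loaders skip it.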
File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34333265
FireEye Generic.mg.04fd754dc6e9faa9
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
ALYac Trojan.GenericKD.34333265
CrowdStrike win/malicious_confidence_90% (W)
Alibaba Trojan:Win32/starter.ali1000139
K7GW Trojan ( 0056c3841 )
K7AntiVirus Trojan ( 0056c3841 )
Arcabit Trojan.Generic.D20BE251
TrendMicro TROJ_GEN.R002C0WHB20
Cyren W32/MSIL_Kryptik.BJN.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Avast Win32:TrojanX-gen [Trj]
Kaspersky HEUR:Backdoor.MSIL.Androm.gen
BitDefender Trojan.GenericKD.34333265
NANO-Antivirus Trojan.Win32.Androm.hrmglk
Paloalto generic.ml
Ad-Aware Trojan.GenericKD.34333265
Emsisoft Trojan.GenericKD.34333265 (B)
Comodo Malware@#p5ka5zsmo22x
F-Secure Trojan.TR/Kryptik.qbwnn
VIPRE Trojan.Win32.Generic!BT
Invincea Mal/Generic-S
McAfee-GW-Edition Fareit-FYE!04FD754DC6E9
MaxSecure Trojan.Malware.73691364.susgen
Sophos Mal/Generic-S
Ikarus Trojan.MSIL.Crypt
Avira TR/Kryptik.qbwnn
Antiy-AVL Trojan/MSIL.Kryptik
Microsoft Trojan:MSIL/AgentTesla.VN!MTB
ZoneAlarm HEUR:Backdoor.MSIL.Androm.gen
GData Trojan.GenericKD.34333265
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.MSIL.R347365
McAfee Fareit-FYE!04FD754DC6E9
MAX malware (ai score=81)
Malwarebytes Trojan.MalPack.PNG.Generic
ESET-NOD32 a variant of MSIL/Kryptik.XHL
TrendMicro-HouseCall TROJ_GEN.R002C0WHB20
SentinelOne DFI - Malicious PE
Fortinet MSIL/Kryptik.XHL!tr
BitDefenderTheta Gen:NN.ZemsilF.34570.Wm0@aS5Vwbn
AVG Win32:TrojanX-gen [Trj]
Cybereason malicious.afd447
Panda Trj/GdSda.A
Visual analysis
Binary image
None: no binary visualisation image was generated for this sample
Runtime screenshots
None: no screenshots were captured while the sample ran


PE Compile Time

2020-08-10 18:12:21

Imports

Library mscoree.dll:
0x402000 _CorExeMain (the only import, the CLR entry stub: this is a .NET/MSIL executable, consistent with the MSIL-tagged vendor labels above)

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source port  Destination      Destination port
192.168.56.101  50534        114.114.114.114  53
192.168.56.101  51963        114.114.114.114  53
192.168.56.101  56539        114.114.114.114  53
192.168.56.101  65004        114.114.114.114  53
192.168.56.101  137          192.168.56.255   137
192.168.56.101  138          192.168.56.255   138
192.168.56.101  49235        224.0.0.252      5355
192.168.56.101  56804        224.0.0.252      5355
192.168.56.101  60123        224.0.0.252      5355
192.168.56.101  62191        224.0.0.252      5355
192.168.56.101  1900         239.255.255.250  1900
192.168.56.101  50535        239.255.255.250  3702
192.168.56.101  50537        239.255.255.250  3702
192.168.56.101  56540        239.255.255.250  3702
192.168.56.101  56807        239.255.255.250  1900
192.168.56.101  58707        239.255.255.250  3702

Only the four DNS queries to the resolver 114.114.114.114 could be the sample's, and the report resolves none of them to a contacted host; the rest is the sandbox VM's own name-resolution and discovery chatter: NetBIOS (137/138), LLMNR (5355), SSDP (1900) and WS-Discovery (3702).

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped files: none.
Dropped buffers: none.