12.4
0-day

1a7467227432cdaa29acb2a56b84d514cfb9ea33055a3070ecb861eb51101e69

0786f625f3196609ae56906c590fa353.exe

Analysis duration: 73s

Latest analysis:

File size: 325.0KB
Static detection  Dynamic detection  100%  AGENSLA AGENTTESLA AI SCORE=85 BTDF5J CONFIDENCE ELBN ELDORADO GDSDA GENERICKD GENERICRXKI GENKRYPTIK HIGH CONFIDENCE IGENT INJECTNET KRYPTIK MALICIOUS PE MALWARE@#3PQX2S839JTL9 PWSX R002C0DLB20 REMCOS S + TROJ SCORE SONBOKLI STATIC AI SUSGEN SVTPZ TROJANPSW TROJANPWS TSCOPE UNSAFE
Eagle Eye engine
Not detected: no Eagle Eye engine results available
Static verdict
Antivirus engines
Engine       Result                               Scan date  Engine version
McAfee       GenericRXKI-TW!0786F625F319          20201228   6.0.6.653
Avast        Win32:PWSX-gen [Trj]                 20201228   21.1.5827.0
Alibaba      TrojanPSW:MSIL/AgentTesla.1b7804b6   20190527   0.3.0.5
Tencent      -                                    20201228   1.0.0.1
Baidu        -                                    20190318   1.0.0.2
Kingsoft     -                                    20201228   2017.9.26.565
CrowdStrike  win/malicious_confidence_100% (W)    20190702   1.0
Static indicators
Queries for the computer name (7 events)
Time & API Arguments Status Return Repeated
1619164888.112875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619164888.143875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619164888.159875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619164888.174875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619164891.768875
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619164891.768875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619164904.034375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if the process is being debugged by a debugger (3 events)
Time & API Arguments Status Return Repeated
1619134517.271279
IsDebuggerPresent
failed 0 0
1619134517.271279
IsDebuggerPresent
failed 0 0
1619164888.612875
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1619164904.612375
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\xOAVylIcjaiz"。
console_handle: 0x00000007
success 1 0
Uses Windows APIs to generate a cryptographic key (50 out of 64 events)
Time & API Arguments Status Return Repeated
1619164889.721875
CryptExportKey
crypto_handle: 0x004ee068
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164890.518875
CryptExportKey
crypto_handle: 0x004edf28
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164890.518875
CryptExportKey
crypto_handle: 0x004edf28
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164890.518875
CryptExportKey
crypto_handle: 0x004edf28
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164890.581875
CryptExportKey
crypto_handle: 0x004edf28
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164890.581875
CryptExportKey
crypto_handle: 0x004edf28
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164890.581875
CryptExportKey
crypto_handle: 0x004edf28
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164890.596875
CryptExportKey
crypto_handle: 0x004edf28
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164890.628875
CryptExportKey
crypto_handle: 0x004ed468
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164890.628875
CryptExportKey
crypto_handle: 0x004ed468
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164890.659875
CryptExportKey
crypto_handle: 0x004ed468
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164890.659875
CryptExportKey
crypto_handle: 0x004ed468
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164890.659875
CryptExportKey
crypto_handle: 0x004ed468
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164890.659875
CryptExportKey
crypto_handle: 0x004ed468
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164890.940875
CryptExportKey
crypto_handle: 0x004ed9a8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164890.940875
CryptExportKey
crypto_handle: 0x004ed9a8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164890.940875
CryptExportKey
crypto_handle: 0x004ed9a8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164890.956875
CryptExportKey
crypto_handle: 0x004ed9a8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164890.956875
CryptExportKey
crypto_handle: 0x004ed9a8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164890.956875
CryptExportKey
crypto_handle: 0x004ed9a8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164890.971875
CryptExportKey
crypto_handle: 0x004ed9a8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.456875
CryptExportKey
crypto_handle: 0x004edd68
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.471875
CryptExportKey
crypto_handle: 0x004edd68
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.471875
CryptExportKey
crypto_handle: 0x004edd68
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.471875
CryptExportKey
crypto_handle: 0x004ed8a8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.471875
CryptExportKey
crypto_handle: 0x004edd68
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.471875
CryptExportKey
crypto_handle: 0x004edd68
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.471875
CryptExportKey
crypto_handle: 0x004edd68
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.471875
CryptExportKey
crypto_handle: 0x004edd68
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.471875
CryptExportKey
crypto_handle: 0x004edd68
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.471875
CryptExportKey
crypto_handle: 0x004edd68
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.471875
CryptExportKey
crypto_handle: 0x004edd68
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.534875
CryptExportKey
crypto_handle: 0x004edd68
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.534875
CryptExportKey
crypto_handle: 0x004edd68
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.628875
CryptExportKey
crypto_handle: 0x004edca8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.628875
CryptExportKey
crypto_handle: 0x004edca8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.628875
CryptExportKey
crypto_handle: 0x004edca8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.628875
CryptExportKey
crypto_handle: 0x004edca8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.628875
CryptExportKey
crypto_handle: 0x004edca8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.628875
CryptExportKey
crypto_handle: 0x004edca8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.643875
CryptExportKey
crypto_handle: 0x004edca8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.706875
CryptExportKey
crypto_handle: 0x004ed328
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.706875
CryptExportKey
crypto_handle: 0x004ed328
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.846875
CryptExportKey
crypto_handle: 0x004ed328
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.846875
CryptExportKey
crypto_handle: 0x004ed328
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.862875
CryptExportKey
crypto_handle: 0x004ed328
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.862875
CryptExportKey
crypto_handle: 0x004ed328
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.862875
CryptExportKey
crypto_handle: 0x004ed328
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.862875
CryptExportKey
crypto_handle: 0x004ed328
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619164891.862875
CryptExportKey
crypto_handle: 0x004ed328
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
Checks the amount of memory in the system; this can be used to detect virtual machines with a small amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619134517.318279
GlobalMemoryStatusEx
success 1 0
Behavior verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Connects to a Dynamic DNS domain (9 events)
domain mypepsi22.duckdns.org
domain kenya8.duckdns.org
domain ikorodu2.duckdns.org
domain mypepsi25.duckdns.org
domain mypepsi36.duckdns.org
domain mypepsi34.duckdns.org
domain mypepsi32.duckdns.org
domain ikorodu1.duckdns.org
domain kenya7.duckdns.org
Allocates read-write-execute memory (usually to unpack itself) (50 out of 217 events)
Time & API Arguments Status Return Repeated
1619134516.630279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00330000
success 0 0
1619134516.630279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00360000
success 0 0
1619134517.068279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 1835008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00c60000
success 0 0
1619134517.068279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00de0000
success 0 0
1619134517.177279
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619134517.271279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 1769472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00e20000
success 0 0
1619134517.271279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f90000
success 0 0
1619134517.271279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0041a000
success 0 0
1619134517.286279
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619134517.286279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00412000
success 0 0
1619134517.489279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00422000
success 0 0
1619134517.599279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00445000
success 0 0
1619134517.599279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0044b000
success 0 0
1619134517.599279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00447000
success 0 0
1619134517.677279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00423000
success 0 0
1619134517.724279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0042c000
success 0 0
1619134518.036279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00424000
success 0 0
1619134518.052279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00426000
success 0 0
1619134518.146279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005f0000
success 0 0
1619134518.271279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00427000
success 0 0
1619134518.318279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0043a000
success 0 0
1619134518.318279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00437000
success 0 0
1619134518.443279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00428000
success 0 0
1619134518.458279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f91000
success 0 0
1619134518.474279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f92000
success 0 0
1619134518.489279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00436000
success 0 0
1619134518.505279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005f1000
success 0 0
1619134518.505279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f93000
success 0 0
1619134518.505279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f94000
success 0 0
1619134518.536279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f95000
success 0 0
1619134518.536279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f99000
success 0 0
1619134518.536279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005f2000
success 0 0
1619134518.786279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00429000
success 0 0
1619134518.786279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00610000
success 0 0
1619134518.786279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00611000
success 0 0
1619134518.786279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00612000
success 0 0
1619134518.786279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00613000
success 0 0
1619134518.786279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00614000
success 0 0
1619134518.786279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00615000
success 0 0
1619134518.786279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00616000
success 0 0
1619134518.786279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00617000
success 0 0
1619134518.786279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00618000
success 0 0
1619134518.786279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00619000
success 0 0
1619134518.786279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0061a000
success 0 0
1619134518.802279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0061b000
success 0 0
1619134518.833279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005f3000
success 0 0
1619134519.052279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0042a000
success 0 0
1619134519.255279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00de1000
success 0 0
1619134519.318279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0061c000
success 0 0
1619134519.427279
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0061d000
success 0 0
A process attempted to delay the analysis task (1 event)
description 0786f625f3196609ae56906c590fa353.exe tried to sleep 258 seconds, actually delayed analysis time by 258 seconds
Creates a shortcut to an executable file (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Creates a suspicious process (3 events)
cmdline schtasks.exe /Create /TN "Updates\xOAVylIcjaiz" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpA4D6.tmp"
cmdline "powershell" Get-MpPreference -verbose
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xOAVylIcjaiz" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpA4D6.tmp"
A process created a hidden window (2 events)
Time & API Arguments Status Return Repeated
1619134520.208279
CreateProcessInternalW
thread_identifier: 1060
thread_handle: 0x00000278
process_identifier: 944
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "powershell" Get-MpPreference -verbose
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000284
inherit_handles: 1
success 1 0
1619134538.255279
ShellExecuteExW
parameters: /Create /TN "Updates\xOAVylIcjaiz" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpA4D6.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.4153778529381045 section {'size_of_data': '0x00050800', 'virtual_address': '0x00002000', 'entropy': 7.4153778529381045, 'name': '.text', 'virtual_size': '0x00050638'} description A section with a high entropy has been found
entropy 0.9922958397534669 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619164889.581875
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline schtasks.exe /Create /TN "Updates\xOAVylIcjaiz" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpA4D6.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xOAVylIcjaiz" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpA4D6.tmp"
Network communication
One or more of the buffers contains an embedded PE file (1 event)
buffer Buffer with sha1: fa41c45575fc8fbce165a7335ae93c858023b2e9
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission in another process, indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619134540.208279
NtAllocateVirtualMemory
process_identifier: 1272
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000037c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Potential code injection by writing to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619134540.208279
WriteProcessMemory
process_identifier: 1272
buffer: @
process_handle: 0x0000037c
base_address: 0x7efde008
success 1 0
Creates a Windows hook that monitors keyboard input (keylogger) (1 event)
Time & API Arguments Status Return Repeated
1619164906.22125
SetWindowsHookExA
thread_identifier: 0
callback_function: 0x004051ae
module_address: 0x00000000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 524635 0
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection Process 472 called NtSetContextThread to modify thread in remote process 1272
Time & API Arguments Status Return Repeated
1619134540.208279
NtSetContextThread
thread_handle: 0x00000380
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1272
success 0 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 472 resumed a thread in remote process 1272
Time & API Arguments Status Return Repeated
1619134540.443279
NtResumeThread
thread_handle: 0x00000380
suspend_count: 1
process_identifier: 1272
success 0 0
Disables Windows security features (4 events)
description attempts to modify Windows Defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description attempts to modify Windows Defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description attempts to modify Windows Defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description attempts to modify Windows Defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
Executed a process and injected code into it, probably while unpacking (21 events)
Time & API Arguments Status Return Repeated
1619134517.271279
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 472
success 0 0
1619134517.302279
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 472
success 0 0
1619134517.333279
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 472
success 0 0
1619134520.208279
CreateProcessInternalW
thread_identifier: 1060
thread_handle: 0x00000278
process_identifier: 944
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "powershell" Get-MpPreference -verbose
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000284
inherit_handles: 1
success 1 0
1619134538.255279
CreateProcessInternalW
thread_identifier: 1908
thread_handle: 0x0000038c
process_identifier: 1888
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xOAVylIcjaiz" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpA4D6.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000003c4
inherit_handles: 0
success 1 0
1619134540.193279
CreateProcessInternalW
thread_identifier: 2296
thread_handle: 0x00000380
process_identifier: 1272
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\0786f625f3196609ae56906c590fa353.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\0786f625f3196609ae56906c590fa353.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000037c
inherit_handles: 0
success 1 0
1619134540.208279
NtGetContextThread
thread_handle: 0x00000380
success 0 0
1619134540.208279
NtAllocateVirtualMemory
process_identifier: 1272
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000037c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619134540.208279
WriteProcessMemory
process_identifier: 1272
buffer:
process_handle: 0x0000037c
base_address: 0x00400000
success 1 0
1619134540.208279
WriteProcessMemory
process_identifier: 1272
buffer:
process_handle: 0x0000037c
base_address: 0x00401000
success 1 0
1619134540.208279
WriteProcessMemory
process_identifier: 1272
buffer:
process_handle: 0x0000037c
base_address: 0x00414000
success 1 0
1619134540.208279
WriteProcessMemory
process_identifier: 1272
buffer:
process_handle: 0x0000037c
base_address: 0x0041a000
success 1 0
1619134540.208279
WriteProcessMemory
process_identifier: 1272
buffer:
process_handle: 0x0000037c
base_address: 0x0041c000
success 1 0
1619134540.208279
WriteProcessMemory
process_identifier: 1272
buffer:
process_handle: 0x0000037c
base_address: 0x0041d000
success 1 0
1619134540.208279
WriteProcessMemory
process_identifier: 1272
buffer: @
process_handle: 0x0000037c
base_address: 0x7efde008
success 1 0
1619134540.208279
NtSetContextThread
thread_handle: 0x00000380
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1272
success 0 0
1619134540.443279
NtResumeThread
thread_handle: 0x00000380
suspend_count: 1
process_identifier: 1272
success 0 0
1619164888.612875
NtResumeThread
thread_handle: 0x000002a4
suspend_count: 1
process_identifier: 944
success 0 0
1619164888.643875
NtResumeThread
thread_handle: 0x000002f8
suspend_count: 1
process_identifier: 944
success 0 0
1619164892.331875
NtResumeThread
thread_handle: 0x00000464
suspend_count: 1
process_identifier: 944
success 0 0
1619164893.034875
NtResumeThread
thread_handle: 0x000003bc
suspend_count: 1
process_identifier: 944
success 0 0
File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)
Elastic malicious (high confidence)
DrWeb Trojan.InjectNET.14
MicroWorld-eScan Trojan.GenericKD.33735976
FireEye Generic.mg.0786f625f3196609
CAT-QuickHeal Trojanpws.Msil
Qihoo-360 Generic/Trojan.PSW.374
McAfee GenericRXKI-TW!0786F625F319
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
K7AntiVirus Riskware ( 0040eff71 )
BitDefender Trojan.GenericKD.33735976
K7GW Riskware ( 0040eff71 )
Cybereason malicious.5f3196
Cyren W32/MSIL_Kryptik.APP.gen!Eldorado
Symantec Trojan Horse
APEX Malicious
Avast Win32:PWSX-gen [Trj]
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
Alibaba TrojanPSW:MSIL/AgentTesla.1b7804b6
AegisLab Trojan.Multi.Generic.4!c
Ad-Aware Trojan.GenericKD.33735976
Sophos Mal/Generic-S + Troj/Remcos-QR
Comodo Malware@#3pqx2s839jtl9
F-Secure Trojan.TR/AD.Remcos.svtpz
TrendMicro TROJ_GEN.R002C0DLB20
McAfee-GW-Edition GenericRXKI-TW!0786F625F319
Emsisoft Trojan.GenericKD.33735976 (B)
Jiangmin Trojan.PSW.MSIL.xlx
Webroot W32.Trojan.Gen
Avira TR/AD.Remcos.svtpz
MAX malware (ai score=85)
Antiy-AVL Trojan/Win32.Sonbokli
Microsoft Trojan:MSIL/AgentTesla.MX!MTB
Arcabit Trojan.Generic.D202C528
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.GenericKD.33735976
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.GenKryptik.C4082093
VBA32 TScope.Trojan.MSIL
Malwarebytes Spyware.AgentTesla
Panda Trj/GdSda.A
ESET-NOD32 a variant of MSIL/Kryptik.VRL
TrendMicro-HouseCall TROJ_GEN.R002C0DLB20
Yandex Trojan.Igent.bTDF5J.62
SentinelOne Static AI - Malicious PE
Fortinet MSIL/GenKryptik.ELBN!tr
AVG Win32:PWSX-gen [Trj]
Paloalto generic.ml
CrowdStrike win/malicious_confidence_100% (W)
MaxSecure Trojan.Malware.74499699.susgen
Visual analysis
Binary image
No binary image available. This sample did not generate a binary visualization image.
Runtime screenshots
No runtime screenshots available. No screenshots were generated while this sample ran.

PE Compile Time

2020-04-28 02:32:39

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49187 192.169.69.25 kenya8.duckdns.org 7722
192.168.56.101 49188 192.169.69.25 kenya8.duckdns.org 7722
192.168.56.101 49190 192.169.69.25 kenya8.duckdns.org 7722
192.168.56.101 49191 192.169.69.25 kenya8.duckdns.org 7722
192.168.56.101 49193 192.169.69.25 kenya8.duckdns.org 7722
192.168.56.101 49194 192.169.69.25 kenya8.duckdns.org 7722
192.168.56.101 49195 192.169.69.25 kenya8.duckdns.org 7722
192.168.56.101 49196 192.169.69.25 kenya8.duckdns.org 7722
192.168.56.101 49199 192.169.69.25 kenya8.duckdns.org 7722
192.168.56.101 49200 192.169.69.25 kenya8.duckdns.org 7722
192.168.56.101 49201 192.169.69.25 kenya8.duckdns.org 7722
192.168.56.101 49202 192.169.69.25 kenya8.duckdns.org 7722
192.168.56.101 49203 192.169.69.25 kenya8.duckdns.org 7722
192.168.56.101 49204 192.169.69.25 kenya8.duckdns.org 7722
192.168.56.101 49207 192.169.69.25 kenya8.duckdns.org 7722
192.168.56.101 49208 192.169.69.25 kenya8.duckdns.org 7722
192.168.56.101 49210 192.169.69.25 kenya8.duckdns.org 7722
192.168.56.101 49211 192.169.69.25 kenya8.duckdns.org 7722
192.168.56.101 49212 192.169.69.25 kenya8.duckdns.org 7722
192.168.56.101 49213 192.169.69.25 kenya8.duckdns.org 7722

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 57874 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.