SmartHawk

9.4

极危

54 个模型检测该样本为恶意！

重新分析

下载样本

c9880b54eff052551b910427ebe39f02e2af781c99336b9f5bbb1a9ba41e0e19

08ad7896d01b04a00b797f7a5c826d21.exe

分析耗时

23s

最近分析

文件大小

691.0KB

静态报毒动态报毒 AI SCORE=85 ALI2000015 ARTEMIS ATTRIBUTE CLOUD CONFIDENCE DELF DELFINJECT DELPHILESS EMVU EMZL FAREIT FILEREPMALWARE GENERICKD HIGHCONFIDENCE HQHMGY KRYPTIK LOKIBOT R002C0DH420 RMGFAOIAOBNI SCORE SIGGEN10 SUSGEN SUSPICIOUS PE TSCOPE UNSAFE X2091 YNHQK ZELPHIF ZSHP 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!08AD7896D01B	20200820	6.0.6.653
Alibaba	Trojan:Win32/DelfInject.ali2000015	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:Malware-gen	20200820	18.4.3895.0
Tencent	Win32.Trojan.Kryptik.Gvt	20200820	1.0.0.1
Kingsoft		20200820	2013.8.14.323
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619160724.101374 __exception__	stacktrace: CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73 GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7484e97b GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7484ea8f RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7484b25a RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7484b4c7 RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7484ac75 RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7484aed6 CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x74845511 _CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7484559e CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x750f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x750f4de3 08ad7896d01b04a00b797f7a5c826d21+0x98a4d @ 0x498a4d 08ad7896d01b04a00b797f7a5c826d21+0x91254 @ 0x491254 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1634372 registers.edi: 2 registers.eax: 1 registers.ebp: 1634412 registers.edx: 228 registers.ebx: 983045 registers.esi: 1634532 registers.ecx: 228 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfdaf14ad	success	0	0

Time & API

Arguments

Status

Return

Repeated

1619160724.101374
__exception__

stacktrace:

CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x7484e97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x7484ea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x7484b25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x7484b4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x7484ac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x7484aed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x74845511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x7484559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x750f7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x750f4de3
08ad7896d01b04a00b797f7a5c826d21+0x98a4d @ 0x498a4d
08ad7896d01b04a00b797f7a5c826d21+0x91254 @ 0x491254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdaf14ad

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (30 个事件)

Time & API	Arguments	Status
1619134515.600633 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00370000	success
1619134515.819633 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00476000	success
1619134515.819633 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003b0000	success
1619160721.960374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success
1619160722.054374 NtAllocateVirtualMemory	process_identifier: 648 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x01f70000	success
1619160722.054374 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02070000	success
1619160722.054374 NtAllocateVirtualMemory	process_identifier: 648 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01f70000	success
1619160722.054374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 565248 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f72000	success
1619160722.695374 NtAllocateVirtualMemory	process_identifier: 648 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02290000	success
1619160722.695374 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02390000	success
1619160724.054374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00592000	success
1619160724.054374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619160724.070374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00592000	success
1619160724.070374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76353000	success
1619160724.070374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00592000	success
1619160724.070374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76354000	success
1619160724.070374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00592000	success
1619160724.070374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619160724.070374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00592000	success
1619160724.070374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d4f000	success
1619160724.070374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00592000	success
1619160724.070374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76353000	success
1619160724.070374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00592000	success
1619160724.070374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619160724.070374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00592000	success
1619160724.070374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success
1619160724.070374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00592000	success
1619160724.070374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76354000	success
1619160724.070374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00592000	success
1619160724.070374 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76351000	success

Creates executable files on the filesystem (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrom.vbs

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.854503064824923

section

{'size_of_data': '0x000ab000', 'virtual_address': '0x0006b000', 'entropy': 7.854503064824923, 'name': 'UPX1', 'virtual_size': '0x000ab000'}

description

A section with a high entropy has been found

entropy

0.991304347826087

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 个事件)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619134516.428633 NtAllocateVirtualMemory	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000000fc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x000f0000	success	0	0

Installs itself for autorun at Windows startup (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrom.vbs

Creates a thread using NtQueueApcThread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 472 created a thread in remote process 3040
1619134516.444633 NtQueueApcThread	thread_handle: 0x000000f8 process_identifier: 3040 function_address: 0x000f05c0 parameter: 0x00100000	success	0	0

Potential code injection by writing to the memory of another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619134516.428633 WriteProcessMemory	process_identifier: 3040 buffer: Q¹0d@@@$$YÃVWR¾§ÆgNèYøv· ¿Zwf;Ït ¿Ntf;ÏuÂèÀtÎÁáþÁïÏ¾:Ï3ñBHué_Æ^ÃUìQQMSVWÉt;¸MZf9u1A<Át*8PEu"@xeüÁxX$p @ùÙñEøÀu 3À_^[ÉÃMEüÑèOÿÿÿ;Et ÿEüEü;Eøràë×Eü·CEëÊUìQSW3ÿWWjWjh@ÿuÿVØûÿu3Àë&WWWS}üÿV0W}EüPWÿuSÿVSÿV3À9}üÀ_[ÉÃÉtèÀt3ÉfÃUììVðäüÿÿP3ÀPPjPÿVlÀj\XfEü3Àj.fEþXjvfEðXfEòjbXfEôjsXfEö3ÀfEøUüäüÿÿèÖUèÎUðèÆÿuìþÿÿÿuPÿVxÄäüÿÿPÿVìþÿÿPèÂ@PìþÿÿPäüÿÿPèîþÿÿÄ^ÉÃUìì,j:XjZfEÜXjofEÞXjnfEàXjefEâXjIfEäXjdfEæXjefEèXjnfEêXjtfEìXjifEîXjffEðXjifEòXfEôjeXfEöjrXfEø3ÀfEúÔýÿÿè¬UÜè÷EÿPÆEÿèPEÿPÔýÿÿPè?þÿÿÄÉÃUìQeüVðEüPÿuèþYYÀt}ütÿuüPÿuèþÿÿÄÀt3À@ë3À^ÉÃUììSVðÏøýÿÿè'Èè(þÿÿ3ÛSøýÿÿPÿVWÿV8]uWÿuÆè~ÿÿÿYYØë }u5SWÿuÿWÿV(3ÛøÿÏÃèªþÿÿûu9]uWÿV(ÈPWÿV,3À@ë3À^[ÉÃUììSVWèsüÿÿøÿ"h"¿WèÌüÿÿØYYÛjh0hjÿÓðöñh¼Û«½W~`^@èüÿÿhÒ¼WF$èüÿÿh\|QgjWF(èyüÿÿhëIWF,èküÿÿhå©WF0è]üÿÿh¥°(WF4èOüÿÿh)·WF8èAüÿÿh[uðWFDè3üÿÿÄ@ØhdóuW^ è üÿÿh¢¦aëWFèüÿÿhÕOd"WFèüÿÿhy.ÃWFèöûÿÿh±÷WFèèûÿÿheóW÷WFèÚûÿÿh¯4PWFèÌûÿÿh{=#WF<è¾ûÿÿÄ@hOû~ WFèûÿÿhà=!6WFHèûÿÿhh#WèûÿÿFLhÍeWèûÿÿhÓ1ÆVWFPèvûÿÿh7½WFTèhûÿÿh£-ãWFXèZûÿÿF\Ä8EðPÇEðshelÇEôl32ÿÓøÿt"hÀåz°W~dè,ûÿÿhêêºWFlèûÿÿÄFpEøPÇEøuserfÇEü32ÆEþÿV øÿtAhqV°0W~hèìúÿÿhkV°0WFxèÞúÿÿh&cjWFtèÐúÿÿh<cjWF\|èÂúÿÿÄ Æë3À_^[ÉÃUìì\VuW3ÿ;÷îSè¤ýÿÿØ;ßuWÿDéÕEüPëj2ÿSPÿuüWWÿSLÀuïjdÿSPFEøE9>tYÿ¶¶QP¾Ãè¾üÿÿ}3ÿÄ9>t1jDE¤WPèjEèWPèüÄEèPE¤PWWj WWWWÿuÿS$9¾(tlP,PÿuÃè½úÿÿÄ9¾tëj2ÿSPÿuüWWÿSLÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂUììSW3ÿWWjWjhÿu}øÿVØûÿu3Àë>WSÿVEô;Çt+jh0PWÿV@Eø;ÇtWMüQÿuô}üPSÿVEüMSÿVEø_[ÉÃ·ffÒtVð+ñÁ·ffÒuñ^ÃUìQQEEüEüEEøEü;EøtEüMEü@EüëçEÉÃf8Vðt Æf>u÷+ò· fÂfÉuñ^ÃD$@Éuù+D$HÃÉu3ÀÃf9Át Àf8u÷+ÁÑøÃÉt èÚÿÿÿÀtDAþë fù\t è·fÉuï3ÀÃ process_handle: 0x000000fc base_address: 0x000f0000	success	1	0
1619134516.428633 WriteProcessMemory	process_identifier: 3040 buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\08ad7896d01b04a00b797f7a5c826d21.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\08ad7896d01b04a00b797f7a5c826d21.exe" chromSeT hrpyiMZTvTkYf = cReATeobJecT("wsCrIPt.sHeLL") hRpYiMZTVtkYf.run """%ls""", 0, False process_handle: 0x000000fc base_address: 0x00100000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 472 called NtSetContextThread to modify thread in remote process 648
1619134516.615633 NtSetContextThread	thread_handle: 0x00000104 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 5420128 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 648	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 472 resumed a thread in remote process 648
1619134517.115633 NtResumeThread	thread_handle: 0x00000104 suspend_count: 1 process_identifier: 648	success	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (11 个事件)

Time & API	Arguments	Status	Return
1619134516.428633 CreateProcessInternalW	thread_identifier: 2976 thread_handle: 0x000000f8 process_identifier: 3040 current_directory: filepath: C:\Windows\System32\notepad.exe track: 1 command_line: filepath_r: C:\Windows\system32\notepad.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x000000fc inherit_handles: 0	success	1
1619134516.428633 NtAllocateVirtualMemory	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000000fc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x000f0000	success	0
1619134516.428633 NtAllocateVirtualMemory	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x000000fc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00100000	success	0
1619134516.428633 WriteProcessMemory	process_identifier: 3040 buffer: Q¹0d@@@$$YÃVWR¾§ÆgNèYøv· ¿Zwf;Ït ¿Ntf;ÏuÂèÀtÎÁáþÁïÏ¾:Ï3ñBHué_Æ^ÃUìQQMSVWÉt;¸MZf9u1A<Át*8PEu"@xeüÁxX$p @ùÙñEøÀu 3À_^[ÉÃMEüÑèOÿÿÿ;Et ÿEüEü;Eøràë×Eü·CEëÊUìQSW3ÿWWjWjh@ÿuÿVØûÿu3Àë&WWWS}üÿV0W}EüPWÿuSÿVSÿV3À9}üÀ_[ÉÃÉtèÀt3ÉfÃUììVðäüÿÿP3ÀPPjPÿVlÀj\XfEü3Àj.fEþXjvfEðXfEòjbXfEôjsXfEö3ÀfEøUüäüÿÿèÖUèÎUðèÆÿuìþÿÿÿuPÿVxÄäüÿÿPÿVìþÿÿPèÂ@PìþÿÿPäüÿÿPèîþÿÿÄ^ÉÃUìì,j:XjZfEÜXjofEÞXjnfEàXjefEâXjIfEäXjdfEæXjefEèXjnfEêXjtfEìXjifEîXjffEðXjifEòXfEôjeXfEöjrXfEø3ÀfEúÔýÿÿè¬UÜè÷EÿPÆEÿèPEÿPÔýÿÿPè?þÿÿÄÉÃUìQeüVðEüPÿuèþYYÀt}ütÿuüPÿuèþÿÿÄÀt3À@ë3À^ÉÃUììSVðÏøýÿÿè'Èè(þÿÿ3ÛSøýÿÿPÿVWÿV8]uWÿuÆè~ÿÿÿYYØë }u5SWÿuÿWÿV(3ÛøÿÏÃèªþÿÿûu9]uWÿV(ÈPWÿV,3À@ë3À^[ÉÃUììSVWèsüÿÿøÿ"h"¿WèÌüÿÿØYYÛjh0hjÿÓðöñh¼Û«½W~`^@èüÿÿhÒ¼WF$èüÿÿh\|QgjWF(èyüÿÿhëIWF,èküÿÿhå©WF0è]üÿÿh¥°(WF4èOüÿÿh)·WF8èAüÿÿh[uðWFDè3üÿÿÄ@ØhdóuW^ è üÿÿh¢¦aëWFèüÿÿhÕOd"WFèüÿÿhy.ÃWFèöûÿÿh±÷WFèèûÿÿheóW÷WFèÚûÿÿh¯4PWFèÌûÿÿh{=#WF<è¾ûÿÿÄ@hOû~ WFèûÿÿhà=!6WFHèûÿÿhh#WèûÿÿFLhÍeWèûÿÿhÓ1ÆVWFPèvûÿÿh7½WFTèhûÿÿh£-ãWFXèZûÿÿF\Ä8EðPÇEðshelÇEôl32ÿÓøÿt"hÀåz°W~dè,ûÿÿhêêºWFlèûÿÿÄFpEøPÇEøuserfÇEü32ÆEþÿV øÿtAhqV°0W~hèìúÿÿhkV°0WFxèÞúÿÿh&cjWFtèÐúÿÿh<cjWF\|èÂúÿÿÄ Æë3À_^[ÉÃUìì\VuW3ÿ;÷îSè¤ýÿÿØ;ßuWÿDéÕEüPëj2ÿSPÿuüWWÿSLÀuïjdÿSPFEøE9>tYÿ¶¶QP¾Ãè¾üÿÿ}3ÿÄ9>t1jDE¤WPèjEèWPèüÄEèPE¤PWWj WWWWÿuÿS$9¾(tlP,PÿuÃè½úÿÿÄ9¾tëj2ÿSPÿuüWWÿSLÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂUììSW3ÿWWjWjhÿu}øÿVØûÿu3Àë>WSÿVEô;Çt+jh0PWÿV@Eø;ÇtWMüQÿuô}üPSÿVEüMSÿVEø_[ÉÃ·ffÒtVð+ñÁ·ffÒuñ^ÃUìQQEEüEüEEøEü;EøtEüMEü@EüëçEÉÃf8Vðt Æf>u÷+ò· fÂfÉuñ^ÃD$@Éuù+D$HÃÉu3ÀÃf9Át Àf8u÷+ÁÑøÃÉt èÚÿÿÿÀtDAþë fù\t è·fÉuï3ÀÃ process_handle: 0x000000fc base_address: 0x000f0000	success	1
1619134516.428633 WriteProcessMemory	process_identifier: 3040 buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\08ad7896d01b04a00b797f7a5c826d21.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\08ad7896d01b04a00b797f7a5c826d21.exe" chromSeT hrpyiMZTvTkYf = cReATeobJecT("wsCrIPt.sHeLL") hRpYiMZTVtkYf.run """%ls""", 0, False process_handle: 0x000000fc base_address: 0x00100000	success	1
1619134516.537633 CreateProcessInternalW	thread_identifier: 732 thread_handle: 0x00000104 process_identifier: 648 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\08ad7896d01b04a00b797f7a5c826d21.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000100 inherit_handles: 0	success	1
1619134516.537633 NtUnmapViewOfSection	process_identifier: 648 region_size: 4096 process_handle: 0x00000100 base_address: 0x00400000	success	0
1619134516.537633 NtMapViewOfSection	section_handle: 0x0000010c process_identifier: 648 commit_size: 1232896 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000100 allocation_type: 0 () section_offset: 0 view_size: 1232896 base_address: 0x00400000	success	0
1619134516.615633 NtGetContextThread	thread_handle: 0x00000104	success	0
1619134516.615633 NtSetContextThread	thread_handle: 0x00000104 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 5420128 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 648	success	0
1619134517.115633 NtResumeThread	thread_handle: 0x00000104 suspend_count: 1 process_identifier: 648	success	0

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 个事件)

MicroWorld-eScan	Trojan.GenericKD.43589184
FireEye	Generic.mg.08ad7896d01b04a0
CAT-QuickHeal	Trojan.Kryptik
McAfee	Artemis!08AD7896D01B
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Malware
K7AntiVirus	Trojan ( 0056bde41 )
Alibaba	Trojan:Win32/DelfInject.ali2000015
K7GW	Trojan ( 0056bde41 )
Cybereason	malicious.8d6824
TrendMicro	TROJ_GEN.R002C0DH420
BitDefenderTheta	Gen:NN.ZelphiF.34186.RmGfaOIAobni
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Malware-gen
GData	Trojan.GenericKD.43589184
Kaspersky	HEUR:Trojan.Win32.Kryptik.gen
BitDefender	Trojan.GenericKD.43589184
NANO-Antivirus	Trojan.Win32.Kryptik.hqhmgy
Paloalto	generic.ml
Tencent	Win32.Trojan.Kryptik.Gvt
Ad-Aware	Trojan.GenericKD.43589184
Emsisoft	Trojan.GenericKD.43589184 (B)
F-Secure	Trojan.TR/Injector.ynhqk
DrWeb	Trojan.Siggen10.111
Zillya	Trojan.Delf.Win32.127114
Invincea	heuristic
Sophos	Mal/Generic-S
SentinelOne	DFI - Suspicious PE
Cyren	W32/Trojan.ZSHP-6226
Jiangmin	Trojan.Kryptik.bzt
Avira	TR/Injector.ynhqk
Antiy-AVL	Trojan/Win32.Injector
Arcabit	Trojan.Generic.D2991E40
AegisLab	Trojan.Win32.Kryptik.4!c
ZoneAlarm	HEUR:Trojan.Win32.Kryptik.gen
Microsoft	PWS:Win32/Fareit.SM!MTB
Cynet	Malicious (score: 100)
AhnLab-V3	Suspicious/Win.Delphiless.X2091
VBA32	TScope.Trojan.Delf
ALYac	Trojan.GenericKD.43589184
MAX	malware (ai score=85)
Malwarebytes	Spyware.LokiBot
ESET-NOD32	a variant of Win32/Injector.EMVU
TrendMicro-HouseCall	TROJ_GEN.R002C0DH420
Rising	Trojan.Injector!1.C97E (CLOUD)
Ikarus	Trojan.Inject
eGambit	Unsafe.AI_Score_94%
Fortinet	W32/Injector.EMZL!tr

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1992-06-20 06:22:17

Imports

Library KERNEL32.DLL:

• 0x517650 LoadLibraryA

• 0x517654 GetProcAddress

• 0x517658 VirtualProtect

• 0x51765c VirtualAlloc

• 0x517660 VirtualFree

• 0x517664 ExitProcess

Library advapi32.dll:

• 0x51766c RegCloseKey

Library comctl32.dll:

• 0x517674 ImageList_Add

Library comdlg32.dll:

• 0x51767c GetOpenFileNameA

Library gdi32.dll:

• 0x517684 SaveDC

Library ole32.dll:

• 0x51768c OleDraw

Library oleaut32.dll:

• 0x517694 VariantCopy

Library user32.dll:

• 0x51769c GetDC

Library version.dll:

• 0x5176a4 VerQueryValueA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58370	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.