SmartHawk

8.8

极危

56 个模型检测该样本为恶意！

重新分析

下载样本

a9ee569395b89fd6a4a129896d38f1ed68fb6b512bbd54cdf570ec4f2ea70497

08d86d476773456cc9c8b6724aba55c7.exe

分析耗时

78s

最近分析

文件大小

505.5KB

静态报毒动态报毒 AI SCORE=89 ALI1000123 ATTRIBUTE BLUTEAL BUQC6K CKFGK DYSGZE ELDORADO FAREIT FM0@AEV5PAD GDSDA GENERICKD HIGH CONFIDENCE HIGHCONFIDENCE HVYBQB IGENT INJECT3 KCLOUD KRYPTIK MALICIOUS PE MALWARE@#1WM4SS36XC1IQ NEGASTEAL PWSX RUNNER SCORE STATIC AI SWOTTER TASKUN TSCOPE UNSAFE WACATAC XCEHFB4YTVT YAKBEEXMSIL ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FZY!08D86D476773	20210127	6.0.6.653
Alibaba	Trojan:Win32/runner.ali1000123	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:PWSX-gen [Trj]	20210127	21.1.5827.0
Tencent	Msil.Trojan.Taskun.Hzc	20210127	1.0.0.1
Kingsoft	Win32.Troj.Undef.(kcloud)	20210127	2017.9.26.565

Checks if process is being debugged by a debugger (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620119622.604503 IsDebuggerPresent		failed	0	0
1620119622.604503 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620119622.651503 GlobalMemoryStatusEx		success	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 91 个事件)

Time & API	Arguments	Status
1620119621.667503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00530000	success
1620119621.667503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005a0000	success
1620119622.073503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x005e0000	success
1620119622.073503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006b0000	success
1620119622.260503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success
1620119622.604503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00530000	success
1620119622.604503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00550000	success
1620119622.620503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0034a000	success
1620119622.620503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success
1620119622.620503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00342000	success
1620119623.026503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00352000	success
1620119623.104503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00375000	success
1620119623.104503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0037b000	success
1620119623.104503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00377000	success
1620119623.198503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00353000	success
1620119623.213503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0035c000	success
1620119623.276503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00920000	success
1620119623.307503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00354000	success
1620119623.307503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00921000	success
1620119623.338503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00922000	success
1620119623.495503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00923000	success
1620119623.510503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0014f000	success
1620119623.510503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0014f000	success
1620119623.510503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x000d0000	success
1620119623.510503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x000d0000	success
1620119623.510503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x000d0000	success
1620119623.510503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x000d2000	success
1620119623.510503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0013d000	success
1620119623.510503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0013d000	success
1620119623.510503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0013d000	success
1620119623.510503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0013d000	success
1620119623.510503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0013e000	success
1620119623.510503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0013e000	success
1620119623.510503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0013e000	success
1620119623.510503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0013e000	success
1620119623.510503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0013e000	success
1620119623.510503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0013e000	success
1620119623.510503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0013e000	success
1620119623.510503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0013e000	success
1620119623.510503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0013e000	success
1620119623.510503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0013e000	success
1620119623.510503 NtProtectVirtualMemory	process_identifier: 200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0013e000	success
1620119623.573503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00355000	success
1620119623.573503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00356000	success
1620119623.963503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00357000	success
1620119623.979503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00359000	success
1620119624.120503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00924000	success
1620119624.120503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00650000	success
1620119624.245503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0036a000	success
1620119624.245503 NtAllocateVirtualMemory	process_identifier: 200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00367000	success

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.733965982874692

section

{'size_of_data': '0x0007da00', 'virtual_address': '0x00002000', 'entropy': 7.733965982874692, 'name': '.text', 'virtual_size': '0x0007d8f4'}

description

A section with a high entropy has been found

entropy

0.995049504950495

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620119676.510503 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620119676.885503 NtTerminateProcess	status_code: 0xffffffff process_identifier: 520 process_handle: 0x00000240	failed	0	0
1620119676.885503 NtTerminateProcess	status_code: 0xffffffff process_identifier: 520 process_handle: 0x00000240	success	0	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620119676.479503 NtAllocateVirtualMemory	process_identifier: 520 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000230 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1620119676.979503 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000244 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Manipulates memory of a non-child process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 200 manipulating memory of non-child process 520
1620119676.479503 NtAllocateVirtualMemory	process_identifier: 520 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000230 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Potential code injection by writing to the memory of another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620119676.979503 WriteProcessMemory	process_identifier: 2316 buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $s5ê7p[¹7p[¹7p[¹Xð¹qp[¹XÅ¹4p[¹XÆ¹6p[¹Rich7p[¹PELþzd<à Äêà@à@.textDÂÄ ` process_handle: 0x00000244 base_address: 0x00400000	success	1	0
1620119676.979503 WriteProcessMemory	process_identifier: 2316 buffer: @ process_handle: 0x00000244 base_address: 0xfffde008	success	1	0

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620119676.979503 WriteProcessMemory	process_identifier: 2316 buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $s5ê7p[¹7p[¹7p[¹Xð¹qp[¹XÅ¹4p[¹XÆ¹6p[¹Rich7p[¹PELþzd<à Äêà@à@.textDÂÄ ` process_handle: 0x00000244 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 200 called NtSetContextThread to modify thread in remote process 2316
1620119676.979503 NtSetContextThread	thread_handle: 0x00000240 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319872 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 process_identifier: 2316	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 200 resumed a thread in remote process 2316
1620119677.229503 NtResumeThread	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2316	success	0	0

Executed a process and injected code into it, probably while unpacking (14 个事件)

Time & API	Arguments	Status	Return
1620119622.604503 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 200	success	0
1620119622.635503 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 200	success	0
1620119622.713503 NtResumeThread	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 200	success	0
1620119676.479503 CreateProcessInternalW	thread_identifier: 1812 thread_handle: 0x0000022c process_identifier: 520 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x00000230 inherit_handles: 0	success	1
1620119676.479503 NtGetContextThread	thread_handle: 0x0000022c	success	0
1620119676.479503 NtAllocateVirtualMemory	process_identifier: 520 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000230 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1620119676.963503 CreateProcessInternalW	thread_identifier: 2940 thread_handle: 0x00000240 process_identifier: 2316 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x00000244 inherit_handles: 0	success	1
1620119676.979503 NtGetContextThread	thread_handle: 0x00000240	success	0
1620119676.979503 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000244 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1620119676.979503 WriteProcessMemory	process_identifier: 2316 buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $s5ê7p[¹7p[¹7p[¹Xð¹qp[¹XÅ¹4p[¹XÆ¹6p[¹Rich7p[¹PELþzd<à Äêà@à@.textDÂÄ ` process_handle: 0x00000244 base_address: 0x00400000	success	1
1620119676.979503 WriteProcessMemory	process_identifier: 2316 buffer: process_handle: 0x00000244 base_address: 0x00401000	success	1
1620119676.979503 WriteProcessMemory	process_identifier: 2316 buffer: @ process_handle: 0x00000244 base_address: 0xfffde008	success	1
1620119676.979503 NtSetContextThread	thread_handle: 0x00000240 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319872 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 process_identifier: 2316	success	0
1620119677.229503 NtResumeThread	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2316	success	0

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.34502352
FireEye	Generic.mg.08d86d476773456c
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	Fareit-FZY!08D86D476773
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Trojan ( 0056e1411 )
Alibaba	Trojan:Win32/runner.ali1000123
K7GW	Trojan ( 0056e1411 )
Cybereason	malicious.767734
Arcabit	Trojan.Generic.D20E76D0
Cyren	W32/MSIL_Kryptik.BPO.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan.MSIL.Taskun.gen
BitDefender	Trojan.GenericKD.34502352
NANO-Antivirus	Trojan.Win32.Taskun.hvybqb
Paloalto	generic.ml
Tencent	Msil.Trojan.Taskun.Hzc
Ad-Aware	Trojan.GenericKD.34502352
Emsisoft	Trojan.GenericKD.34502352 (B)
Comodo	Malware@#1wm4ss36xc1iq
F-Secure	Trojan.TR/AD.Swotter.ckfgk
DrWeb	Trojan.Inject3.58842
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TrojanSpy.MSIL.NEGASTEAL.DYSGZE
McAfee-GW-Edition	BehavesLike.Win32.Fareit.hc
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Crypt
Avira	TR/AD.Swotter.ckfgk
Antiy-AVL	Trojan/MSIL.Taskun
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Wacatac.oa
Microsoft	Trojan:Win32/Bluteal!rfn
AegisLab	Trojan.MSIL.Taskun.4!c
ZoneAlarm	HEUR:Trojan.MSIL.Taskun.gen
GData	Trojan.GenericKD.34502352
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.RL_Agent.C4194934
BitDefenderTheta	Gen:NN.ZemsilF.34780.Fm0@aev5pAd
ALYac	Trojan.GenericKD.34502352
MAX	malware (ai score=89)
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.MalPack
Zoner	Trojan.Win32.93723
ESET-NOD32	a variant of MSIL/Kryptik.XRN
TrendMicro-HouseCall	TrojanSpy.MSIL.NEGASTEAL.DYSGZE
Rising	Trojan.Kryptik!8.8 (TFE:C:XceHfb4YTVT)

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-09-10 12:42:16

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	50537	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.