SmartHawk

11.6

0-day

56 个模型检测该样本为恶意！

重新分析

下载样本

80a8c00df782ec203cf31be346d36603cb084a829418a2459114fe9267078cc3

094ed8f06b37845319686b3da7f77c42.exe

分析耗时

85s

最近分析

文件大小

456.5KB

静态报毒动态报毒 AI SCORE=83 ATTRIBUTE BUDYSY CM0@AOIZXSL CONFIDENCE ELDORADO FCSU FORMBOOK GENERICKD HEAPOVERRIDE HIGH CONFIDENCE HIGHCONFIDENCE HRLMRD IGENT KRYPTIK MALICIOUS PE MALWARE@#39ATGC5FX3YFU MASSLOGGER PACKEDNET PWSX PXKJS SCORE STATIC AI SUSGEN THIBDBO UNSAFE YAKBEEXMSIL ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	PWS-FCSU!094ED8F06B37	20201211	6.0.6.653
Baidu		20190318	1.0.0.2
Alibaba	Trojan:MSIL/Formbook.06714725	20190527	0.3.0.5
Tencent	Msil.Trojan.Agent.Eyo	20201211	1.0.0.1
Kingsoft		20201211	2017.9.26.565
Avast	Win32:PWSX-gen [Trj]	20201210	21.1.5827.0
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0

Queries for the computername (4 个事件)

Time & API	Arguments	Status	Return
1619142178.092625 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619142194.889875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619142196.780875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619142199.811875 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (50 out of 113 个事件)

Time & API	Arguments	Status	Return	Repeated
1619134512.345408 IsDebuggerPresent		failed	0	0
1619134513.189408 IsDebuggerPresent		failed	0	0
1619134513.689408 IsDebuggerPresent		failed	0	0
1619134514.189408 IsDebuggerPresent		failed	0	0
1619134514.689408 IsDebuggerPresent		failed	0	0
1619134515.189408 IsDebuggerPresent		failed	0	0
1619134515.689408 IsDebuggerPresent		failed	0	0
1619134516.189408 IsDebuggerPresent		failed	0	0
1619134516.689408 IsDebuggerPresent		failed	0	0
1619134517.189408 IsDebuggerPresent		failed	0	0
1619134517.689408 IsDebuggerPresent		failed	0	0
1619134518.189408 IsDebuggerPresent		failed	0	0
1619134518.689408 IsDebuggerPresent		failed	0	0
1619134519.189408 IsDebuggerPresent		failed	0	0
1619134519.689408 IsDebuggerPresent		failed	0	0
1619134520.189408 IsDebuggerPresent		failed	0	0
1619134520.689408 IsDebuggerPresent		failed	0	0
1619134521.189408 IsDebuggerPresent		failed	0	0
1619134521.689408 IsDebuggerPresent		failed	0	0
1619134522.189408 IsDebuggerPresent		failed	0	0
1619134522.689408 IsDebuggerPresent		failed	0	0
1619134523.189408 IsDebuggerPresent		failed	0	0
1619134523.689408 IsDebuggerPresent		failed	0	0
1619134524.189408 IsDebuggerPresent		failed	0	0
1619134524.689408 IsDebuggerPresent		failed	0	0
1619134525.189408 IsDebuggerPresent		failed	0	0
1619134525.689408 IsDebuggerPresent		failed	0	0
1619134526.189408 IsDebuggerPresent		failed	0	0
1619134526.689408 IsDebuggerPresent		failed	0	0
1619134527.189408 IsDebuggerPresent		failed	0	0
1619134527.689408 IsDebuggerPresent		failed	0	0
1619134528.189408 IsDebuggerPresent		failed	0	0
1619134528.689408 IsDebuggerPresent		failed	0	0
1619134529.189408 IsDebuggerPresent		failed	0	0
1619134529.689408 IsDebuggerPresent		failed	0	0
1619134530.189408 IsDebuggerPresent		failed	0	0
1619134530.689408 IsDebuggerPresent		failed	0	0
1619134531.189408 IsDebuggerPresent		failed	0	0
1619134531.689408 IsDebuggerPresent		failed	0	0
1619134532.189408 IsDebuggerPresent		failed	0	0
1619134532.689408 IsDebuggerPresent		failed	0	0
1619134533.189408 IsDebuggerPresent		failed	0	0
1619134533.689408 IsDebuggerPresent		failed	0	0
1619134534.189408 IsDebuggerPresent		failed	0	0
1619134534.689408 IsDebuggerPresent		failed	0	0
1619134535.189408 IsDebuggerPresent		failed	0	0
1619134535.689408 IsDebuggerPresent		failed	0	0
1619134536.189408 IsDebuggerPresent		failed	0	0
1619134536.689408 IsDebuggerPresent		failed	0	0
1619134537.189408 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619142178.686625 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\GJbjAVYNgFovG"。 console_handle: 0x00000007	success	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619134556.736408 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619142199.077875 __exception__	stacktrace: 0x46ae845 0x46ada98 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752955ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75517f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75514de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1569168 registers.edi: 1569200 registers.eax: 0 registers.ebp: 1569216 registers.edx: 158 registers.ebx: 0 registers.esi: 40740564 registers.ecx: 0 exception.instruction_r: 8b 01 ff 50 28 89 45 d8 b8 a1 a5 56 3f eb 86 8b exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x46aec59	success	0	0

Time & API

Arguments

Status

Return

Repeated

1619142199.077875
__exception__

stacktrace:

0x46ae845
0x46ada98
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752955ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75517f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75514de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1569168
registers.edi: 1569200
registers.eax: 0
registers.ebp: 1569216
registers.edx: 158
registers.ebx: 0
registers.esi: 40740564
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 28 89 45 d8 b8 a1 a5 56 3f eb 86 8b
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x46aec59

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 122 个事件)

Time & API	Arguments	Status	Return
1619134511.486408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00760000	success	0
1619134511.486408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x007e0000	success	0
1619134512.220408 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f31000	success	0
1619134512.361408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0042a000	success	0
1619134512.361408 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f32000	success	0
1619134512.361408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00422000	success	0
1619134512.564408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00432000	success	0
1619134512.626408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00433000	success	0
1619134512.658408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004ab000	success	0
1619134512.658408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004a7000	success	0
1619134512.673408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0043c000	success	0
1619134512.736408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00650000	success	0
1619134512.892408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0043a000	success	0
1619134512.986408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0049a000	success	0
1619134513.001408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00492000	success	0
1619134513.048408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00434000	success	0
1619134513.064408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004a5000	success	0
1619134513.267408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00651000	success	0
1619134513.329408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0048a000	success	0
1619134513.329408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00487000	success	0
1619134513.423408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00435000	success	0
1619134554.423408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00652000	success	0
1619134554.470408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0042b000	success	0
1619134554.720408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0049c000	success	0
1619134554.736408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00653000	success	0
1619134554.783408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00486000	success	0
1619134554.798408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00436000	success	0
1619134554.798408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00654000	success	0
1619134554.876408 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 252928 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05180400	failed	3221225550
1619134559.361408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00655000	success	0
1619134559.376408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00656000	success	0
1619134559.376408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00437000	success	0
1619134559.392408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00657000	success	0
1619134559.392408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00658000	success	0
1619134559.501408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00659000	success	0
1619134559.704408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0065a000	success	0
1619134559.923408 NtAllocateVirtualMemory	process_identifier: 472 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0065b000	success	0
1619134559.939408 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05180178	failed	3221225550
1619134559.939408 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x051801a0	failed	3221225550
1619134559.939408 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x051801c8	failed	3221225550
1619134559.939408 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x051801f0	failed	3221225550
1619134559.939408 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05180218	failed	3221225550
1619134559.939408 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x051be90e	failed	3221225550
1619134559.939408 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x051be902	failed	3221225550
1619134559.939408 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x051be000	failed	3221225550
1619134559.939408 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x051be91c	failed	3221225550
1619134559.939408 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x051be940	failed	3221225550
1619134559.939408 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x051be948	failed	3221225550
1619134559.939408 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x051be94c	failed	3221225550
1619134559.939408 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x051be954	failed	3221225550

A process attempted to delay the analysis task. (1 个事件)

description

094ed8f06b37845319686b3da7f77c42.exe tried to sleep 160 seconds, actually delayed analysis time by 160 seconds

Creates a suspicious process (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\GJbjAVYNgFovG" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpEFA.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GJbjAVYNgFovG" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpEFA.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619134560.689408 ShellExecuteExW	parameters: /Create /TN "Updates\GJbjAVYNgFovG" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpEFA.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.882318116924962

section

{'size_of_data': '0x00064400', 'virtual_address': '0x00002000', 'entropy': 7.882318116924962, 'name': '.text', 'virtual_size': '0x00064224'}

description

A section with a high entropy has been found

entropy

0.8793859649122807

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619134512.939408 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1619142194.139875 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (4 个事件)

Time & API	Arguments	Status
1619134563.486408 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2272 process_handle: 0x000113ac	failed
1619134563.486408 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2272 process_handle: 0x000113ac	success
1619134563.829408 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1816 process_handle: 0x0000849c	failed
1619134563.829408 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1816 process_handle: 0x0000849c	success

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\GJbjAVYNgFovG" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpEFA.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GJbjAVYNgFovG" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpEFA.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (3 个事件)

Time & API	Arguments	Status	Return
1619134563.283408 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000d618 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619134563.626408 NtAllocateVirtualMemory	process_identifier: 1816 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000113c0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619134563.923408 NtAllocateVirtualMemory	process_identifier: 2576 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00001bfc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpEFA.tmp

Manipulates memory of a non-child process indicative of process injection (4 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 472 manipulating memory of non-child process 2272
Process injection	Process 472 manipulating memory of non-child process 1816
1619134563.283408 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000d618 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619134563.626408 NtAllocateVirtualMemory	process_identifier: 1816 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000113c0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619134563.923408 WriteProcessMemory	process_identifier: 2576 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Å)_àR~q @ À@,qOø H.textQ R `.rsrcøT@@.reloc X@B process_handle: 0x00001bfc base_address: 0x00400000	success	1
1619134563.939408 WriteProcessMemory	process_identifier: 2576 buffer: 0HX4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°üStringFileInfoØ000004b0,FileDescription 0FileVersion0.0.0.0d!InternalNamezSwFDPOAakOXeJZvuBrQbxaOOkMv.exe(LegalCopyright l!OriginalFilenamezSwFDPOAakOXeJZvuBrQbxaOOkMv.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x00001bfc base_address: 0x00448000	success	1
1619134563.939408 WriteProcessMemory	process_identifier: 2576 buffer: p1 process_handle: 0x00001bfc base_address: 0x0044a000	success	1
1619134563.939408 WriteProcessMemory	process_identifier: 2576 buffer: @ process_handle: 0x00001bfc base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619134563.923408 WriteProcessMemory	process_identifier: 2576 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Å)_àR~q @ À@,qOø H.textQ R `.rsrcøT@@.reloc X@B process_handle: 0x00001bfc base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 472 called NtSetContextThread to modify thread in remote process 2576
1619134563.939408 NtSetContextThread	thread_handle: 0x0000849c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4485502 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2576	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 472 resumed a thread in remote process 2576
1619134564.126408 NtResumeThread	thread_handle: 0x0000849c suspend_count: 1 process_identifier: 2576	success	0	0

Executed a process and injected code into it, probably while unpacking (29 个事件)

Time & API	Arguments	Status	Return
1619134512.345408 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 472	success	0
1619134512.408408 NtResumeThread	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 472	success	0
1619134513.158408 NtResumeThread	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 472	success	0
1619134513.173408 NtResumeThread	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 472	success	0
1619134560.064408 NtResumeThread	thread_handle: 0x00009d44 suspend_count: 1 process_identifier: 472	success	0
1619134560.064408 NtResumeThread	thread_handle: 0x0000dbb4 suspend_count: 1 process_identifier: 472	success	0
1619134560.204408 NtResumeThread	thread_handle: 0x0000f8e8 suspend_count: 1 process_identifier: 472	success	0
1619134560.689408 CreateProcessInternalW	thread_identifier: 2652 thread_handle: 0x00000b3c process_identifier: 3036 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GJbjAVYNgFovG" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpEFA.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x000113d4 inherit_handles: 0	success	1
1619134563.267408 CreateProcessInternalW	thread_identifier: 2604 thread_handle: 0x0000b6ac process_identifier: 2272 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\094ed8f06b37845319686b3da7f77c42.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\094ed8f06b37845319686b3da7f77c42.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000d618 inherit_handles: 0	success	1
1619134563.283408 NtGetContextThread	thread_handle: 0x0000b6ac	success	0
1619134563.283408 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000d618 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619134563.626408 CreateProcessInternalW	thread_identifier: 2196 thread_handle: 0x000113ac process_identifier: 1816 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\094ed8f06b37845319686b3da7f77c42.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\094ed8f06b37845319686b3da7f77c42.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000113c0 inherit_handles: 0	success	1
1619134563.626408 NtGetContextThread	thread_handle: 0x000113ac	success	0
1619134563.626408 NtAllocateVirtualMemory	process_identifier: 1816 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000113c0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619134563.923408 CreateProcessInternalW	thread_identifier: 2128 thread_handle: 0x0000849c process_identifier: 2576 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\094ed8f06b37845319686b3da7f77c42.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\094ed8f06b37845319686b3da7f77c42.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00001bfc inherit_handles: 0	success	1
1619134563.923408 NtGetContextThread	thread_handle: 0x0000849c	success	0
1619134563.923408 NtAllocateVirtualMemory	process_identifier: 2576 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00001bfc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619134563.923408 WriteProcessMemory	process_identifier: 2576 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Å)_àR~q @ À@,qOø H.textQ R `.rsrcøT@@.reloc X@B process_handle: 0x00001bfc base_address: 0x00400000	success	1
1619134563.923408 WriteProcessMemory	process_identifier: 2576 buffer: process_handle: 0x00001bfc base_address: 0x00402000	success	1
1619134563.939408 WriteProcessMemory	process_identifier: 2576 buffer: 0HX4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°üStringFileInfoØ000004b0,FileDescription 0FileVersion0.0.0.0d!InternalNamezSwFDPOAakOXeJZvuBrQbxaOOkMv.exe(LegalCopyright l!OriginalFilenamezSwFDPOAakOXeJZvuBrQbxaOOkMv.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x00001bfc base_address: 0x00448000	success	1
1619134563.939408 WriteProcessMemory	process_identifier: 2576 buffer: p1 process_handle: 0x00001bfc base_address: 0x0044a000	success	1
1619134563.939408 WriteProcessMemory	process_identifier: 2576 buffer: @ process_handle: 0x00001bfc base_address: 0x7efde008	success	1
1619134563.939408 NtSetContextThread	thread_handle: 0x0000849c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4485502 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2576	success	0
1619134564.126408 NtResumeThread	thread_handle: 0x0000849c suspend_count: 1 process_identifier: 2576	success	0
1619142181.686875 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 2576	success	0
1619142181.795875 NtResumeThread	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 2576	success	0
1619142196.483875 NtResumeThread	thread_handle: 0x000002cc suspend_count: 1 process_identifier: 2576	success	0
1619142196.592875 NtResumeThread	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 2576	success	0
1619142199.233875 NtResumeThread	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 2576	success	0

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.43600402
FireEye	Generic.mg.094ed8f06b378453
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
Qihoo-360	Generic/Trojan.289
McAfee	PWS-FCSU!094ED8F06B37
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
AegisLab	Trojan.MSIL.Agent.4!c
Sangfor	Malware
K7AntiVirus	Trojan ( 0056bf781 )
BitDefender	Trojan.GenericKD.43600402
K7GW	Trojan ( 0056bf781 )
Cybereason	malicious.c63ec9
Cyren	W32/MSIL_Troj.SX.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.MSIL.Agent.gen
Alibaba	Trojan:MSIL/Formbook.06714725
NANO-Antivirus	Trojan.Win32.Kryptik.hrlmrd
Tencent	Msil.Trojan.Agent.Eyo
Ad-Aware	Trojan.GenericKD.43600402
Emsisoft	Trojan.GenericKD.43600402 (B)
Comodo	Malware@#39atgc5fx3yfu
F-Secure	Trojan.TR/Kryptik.pxkjs
DrWeb	Trojan.PackedNET.405
Zillya	Trojan.Agent.Win32.1362580
TrendMicro	TrojanSpy.MSIL.FORMBOOK.THIBDBO
McAfee-GW-Edition	BehavesLike.Win32.Generic.gc
Sophos	Mal/Generic-S
Ikarus	Trojan-Spy.MassLogger
GData	Trojan.GenericKD.43600402
Avira	TR/Kryptik.pxkjs
MAX	malware (ai score=83)
Antiy-AVL	Trojan/MSIL.Kryptik
Gridinsoft	Trojan.Win32.Kryptik.oa
Arcabit	Trojan.Generic.D2994A12
ZoneAlarm	HEUR:Trojan.MSIL.Agent.gen
Microsoft	Trojan:MSIL/Formbook.VN!MTB
Cynet	Malicious (score: 100)
BitDefenderTheta	Gen:NN.ZemsilF.34670.Cm0@aOIzXSl
ALYac	Trojan.GenericKD.43600402
VBA32	CIL.HeapOverride.Heur
Malwarebytes	Trojan.MalPack
Panda	Trj/CI.A
ESET-NOD32	a variant of MSIL/Kryptik.XFP
TrendMicro-HouseCall	TrojanSpy.MSIL.FORMBOOK.THIBDBO
Yandex	Trojan.Igent.bUdysY.53
SentinelOne	Static AI - Malicious PE

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-05 19:18:47

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	51809	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.